Secure copy uucp style
I often have the case that I have to make a lot of hops to the remote host, just because there is no direct routing between my client and the remote host. When I need to copy files from a remote host two or more hops away, I always have to:
client$ ssh host1
host1$ ssh host2
host2$ scp host3:/myfile .
host2$ exit
host1$ scp host2:myfile .
host1$ exit
client$ scp host1:myfile .
Back when uucp still was being used this would be as simple as a
uucp host1!host2!host3 /myfile .
I know that there's uucp over ssh, but unfortunately I don't have the proper privileges on those machines to set it up. Also, I'm not sure if I really want to fiddle around with customer's machines.
Does anyone know of a method of doing this task without the need to set up a lot of tunnels or deploy new software to remote hosts? Maybe some kind of recursive script which clones itself to all the remote hosts, doing the hard work for me?
Assume that authentication takes place with public keys and that all hosts do SSH Agent Forwarding.
Edit: I'm not looking for a way to automatically forward my interactive session to the next-hop host. I want a solution to copy files bangpath-style using scp via multiple hops without the need to install uucp on any of those machines. I don't have the (legal) rights or the privileges to make permanent changes to the ssh-config. Also, I'm sharing this username and hosts with a lot of other people. I'm willing to hack up my own script, but I wanted to know if anyone knows something which already does it. Minimum-invasive changes to hosts on the bangpath, simple invocation from the client.
Edit 2: To give you an impression of how it's properly been done in interactive sessions, have a look at the GXPC clustershell. This is basically a Python script, which spawns itself over to all remote hosts which have connectivity and where your ssh-key is installed. The great thing about it is that you can tell it "I can reach HostC via HostB via HostA." It just works. I want to have this for scp.
Solution 1:
ssh host1 ssh host2 ssh host3 cat /myfile > myfile
? :)
UPD. (2014-01-20): Recently I came across man dbclient, which mentions: «…
-B endhost:endport — "Netcat-alike" mode, where Dropbear will connect to the given host, then create a forwarded connection to endhost. This will then be presented as dbclient's standard input/output.
Dropbear will also allow multiple "hops" to be specified, separated by commas. In this case a connection will be made to the first host, then a TCP forwarded connection will be made through that to the second host, and so on. Hosts other than the final destination will not see anything other than the encrypted SSH stream. A port for a host can be specified with a slash (eg matt@martello/44 ). This syntax can also be used with scp or rsync (specifying dbclient as the ssh/rsh command). A file can be "bounced" through multiple SSH hops, eg
scp -S dbclient matt@martello,root@wrt,canyons:/tmp/dump .
Note that hostnames are resolved by the prior hop (so "canyons" would be resolved by the host "wrt") in the example above, the same way as other -L TCP forwarded hosts are. Host keys are checked locally based on the given hostname.
Solution 2:
If your version of scp comes from a reasonably recent version of openssh then you may be able to use the ProxyJump option:
scp -o Proxyjump=firsthop.example.com,secondhop.example.com /path/to/file destination.example.com:/where/to/put/it
This relies on forwarding one ssh connection over the other, but in a transient fashion rather than by setting up a listening port. Because of this it doesn't require any special setup on the intermediate hosts other than sshd allowing the ability to make connections to remote ports.
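The bangpath-style invocation asked for in the question can be layered on the ProxyJump option from Solution 2 with a small client-side wrapper. This is an added example, not code from the thread: the function name bangpath_scp, the variable BANGPATH_DRY_RUN and the `host1!host2!host3:/path` syntax are assumptions of the example, and nothing is installed on the intermediate hosts.

```shell
#!/bin/sh
# Added example (not from the original thread): copy from a uucp-style bang
# path such as 'host1!host2!host3:/myfile' using scp's ProxyJump option.
# bangpath_scp and BANGPATH_DRY_RUN are names made up for this example.
# Hops are [user@]host only; per-hop ports are not handled here.

bangpath_scp() {
    spec=$1 dest=${2:-.}
    case $spec in
        *:*) ;;
        *) echo "bangpath_scp: expected hop!hop!host:path" >&2; return 2 ;;
    esac
    hops=${spec%%:*}   # host1!host2!host3
    path=${spec#*:}    # /myfile

    # Refuse anything that is not a plain [user@]host list. A hop starting
    # with '-' would otherwise be parsed by ssh as an option, and an empty
    # hop silently changes the route.
    case $hops in
        ''|'!'*|*'!'|*'!!'*)  echo "bangpath_scp: empty hop" >&2; return 2 ;;
        -*|*'!-'*)            echo "bangpath_scp: hop starts with '-'" >&2; return 2 ;;
        *[!A-Za-z0-9@._!-]*)  echo "bangpath_scp: bad character in hops" >&2; return 2 ;;
    esac

    target=${hops##*!}                 # last element is the real source host
    set -- -- "$target:$path" "$dest"  # '--' stops option parsing in scp
    case $hops in
        *'!'*)                         # everything before it is the jump list
            jumps=$(printf '%s' "${hops%!*}" | tr '!' ',')
            set -- -o "ProxyJump=$jumps" "$@" ;;
    esac

    # With BANGPATH_DRY_RUN set, print the command instead of running it.
    ${BANGPATH_DRY_RUN:+echo} scp "$@"
}
```

Source the file and call `bangpath_scp 'host1!host2!host3:/myfile' .` from the client; set BANGPATH_DRY_RUN=1 first to see the scp command without connecting.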