How do I use putty (and/or plink) command line to forward through 2 intermediate hosts to a database?

Solution 1:

With the release of PuTTY 0.68 plink got a new command line option called -proxycmd. Using this new functionality yields a more robust less cluttered solution to the problem IMHO.

Unfortunately there is not much help for the -proxycmd option. It does execute a local command and uses it as a proxy. One can use even plink with the -nc option to create a tunnel up to the db access host.

For your topology the command executed on desktop machines this on the command prompt looks like this:

plink -A ^
  -proxycmd "plink -A -nc DBACCESS:22 user@BASTION" ^
  -L 6035:DBHOST:3306 ^
  user@DBACCESS

Note: For a password less login peagent must be running on the desktop host and have the appropriate keys loaded. As already mentioned in the comments, agent forwarding must be enabled on the bastion hosts to make it work seamlessly.

The connection looks like the ASCII art below. An outer tunnel goes up to the host db access via the proxy command. Encapsulated in the tunnel runs plink and establishes the port forward to the db host.

 ┌────────────┐    ┌────────────┐    ┌────────────┐    ┌────────────┐
 │            │    │            │    │            │    │            │
 │            ─────────────────────────────       │    │            │
 │                      (1)                       │    │            │  
 │           ────────────────────────────────────────────           │
 │                      (2)                                         │
 │           ────────────────────────────────────────────           │
 │            ─────────────────────────────       │    │            │
 │  desktop   │    │  bastion   │    │  db access │    │  db 3306   │
 │  (windows) │    │  (linux)   │    │  (linux)   │    │  (mysql)   │
 └────────────┘    └────────────┘    └────────────┘    └────────────┘

 1) Tunnel via `-proxycmd "plink -A -nc DBACCESS:22 user@BASTION"`
 2) Proxied `plink` connection with port forward `-L 6035:DBHOST:3306`