How do I use putty (and/or plink) command line to forward through 2 intermediate hosts to a database?
Solution 1:
With the release of PuTTY 0.68 `plink` got a new command line option called `-proxycmd`. Using this new functionality yields a more robust less cluttered solution to the problem IMHO.

Unfortunately there is not much help for the `-proxycmd` option. It does execute a local command and uses it as a proxy. One can use even `plink` with the `-nc` option to create a tunnel up to the db access host.

For your topology, the command executed at the command prompt on the `desktop` machine looks like this:

```
plink -A ^
  -proxycmd "plink -A -nc DBACCESS:22 user@BASTION" ^
  -L 6035:DBHOST:3306 ^
  user@DBACCESS
```

Note: For a passwordless login, `pageant` must be running on the `desktop` host and have the appropriate keys loaded. As already mentioned in the comments, agent forwarding must be enabled on the bastion hosts to make it work seamlessly.

The connection looks like the ASCII art below. An outer tunnel goes up to the host `db access` via the proxy command. Encapsulated in the tunnel runs `plink` and establishes the port forward to the `db` host.

```
┌────────────┐ ┌────────────┐ ┌────────────┐ ┌────────────┐
│            │ │            │ │            │ │            │
│       ─────────────────────────────      │ │            │
│                    (1)                   │ │            │
│       ────────────────────────────────────────────      │
│                           (2)                           │
│       ────────────────────────────────────────────      │
│       ─────────────────────────────      │ │            │
│ desktop    │ │ bastion    │ │ db access  │ │ db 3306    │
│ (windows)  │ │ (linux)    │ │ (linux)    │ │ (mysql)    │
└────────────┘ └────────────┘ └────────────┘ └────────────┘
```

1) Tunnel via `-proxycmd "plink -A -nc DBACCESS:22 user@BASTION"`
2) Proxied `plink` connection with port forward `-L 6035:DBHOST:3306`
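
One way to confirm the forward works end to end, as an added example that is not part of the original answer: connect to the local port 6035 from the command above and decode the greeting packet a MySQL server sends first. The function names and the sample greeting bytes are constructed for illustration.

```python
import socket

def parse_mysql_greeting(data: bytes) -> dict:
    """Decode the first packet a MySQL server sends after the TCP connect."""
    if len(data) < 5:
        raise ValueError("no MySQL packet received through the forward")
    # Header: 3-byte little-endian payload length, then 1-byte sequence id.
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length or length == 0:
        raise ValueError("truncated MySQL packet")
    if payload[0] == 0xFF:
        # ERR packet sent instead of a handshake (e.g. source host refused):
        # 2-byte error code, then the message text.
        code = int.from_bytes(payload[1:3], "little")
        return {"ok": False, "error_code": code,
                "message": payload[3:].decode("utf-8", "replace")}
    # Handshake: protocol version byte, then NUL-terminated server version.
    version, sep, _ = payload[1:].partition(b"\x00")
    if not sep:
        raise ValueError("not a MySQL handshake")
    return {"ok": True, "protocol": payload[0],
            "server_version": version.decode("ascii", "replace")}

def probe_forward(host="127.0.0.1", port=6035, timeout=5.0) -> dict:
    """Connect to the local end of the -L forward and read the greeting."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while len(data) < 4 or len(data) < 4 + int.from_bytes(data[:3], "little"):
            chunk = sock.recv(4096)
            if not chunk:  # tunnel closed the stream early
                break
            data += chunk
    return parse_mysql_greeting(data)

if __name__ == "__main__":
    # Constructed sample greeting so the script also runs without a tunnel.
    body = b"\x0a" + b"8.0.0-sample\x00" + bytes(20)
    print(parse_mysql_greeting(len(body).to_bytes(3, "little") + b"\x00" + body))
```

With the `plink` session open, calling `probe_forward()` returns the server version on success; a `ConnectionRefusedError` means nothing is listening on the local port, and a `ValueError` means the port answered but not with a MySQL packet.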