Multi-hop SSH

The servers (calculations, preview, data) are sometimes behind several firewalls or gateways, which calls for multi-hop SSH ("rebonds" SSH in French). The SSH documentation explains how to pass through a single gateway (ProxyCommand option). This "bridge jump" can be chained several times. For this example, we detail multi-hop SSH on the network shown below.

Connection from "poste Chercheur" to front machine "vizu.psmn" via multihop SSH

Legend:

  • black : physical link
  • blue : standard ssh connection
  • red : virtual ssh connection (multi-hop)
  • green : NFS links (/home)

The Poste Chercheur (your computer!) reaches the server vizu.psmn through 2 SSH gateways (red path).

From a Mac/Linux/BSD machine

Manual multihop

We are going to manually accumulate connections (blue paths):

user@postechercheur:~$ ssh ssh.ens-lyon.fr
user@ssh.ens-lyon.fr:~$ ssh allo-psmn
user@allo-psmn:~$ ssh vizu.psmn
user@vizu.psmn:~$

This manual operation can be automated.

Automated multihop

You need to add entries for the gateways and target servers to the ~/.ssh/config file on postechercheur, stacking the connections on top of one another as you go.

  • ~/.ssh/config file on postechercheur
Host ssh-ens
  User user
  HostName ssh.ens-lyon.fr

Host allo-psmn
  User user
  ProxyCommand ssh -qt ssh-ens tcpconnect allo-psmn.ens-lyon.fr %p

Host vizu.psmn
  User user
  ProxyCommand ssh -qt allo-psmn netcat -w1 vizu.psmn.ens-lyon.fr %p

(A more complete configuration file is available on this page)

That's it. You can now connect to vizu.psmn from postechercheur in one command!

user@postechercheur:~$ ssh vizu.psmn

user@vizu.psmn:~$

It also works with the scp command.
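
To check which gateways a host entry really passes through, the nested ProxyCommand lines can be followed back to the first hop. The Python below is an added example, not part of the original page or of PSMN's tooling; it embeds the configuration shown above as constructed sample input, and the function names (parse_config, gateway_of, hop_chain) are hypothetical. It assumes single-alias Host lines, space-separated keywords, and ssh flags that take no argument.

```python
import shlex

# Constructed sample: the ~/.ssh/config entries shown on this page.
SAMPLE_CONFIG = """\
Host ssh-ens
  User user
  HostName ssh.ens-lyon.fr
Host allo-psmn
  User user
  ProxyCommand ssh -qt ssh-ens tcpconnect allo-psmn.ens-lyon.fr %p
Host vizu.psmn
  User user
  ProxyCommand ssh -qt allo-psmn netcat -w1 vizu.psmn.ens-lyon.fr %p
"""

def parse_config(text):
    """Return {alias: {lowercased keyword: value}} for plain 'Host alias' blocks."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "host":
            current = hosts.setdefault(value.strip(), {})
        elif current is not None:
            current[keyword.lower()] = value.strip()
    return hosts

def gateway_of(options):
    """Alias that a 'ProxyCommand ssh [flags] alias ...' line logs in to, or None."""
    argv = shlex.split(options.get("proxycommand", ""))
    if not argv or argv[0] != "ssh":
        return None
    # Simplification: flags are assumed to take no argument (true for -qt).
    return next((a for a in argv[1:] if not a.startswith("-")), None)

def hop_chain(hosts, target):
    """Aliases ssh logs in to, outermost gateway first, ending with the target."""
    chain = [target]
    while (gw := gateway_of(hosts.get(chain[0], {}))) is not None:
        if gw in chain:
            raise ValueError(f"ProxyCommand loop through {gw}")
        chain.insert(0, gw)
    return chain

if __name__ == "__main__":
    print(" -> ".join(hop_chain(parse_config(SAMPLE_CONFIG), "vizu.psmn")))
```

Each alias in the returned chain is a machine that sees the connection, so every one of them needs a valid login before the final host can be reached.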

Configuring an SSH agent (ssh-agent) to automate the login steps is explained here.

From a Windows machine

Multi-hop with PuTTY (Windows)

See the use of plink & PuTTY

en/documentation/tutorials/ssh/multihop_ssh.txt · Last modified: 2018/06/21 11:29 by ltaulell