Multi-hop SSH

The servers (calculations, preview, data) are sometimes behind several firewalls or gateways (or multi-hop SSH , “rebonds” SSH in French). The SSH documentation explains how to pass a single gateway ( ProxyCommand option). It is possible to cumulate this system of “bridge jump” several times. For this example, we will detail multi-hop SSH from the network shown below.

Connection from "poste Chercheur" to front machine "vizu.psmn" via multihop SSH

Caption :

  • black : physical link
  • blue : standard ssh connection
  • red : virtual ssh connection (multi-hop)
  • green : NFs links (/home)

The Poste Chercheur (your computer!) reach the server vizu.psmn through 2 SSH gateways (red path).

From a Mac/Linux/BSD machine

Manual multihop

We are going to manually accumulate connections (blue paths):

user@postechercheur:~$ ssh$ ssh allo-psmn
user@allo-psmn:~$ ssh vizu.psmn

These manual operations can be automatized.

Automated multihop

You need to add the gateways and target servers entries in the ~/.ssh/config file on the postechercheur . By adding up the different connections as you go.

  • ~/.ssh/config file on postechercheur
Host ssh-ens
  User user

Host allo-psmn
  User user
  ProxyCommand ssh -qt ssh-ens tcpconnect %p

Host vizu.psmn
  User user
  ProxyCommand ssh -qt allo-psmn netcat -w1 %p

(A more compete configuration file is available on this page)

That's it. You can now connect to vizu.psmn from postechercheur in one command!

user@postechercheur:~$ ssh vizu.psmn


It also works with the scp command.

The configuration and explanations on the automation of the login steps with an SSH-agent are explained here.

From a Windows machine

Multi-hop with PuTTY (Windows)

See the use of plink & PuTTY

en/documentation/tutorials/ssh/multihop_ssh.txt · Dernière modification: 2020/04/14 15:12 par ltaulell