In this tutorial we will learn how to SSH or SCP through a proxy server (jump host)
SCP through a proxy server
Method-1: Using scp with ProxyJump
With openssh package version 7.4p1-11 or later, we can use ProxyJump option to transfer files using a proxy server. The syntax of the scp command to transfer files via proxy is :
~]# scp -o "ProxyJump <User>@<Proxy-Server>" <File-Name> <User>@<Destination-Server>:<Destination-Path>
For example :
~]# scp -o "ProxyJump user@10.23.100.70" dataFile.txt user@192.168.10.100:/tmp user@10.23.100.70's password: user@192.168.10.100's password: dataFile.txt 100% 5 0.0KB/s 00:00
Here my proxy server is 10.23.100.70 while the destination server is 192.168.10.100
Method-2: Using scp with ProxyCommand
SCP uses ssh as the underlying protocol and hence we can use the ssh options along with the scp commands. The syntax to use ProxyCommand option with scp command is:
~]# scp -o "ProxyCommand ssh <user>@<Proxy-Server> nc %h %p" <File-Name> <User@<Destination-Server>:<Destination-Path>
Where:
%hwill be substituted by the host name to connect%pwill be substituted by the port
ProxyCommand option , ensure that nmap-ncat package is installed on the proxy server that provides the nc command, otherwise the following error message will be displayed.bash: nc: command not found
ssh_exchange_identification: Connection closed by remote host
lost connection
For example:
~]# scp -o "ProxyCommand ssh user@10.23.100.70 nc %h %p" dataFile.txt root@192.168.10.100:/tmp user@10.23.100.70's password: root@192.168.10.100's password: dataFile.txt 100% 5 0.0KB/s 00:00
Here my proxy server is 10.23.100.70 while the destination server is 192.168.10.100
SSH through a proxy server
Method-1: Pass ProxyCommand using ssh options
We can again use ProxyCommand to ssh another server using proxy server. The syntax to SSH via proxy would be:
~]# ssh -o "ProxyCommand ssh user_name_on_proxy@hostname_or_IP_of_proxy nc %h %p" user_name_on_server@hostname_or_IP_of_server
Example: To login as root on 192.168.10.100 via the proxy at 10.23.100.70 with login credentials on the proxy for proxy_user
~]# ssh -o "ProxyCommand ssh proxy_user@10.23.100.70 nc %h %p" root@192.168.10.100 proxy_user@10.23.100.70's password: root@192.168.10.100's password: Last login: Tue Dec 24 10:40:33 2019 from 10.23.100.70 ~]# ip a l | grep eth0 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 inet 192.168.10.100/24 brd 192.168.1.255 scope global eth0
If the proxy server does not have the nc command installed or you do not have login credentials for the proxy server but the proxy server is running a proxy service like squid which will accept SSH connections you can use the following command. Note that this method requires that you have the nc command installed on the local/client system.
~]# ssh -o "ProxyCommand nc --proxy hostname_or_IP_of_proxy:proxy_service_port --proxy-type http %h %p" user_name_on_server@hostname_or_IP_of_server
For example, to login as root on 192.168.10.100 via the proxy service listening on port 3128 at 10.23.100.70. The proxy service does not require any credentials.
~]# ssh -o "ProxyCommand nc --proxy 10.23.100.70:3128 --proxy-type http %h %p" root@192.168.10.100 root@192.168.10.100's password: Last login: Tue Dec 24 10:40:46 2019 from 10.23.100.70 ~]# ip a l | grep eth0 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000 inet 192.168.10.100/24 brd 192.168.1.255 scope global eth0
Method-2: Using ssh client configuration file
We had discussed in the depth about SSH client configuration file. So instead of providing all the options as input arguments to SSH, we can also use SSH client configuration file.
Edit the ~/.ssh/config file per the below:
# vim ~/.ssh/config ... Host <nickname> HostName <hostname_of_server> User <user_on_server> ProxyCommand ssh <user_on_server>@<proxy_server> nc %h %p
Here,
<nickname>: Sets nickname for the target server<hostname_of_sever>: Sets the real remote server/host name<user_on_server>: Real user who exists on target server<proxy_server>: IP or the hostname` of the proxy server%hwill be substituted by the host name to connect%pwill be substituted by the port
Next you can SSH with additional verbose option to verify the configuration
~]# ssh -vvv <target_server>
Conclusion
In this tutorial we learned about different methods to SSH a Linux box using another proxy server or to transfer files using SCP via another proxy server or jump host. You can use either ProxyCommand or ProxyJump with ssh and scp respectively to ssh through any proxy service such as squid or any other proxy server.
It’s not necessary to rely on netcat, just use: