scp to remote without storing locally - scp

I have host1 and host1a on one network. And host2 and host 2a on another network. There is a file on host1a which can be only connected via host1, similarly host2s can only be connected via host2.
Host 1 and host2 can talk to each other, now I want to transfer a massive file from host1a to host2a without storing the file anywhere on host1 and host2. Is it possible? If so how?
Read from host2a, use a named pipe or something on host1 and host2 and push it all the way through to host2a
Host1a -> Host1 -> Host2 -> Host2a

You could use the ProxyJump option:
scp -o ProxyJump=user1#host1,user2#host2 file user2a#host2a:/filepath

Related

Copy files between two SSH clients diretctly

Our two SSH client only machines have access to another remote server with the same user account, and we want to copy files between the two clients over the wire. Can we configure this type of small local hub-spoke network to make the direct file transfer between the clients pass through the server transparently, and how?
For example, we have the hub-spoke network configuration below, where the hub is the SSH server, the spokes are SSH clients and the clients need copy files directly.
Node IP Client Server Port User Status
A 192.168.1.1 Y N N/A alice authenticated
B 192.168.1.2 Y N N/A bob authenticated
C 192.168.1.3 Y Y 22 shared authorized
$ alice#A: ssh-keygen
$ alice#A: ssh-copy-id shared#C
$ bob#B: ssh-keygen
$ bob#B: ssh-copy-id shared#C
Now, we can copy a file from alice#A to bob#B yet neither directly nor efficiently below.
$ alice#A: scp myfile shared#C:~
$ bob#B: scp shared#C:~/myfile .
However, we want to customize the network configuration not to firstly drop the file to shared#C but copy it from alice#A to bob#B directly.
#chepner proposed scp -3. I think that we have to change the hub-spoke network configuration fundamentally, i.e. the hub must act as SSH client, the spokes must run as SSH servers, then the servers can copy files directly through the transparent client proxy. Here's the example.
provided you can go from C to B, then the following should work:
in the ssh config file on A, define both B and C:
Host C
Hostname c-whatever.contoso.local
IdentityFile ~/.ssh/id_rsa
User charlie
ForwardAgent yes
Host B
Hostname b-whatever.contoso.local
IdentityFile ~/.ssh/id_rsa
User bob
ProxyJump C
ssh to B will proxy all traffic via C

VS Code jump-box setup with SSH keys

Establishing an SSH connection via a jump box
Hi everyone, I have been trying to set up my environment on VS Code to run my code from my Windows laptop on a remote Linux server (through my University department's proxy), by following this tutorial. It is working fine, but every time I connect to the host, I need to enter my password and would like to avoid this by configuring my SSH keys - it seems like I haven't found the proper way to do so.
Generating the keys
Let's call my local Windows machine local, the proxy host1 and the final endpoint host2. I created a private/public key pair on local, transferred the public key to host1 so that it is now in ~/.ssh/authorized_keys, and repeated the process by generating a new key pair on host1 and transferring the public key on host2. I followed the instructions here for generating and transferring the keys:
Generate key on local:
ssh-keygen -t rsa -b 4096
Transfer public key to host1:
$USER_AT_HOST="your-user-name-on-host#hostname"
$PUBKEYPATH="$HOME\.ssh\id_rsa.pub"
$pubKey=(Get-Content "$PUBKEYPATH" | Out-String); ssh "$USER_AT_HOST" "mkdir -p ~/.ssh && chmod 700 ~/.ssh && echo '${pubKey}' >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Generate key on host1:
ssh-keygen -t rsa -b 4096
Transfer public key to host2:
export USER_AT_HOST="your-user-name-on-host#hostname"
export PUBKEYPATH="$HOME/.ssh/id_rsa.pub"
ssh-copy-id -i "$PUBKEYPATH" "$USER_AT_HOST"
VS Code config
I then edited my config file according to this, which now looks as follows:
Host host1
HostName host1
User me
ForwardX11 yes
IdentityFile C:\Users\Me\.ssh\id_rsa
Host host2
HostName host2
ProxyCommand C:\Windows\System32\OpenSSH\ssh.exe -q -W %h:%p host1
ForwardX11Trusted yes
User me
IdentityFile ~/.ssh/id_rsa
It seems that the first jump works fine (I don't need to enter my password twice) but I am still asked for it when establishing the connection. My guess is that I haven't configured the IdentityFile properly? When connecting through PowerShell in two steps (i.e. SSH into host1 and then host2), I don't need to enter my password. I would really appreciate any advice!
I've been stucking in the same situation.I tried a lot ,and finally managed to connect without password prompts. Below it's how I've done it, Hope it'll help.
Suppose I(machine A) want to connect to machine C via Machine B(JumpServer), generate keys using ssh-keygen on machine A, then copy the content of public key file(default as id_rsa.pub) to authorized keys file(default as authorized_keys in .ssh folder) of both machine B and machine C(or using ssh-copy-id if available). At last the IdentityFile field of both hosts of machine B and machine C in the config file(host1 and host2 in your case), fill them with ~/.ssh/id_rsa or C:\Users\your_user_name.ssh\id_rsa(the private key you generate on machine A ).
Finally it connects as expected.(I guess in this siutation but not for sure that the identity file in the local machine A is always the subject to connect, so machine B and machine C need to use the identity of machine A for all authorizations)
I met exactly the same situation, that is making this ssh connection: local (Windows) -> host1 (Linux) -> host2 (Linux)
The problem here is that for the second jump to host2, the ProxyCommand "ssh.exe -q -W %h:%p host1" actually looks for host2's IdentityFile "~/.ssh/id_rsa" on local. Because the keys you generated on host1 is different from the one on local, using the key on local would fail to make the second jump.
Solutions:
Simply use the same key for two jumps. Copy the id_rsa.pub on local to host2's authorized_keys.
Copy the key files on host1 to local, rename them and fill host2's IdentityFile with the path of the key file on local.
Referring to this question, modifying the ProxyCommand may enable ssh to use the key on host1 during the second jump. However, I haven't been able to make it work on my Windows local machine.

how to create a dynamic port forwarding with several hops?

If we have a following situation:
[laptop] ---- [host1] ---- [host2] ----[target]
where host1 is reachable from the my laptop machine, host2 from host1 and the target from host2 only. We have ssh credentials to both host1 and host2.
We can use the dynamic port forwarding with the following command:
ssh -N -D 127.0.0.1:8282 host1_account#host1
and that will basically create a SOCKS4 that we can use with proxychains so that command will work from the kali device:
proxychains ssh host2_account#host2
How we can make a similar (additional?) dynamic tunnel from host2 to target?
Make sure you're on OpenSSH 7.3 or later, and use SSH's ProxyJump feature: ssh -J host1_account#host1 -D 127.0.0.1:8282 host2_account#host2. That will give you an SSH session on host2, and 127.0.0.1:8282 will proxy traffic out through host2.

SSH and SCP two hops with different keys between hops

In the below:
HostA is workstation.
HostB is a jumpbox.
HostC is the target system.
I need to SSH and at times SCP files from HostA to HostC and I can only connect to HostC via HostB. Complicating matters is that the username and keypair for HostA -> HostB is different from HostB -> HostC and I do not have access to the keys on HostB. What is the proper way to set this up?
You want to use ProxyJump in ~/.ssh/config. Create the file if it doesn't exist. It should look something like this:
Host HostB
User bob
IdentityFile ~/.ssh/id_rsa.bob
HostName 1.2.3.4
DynamicForward 1028
Host HostC
User alice
IdentityFile ~/.ssh/id_alice
HostName 5.6.7.8
ProxyJump HostB
Now a ssh HostC or scp HostC will go through the jumpbox with the usernames and keys configured.

Rsync through bastion host using different port on destination server

I'm trying to run an rsync through a bastion host onto an SSH server that listens on a non-standard port, like this:
Source Host -> Bastion Host -> Destination Host (sshd on non-standard port)
I can get onto the destination host via the Bastion box using this:
ssh -o ProxyCommand="ssh -W %h:%p admin#bastion-host" user#destination-host
But this gets me onto the "default" SSH server, running on port 22, and not the one I want to get to, which, for sake of argument, is running on port 12345.
If I want to rsync using the non-standard port, the examples I can find, like this for example:
https://www.tecmint.com/sync-files-using-rsync-with-non-standard-ssh-port/
Indicate I should use -p, but that wouldn't work since I need port 22 all the way through the tunnel until the end.
How can I rsync to/from this destination server on port 12345, via a tunnel through the bastion server on the standard port 22?
Source Host (22) -> Bastion Host (22) -> Destination Host (12345)
Ah, I think I figured it out. My destination server was only allowing port 22 from the bastion host, and not the non-standard port.