# ssh chaining, for ssh and scp

## 1clue

Hi,

I have my home network, which has Linux boxes -- several distros -- and a Mac.

I have a remote office behind a SOHO router.

The remote office has several Linux boxes and one of them has ssh exposed.  Edit: The reason these other boxes have not been exposed is for lack of open ports on the router.  They only have 20 rules on the firewall, and they're all used.

I want to be able to start from home, and then ssh or scp (I want both, but not at the same time) to a non-exposed host inside the remote network using the exposed host.

Something like this:

```
ssh me@exposedhost 'ssh me@internalhost'
```

Only that doesn't work, because 'stdin is not a terminal.'

I've been using scp to get a file to the exposed host, and then scp again to get it to the internal host.  I'd like to be able to just go directly if I could figure out how to set up the command.  Likewise with an ssh session.

Any ideas?

----------

## papahuhn

ssh -t is your friend.

----------

## 1clue

That's awesome for ssh, I didn't think it would be so easy.

It still leaves the scp part though.

The source could be one of several boxes on my side, each behind a NAT router.  The remote public host is behind a NAT router which has ssh directed to it.

Is there a reasonable way to handle this?  The -3 option doesn't work because of the NAT on my end.

Thanks.

----------

## Jaglover

You could redirect port 22 to different ports in the router for different boxes; for instance, port 23 has no use (on the internet), and of course there is no limit if you go to higher ports. This way you could access all boxes directly, just by choosing the corresponding port.

----------

## szatox

You can use the one with exposed ssh as a stepping stone for the others. You know, make it forward your traffic for you :)

----------

## 1clue

There is a limit of 20 port forwarding rules allowed on the SOHO router, and they're all used.  There is only one rule for ssh, no room for any others.

The idea of forwarding traffic is what I'm asking about.  The -t flag that papahuhn gave me is perfect for ssh, but I am also looking for an scp technique.

The remote network is not my network.  I have some control over it but not full control.

Thanks.

----------

## papahuhn

If there is "nc" or "netcat" on the exposed host, Google suggests this:

```
scp -o ProxyCommand='ssh me@exposedhost nc internalhost 22' me@internalhost:/path/to/file.txt /path/to/dest/
```

----------

## 1clue

Sorry it took so long to get back.  This works very well, thanks for everything.

----------

## Hu

You may be able to use ssh -W internalhost:22 me@exposedhost instead of invoking an external netcat.

----------
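The `ssh -W` approach from the last reply, written as a persistent client configuration so that plain `ssh` and `scp` both go through the exposed host. This is an added example, not part of any post in the thread; the alias `internal` is an assumption, and the host names and user `me` are the thread's placeholders.

```sshconfig
# Added example (not from the thread). Save in ~/.ssh/config on the home machine.
# "exposedhost", "internalhost" and "me" are the thread's placeholders;
# the alias "internal" is an assumption made for this example.

Host exposedhost
    User me

# Reach internalhost through exposedhost for ssh, scp and sftp alike.
Host internal
    HostName internalhost
    User me
    # ssh -W asks exposedhost to relay a raw TCP stream to internalhost:22,
    # so no nc/netcat has to be installed on exposedhost.
    # %h expands to the HostName above, %p to the port (22 by default).
    ProxyCommand ssh -W %h:%p exposedhost
    # With OpenSSH 7.3 or newer, this single line can replace ProxyCommand:
    # ProxyJump exposedhost

# Usage from home:
#   ssh internal
#   scp internal:/path/to/file.txt /path/to/dest/
```

Because exposedhost only relays the TCP stream, authentication to internalhost and the check of its host key both happen on the home machine, and no private key or forwarded agent is needed on exposedhost.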

