I usually don’t just repost other people’s posts, but this one really deserves some extra attention. It explains a very elegant way to hop using SSH.

In every network setup with some level of security, there are hosts that can’t be reached directly. Instead, you need to connect to some intermediate machine first, and hop further from there. If you have set up public key authentication, SSH can do all of this for you in the background, just add a few config lines to .ssh/config:

Host IP.or.fqdn.only.reachable.from.intermediate-host
ProxyCommand ssh intermediate-host nc %h %p

This will issue an SSH connection to intermediate host, launch a netcat process to realize the hop, and connect to your unreachable host. Obviously, netcat or similar is required on intermediate-host.


  1. Christophe Vandeplas says:

    You can also do “ssh -A imset.org ssh apeiron.fosdem.org”,
    but then you are not using a normal interactive terminal on the second host.

    So I’m looking into another way to get a terminal…

  2. Niobos says:

    SSH doesn’t allocate a PTY (pseudo-terminal) when executing a command. You can however force it to by adding a -t flag to the first SSH-command.

    This, however, doesn’t yield the exact same result as the ProxyCommand explained above, since you are using SSH on the intermediate host. This implies that you need to have agent-forwarding (the -A flag, as you already figured out), but also that port-forwardings (-L and -R) are done to/from the intermediate host instead of your local machine!