Need help with multi-hop SSH tunnel using stacked connections

Posted on 2013-06-24
Medium Priority
Last Modified: 2013-07-09
I have been able to figure out how to use SSH tunneling over more than one hop using only PuTTY. So I can create 2 tunnels, one to an intermediate server and another to the final destination. So I can do this:


So then in my client (in this case pgAdmin), I simply connect on dbserver 50432. This works fine for our dev databases because they are only one hop away. For our production db it gets slightly more complicated because there is an additional hop. I tried something like this:

(I also tried no conflicting port numbers)

But connecting doesn't work. I am thinking I have to use some combination of "local" and "remote" connections or a proxy but I am not sure how. Please help!

Note: I do not have direct SSH access to dbserver.
Question by: skione
LVL 35

Expert Comment

by:Duncan Roe
ID: 39274303
You need to create the tunnel to the final server starting at the intermediate server (assuming only a 2-hop connection). For more hops, you need to create a tunnel between each pair of adjacent servers. Then you ssh to the first server and from there ssh to the second, and so on.

Author Comment

ID: 39274555
I get that. I believe my example illustrates that and I've tried many permutations. I need a more concrete example. Also remember I don't have SSH access to the final server, so I need to forward the port somehow.
LVL 35

Expert Comment

by:Duncan Roe
ID: 39274688
No SSH to the final server? Why not?

Author Comment

ID: 39274699
Does it really matter? It's a security policy. Least permissive and whatnot. So I can only access that server on the psql port (5432).
LVL 35

Expert Comment

by:Duncan Roe
ID: 39274781
Yes, you did say. If you actually logged in to stage2, could you then run an app which could access the DB on the dbserver?
Are these SSL tunnels or SSH? Either way, it's bedtime for me. I'm pretty much out of ideas anyway - odd that your original setup didn't work really.

Author Comment

ID: 39274802
If I SSH from server1 -> server2, then I psql to the db server.
LVL 35

Expert Comment

by:Duncan Roe
ID: 39276505
I'm not familiar with psql. Your setup sounds OK to me - any other Experts???
LVL 23

Accepted Solution

Mysidia earned 2000 total points
ID: 39283873
You need an SSH client running on every server. If you cannot SSH connect to the dbserver using SSH, then you cannot complete an SSH tunnel; you will essentially be breaking out the traffic into an unprotected form.

I want to make it clear that this is possible, BUT it is insane, and the use of multiple tunnels is contrary to best practice, due to performance and security issues -- just because you can does not mean you should.
Port forwards and IPsec are definitely more appropriate security transports for building complicated topologies.

And you could build an IPsec SA all the way to the database server, and not stop short of securing the connection end-to-end....

- Beyond 2 hops away, you will have to run an SSH client or PuTTY on each remote server.
To accomplish
   50432:dbserver:5432   50432:stage2:50432    50432:stage1:50432
this cannot all be done on one computer.

You can SSH into stage0 from PuTTY with     50432:stage1:50432
Then you need
   stage0#  ssh -l user stage1 -R 50432:stage1:50432 -g

to cause stage0 to open up local port 50432 and forward it to stage1 50432.

Once you've SSH'd into stage1, you essentially need an SSH session from stage1 to stage2,
so in that SSH terminal you could type

   stage1#  ssh -l user stage2 -R 50432:dbserver:5432 -g

to chain a second session,

to cause stage2 to listen on local port 50432 and forward to dbserver:5432.
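The chained-session approach above needs an SSH client, a login and credentials on every intermediate host, and `-g` publishes each hop's listener to every machine that can reach that host. As an added example that is not part of the thread or of any answer in it, the following POSIX shell script builds the same multi-hop forward from the client side only, using OpenSSH's ProxyJump (`-J`, OpenSSH 7.3 or newer): one `ssh` process on your workstation authenticates to stage1 and stage2 in turn and binds the entry port to 127.0.0.1 only. It also includes a small check, run here over constructed `ss -ltn` output, that a forward's listener is bound to loopback rather than to all interfaces. Host names stage0/stage1/stage2/dbserver and port 50432 are taken from the thread; the user name `user` and the alias `prod-db` are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: multi-hop local forward built on the
# client with OpenSSH ProxyJump (-J, OpenSSH 7.3+) instead of an ssh client on
# every intermediate host. stage*/dbserver/50432 come from the thread; the user
# name "user" and the config alias "prod-db" are assumptions.

# multihop_forward LOCAL_PORT TARGET_HOST:TARGET_PORT LAST_HOP [JUMP_HOST...]
# Prints the ssh command that listens on LOCAL_PORT on the loopback interface
# and forwards it, via the JUMP_HOSTs and then LAST_HOP, to TARGET_HOST:PORT.
# The listener is bound to 127.0.0.1 deliberately: "-g" (GatewayPorts) would
# make the tunnel entry point reachable from any host that can reach you.
multihop_forward() {
    local_port=$1
    target=$2
    last_hop=$3
    shift 3
    jumps=""
    for hop in "$@"; do
        jumps="${jumps:+$jumps,}$hop"
    done
    cmd="ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:${local_port}:${target}"
    if [ -n "$jumps" ]; then
        cmd="$cmd -J $jumps"
    fi
    printf '%s %s\n' "$cmd" "$last_hop"
}

# ssh_config_stanza ALIAS LAST_HOP USER LOCAL_PORT TARGET_HOST:TARGET_PORT [JUMP_HOST...]
# Prints the equivalent ~/.ssh/config stanza, so the forward is started with
# "ssh -N ALIAS" and a GUI client such as pgAdmin connects to localhost:LOCAL_PORT.
ssh_config_stanza() {
    alias_name=$1
    last_hop=$2
    user=$3
    local_port=$4
    target=$5
    shift 5
    jumps=""
    for hop in "$@"; do
        jumps="${jumps:+$jumps,}$hop"
    done
    printf 'Host %s\n    HostName %s\n    User %s\n' "$alias_name" "$last_hop" "$user"
    if [ -n "$jumps" ]; then
        printf '    ProxyJump %s\n' "$jumps"
    fi
    printf '    LocalForward 127.0.0.1:%s %s\n' "$local_port" "$target"
    printf '    ExitOnForwardFailure yes\n'
}

# forward_is_loopback_only PORT SS_OUTPUT
# Given the text of "ss -ltn", succeeds only if PORT is listening and every
# socket on it is bound to 127.0.0.1 or [::1]. A 0.0.0.0 or [::] bind is what
# "-g" produces and means the forward is exposed to the network.
forward_is_loopback_only() {
    port=$1
    printf '%s\n' "$2" | awk -v p=":$port" '
        substr($4, length($4) - length(p) + 1) == p {
            n++
            if ($4 == "127.0.0.1" p || $4 == "[::1]" p) ok++
        }
        END { exit !(n > 0 && n == ok) }'
}

# Constructed sample "ss -ltn" output (not captured from a real host):
# a loopback-only bind, and an all-interfaces bind like "-g" would create.
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:50432    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SS_ALL_IFACES='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:50432      0.0.0.0:*'

# Demo: the thread's topology, workstation -> stage1 -> stage2 -> dbserver:5432
multihop_forward 50432 dbserver:5432 stage2 stage1
ssh_config_stanza prod-db stage2 user 50432 dbserver:5432 stage1
if forward_is_loopback_only 50432 "$SS_LOOPBACK"; then
    echo "loopback-only bind on 50432: ok"
fi
if ! forward_is_loopback_only 50432 "$SS_ALL_IFACES"; then
    echo "50432 bound on all interfaces: exposed"
fi
```

With the stanza in `~/.ssh/config`, `ssh -N prod-db` holds the tunnel open and pgAdmin connects to localhost:50432, exactly as in the single-hop setup; each hop is authenticated from the workstation, so no private key needs to live on stage1 or stage2. The last leg, from stage2 to dbserver:5432, is outside SSH, as Mysidia points out, so the PostgreSQL connection itself should use `sslmode=require` (or `verify-full`) to cover it.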
