Need help with multi-hop SSH tunnel using stacked connections

Posted on 2013-06-24
Last Modified: 2013-07-09
I have been able to figure out how to use SSH tunneling over more than one hop using only PuTTY. So I can create 2 tunnels, one to an intermediate server and another to the final destination. So I can do this:


So then in my client (in this case pgAdmin), I simply connect on dbserver 50432. This works fine for our dev databases because they are only one hop away. For our production db it gets slightly more complicated because there is an additional hop. I tried something like this:

(I also tried no conflicting port numbers)

But connecting doesn't work. I am thinking I have to use some combination of "local" and "remote" connections or a proxy but I am not sure how. Please help!

Note: I do not have direct SSH access to dbserver.
Question by:skione
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274303
You need to create the tunnel to the final server starting at the intermediate server (assuming only a 2-hop connection). For more hops, you need to create a tunnel between each pair of adjacent servers. Then you ssh to the first server and from there ssh to the second, and so on.

Author Comment

ID: 39274555
I get that. I believe my example illustrates that and I've tried many permutations.  I need a more concrete example. Also remember I don't have ssh access to the final server so I need to forward the port somehow.
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274688
No ssh to the final server? Why not?
Author Comment

ID: 39274699
Does it really matter? It's a security policy. Least permissive and whatnot. So I can only access that server on the psql port (5432).
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274781
Yes, you did say. If you actually logged in to stage2, could you then run an app which could access the DB on the dbserver?
Are these SSL tunnels or SSH? Either way it's bedtime for me. I'm pretty much out of ideas anyway - odd that your original setup didn't work really.

Author Comment

ID: 39274802
If I SSH from server1 -> server2, then I PSQL to the db server.
LVL 34

Expert Comment

by:Duncan Roe
ID: 39276505
I'm not familiar with PSQL. Your setup sounds OK to me - any other Experts???
LVL 23

Accepted Solution

Mysidia earned 500 total points
ID: 39283873
You need an SSH client running on every server. If you cannot SSH connect to the dbserver using SSH, then you cannot complete an SSH tunnel; you will essentially be breaking out the traffic into an unprotected form.

I want to make it clear that this is possible, BUT it is insane, and the use of multiple tunnels is contrary to best practice, due to performance and security issues -- just because you can does not mean you should.
Port forwards and IPsec are definitely more appropriate security transports for building complicated topologies.

And you could build an IPsec SA all the way to the database server, and not stop short of securing the connection end-to-end....

- Beyond 2 hops away, you will have to run an SSH client or PuTTY on each remote server.
To accomplish

   50432:dbserver:5432   50432:stage2:50432   50432:stage1:50432

this cannot all be done on one computer.

You can SSH into stage0 from PuTTY with 50432:stage1:50432
Then you need

   stage0#  ssh -l user stage1 -R 50432:stage1:50432 -g

to cause stage0 to open up local port 50432 and forward it to stage1 50432.

Once you've SSH'd into stage1, you essentially need an SSH session from stage1 to stage2,
so in that SSH terminal you could type

   stage1#  ssh -l user stage2 -R 50432:dbserver:5432 -g

to chain a second session,

to cause stage2 to listen on local port 50432 and forward to dbserver:5432.
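The chain described in the accepted answer can be expressed as a single OpenSSH command from the workstation: every intermediate server becomes a jump host (-J, ProxyJump, available since OpenSSH 7.3; older versions use ProxyCommand with `ssh -W %h:%p`), and the local forward is opened on the last host you are allowed to log in to (stage2), which connects onward to dbserver:5432 on your behalf, so no SSH login on dbserver is required. The script below is an added example, not code from the thread or from the OpenSSH project; the host names stage0, stage1, stage2 and dbserver and the port 50432 follow the question, and the function names build_tunnel_cmd and listener_is_loopback_only are my own. The second function reads `ss -ltn` output and confirms the forwarded port is bound to loopback only, which is what you get when -g / GatewayPorts is left off.

```shell
#!/bin/sh
# Added example: a multi-hop local port forward built with OpenSSH ProxyJump,
# plus a check that the resulting listener is not exposed beyond loopback.
# Host names (stage0, stage1, stage2, dbserver) and port 50432 are taken from
# the question; the two function names are hypothetical.

# build_tunnel_cmd LOCAL_PORT TARGET_HOST TARGET_PORT LAST_HOP [JUMP ...]
# Prints the ssh command line that hops through each JUMP host in order,
# logs in to LAST_HOP, and opens 127.0.0.1:LOCAL_PORT forwarding to
# TARGET_HOST:TARGET_PORT as reachable from LAST_HOP. Nothing is executed here.
build_tunnel_cmd() {
    local_port=$1; target_host=$2; target_port=$3; last_hop=$4
    shift 4
    jumps=""
    for j in "$@"; do
        if [ -z "$jumps" ]; then jumps=$j; else jumps="$jumps,$j"; fi
    done
    cmd="ssh -N"                 # -N: forward only, no remote shell
    if [ -n "$jumps" ]; then
        cmd="$cmd -J $jumps"     # -J: ProxyJump chain (OpenSSH >= 7.3)
    fi
    # Bind explicitly to 127.0.0.1 and omit -g so other hosts on your LAN
    # cannot reach the database through your tunnel.
    cmd="$cmd -L 127.0.0.1:$local_port:$target_host:$target_port $last_hop"
    printf '%s\n' "$cmd"
}

# listener_is_loopback_only PORT
# Reads `ss -ltn` (or `netstat -ltn`) output on stdin; succeeds only if at
# least one TCP listener uses PORT and every such listener is bound to
# 127.0.0.1 or ::1.  Run as:  ss -ltn | listener_is_loopback_only 50432
listener_is_loopback_only() {
    port=$1
    found=0
    while read -r line; do
        # Column 4 of ss -ltn / netstat -ltn is the local address:port.
        addr=$(printf '%s\n' "$line" | awk '{print $4}')
        case "$addr" in
            *:"$port")
                found=1
                case "$addr" in
                    127.0.0.1:*|\[::1\]:*|::1:*) ;;   # loopback: fine
                    *) return 1 ;;   # 0.0.0.0, *, [::] or a NIC address: exposed
                esac
                ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# The thread's topology: workstation -> stage1 -> stage2 -> dbserver:5432.
# Set RUN_TUNNEL=1 to execute the command; then, from another terminal,
#   ss -ltn | listener_is_loopback_only 50432 && echo "bound to loopback only"
cmd=$(build_tunnel_cmd 50432 dbserver 5432 stage2 stage1)
printf 'Tunnel command: %s\n' "$cmd"
if [ "${RUN_TUNNEL:-0}" = "1" ]; then
    $cmd    # word-split on purpose; none of the arguments contain spaces
fi
```

With the tunnel up, pgAdmin connects to 127.0.0.1:50432 exactly as in the one-hop case; adding a further hop means adding one more name to the -J list rather than another terminal session on an intermediate server. The -g flag from the accepted answer (and GatewayPorts on the server side) makes the forwarded port reachable from other machines, which is why the check above treats anything other than a loopback bind as a finding.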
