Need help with multi-hop SSH tunnel using stacked connections

Posted on 2013-06-24
Last Modified: 2013-07-09
I have been able to figure out how to use SSH tunneling over more than one hop using only PuTTY. So I can create 2 tunnels, one to an intermediate server and another to the final destination. So I can do this:


So then in my client (in this case pgAdmin), I simply connect on dbserver 50432. This works fine for our dev databases because they are only one hop away. For our production db it gets slightly more complicated because there is an additional hop. I tried something like this:

(I also tried no conflicting port numbers)

But connecting doesn't work. I am thinking I have to use some combination of "local" and "remote" connections or a proxy but I am not sure how. Please help!

Note: I do not have direct SSH access to dbserver.
Question by:skione
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274303
You need to create the tunnel to the final server starting at the intermediate server (assuming only a 2-hop connection). For more hops, you need to create a tunnel between each pair of adjacent servers. Then you ssh to the first server and from there ssh to the second, and so on.

Author Comment

ID: 39274555
I get that. I believe my example illustrates that and I've tried many permutations. I need a more concrete example. Also remember I don't have ssh access to the final server so I need to forward the port somehow.
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274688
No ssh to the final server? Why not?

Author Comment

ID: 39274699
Does it really matter? It's a security policy. Least permissive and whatnot. So I can only access that server on the psql port (5432).
LVL 34

Expert Comment

by:Duncan Roe
ID: 39274781
Yes you did say. If you actually logged in to stage2, could you then run an app which could access the DB on the dbserver?
Are these SSL tunnels or SSH? Either way it's bedtime for me. I'm pretty much out of ideas anyway - odd that your original setup didn't work really.

Author Comment

ID: 39274802
If I SSH from server1 -> server2, then I PSQL to the db server.
LVL 34

Expert Comment

by:Duncan Roe
ID: 39276505
I'm not familiar with PSQL. Your setup sounds OK to me - any other Experts???
LVL 23

Accepted Solution

Mysidia earned 500 total points
ID: 39283873
You need an SSH client running on every server. If you cannot SSH connect to the dbserver using SSH, then you cannot complete an SSH tunnel; you will essentially be breaking out the traffic into an unprotected form.

I want to make it clear that this is possible, BUT it is insane, and the use of multiple tunnels is contrary to best practice, due to performance and security issues -- just because you can does not mean you should.
Port forwards and IPsec are definitely more appropriate security transports for building complicated topologies.

And you could build an IPsec SA all the way to the database server, and not stop short of securing the connection end-to-end....

- Beyond 2 hops away, you will have to run an SSH client or PuTTY on each remote server.
To accomplish
   50432:dbserver:5432   50432:stage2:50432   50432:stage1:50432
this cannot all be done on one computer.

You can SSH into stage0 from PuTTY with   50432:stage1:50432
Then you need
  stage0#  ssh -l user stage1 -R 50432:stage1:50432 -g

to cause stage0 to open up local port 50432 and forward it to stage1 50432.

Once you've SSH'd into stage1, you essentially need an SSH session from stage1 to stage2,
so in that SSH terminal you could type

  stage1#  ssh -l user stage2 -R 50432:dbserver:5432 -g

to chain a second session,
to cause stage2 to listen on local port 50432 and forward to dbserver:5432.
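The hop-by-hop chain in the question and in the answer above can be collapsed into a single client-side command with OpenSSH's ProxyJump (-J, available since OpenSSH 7.3). This is an added example, not code from the question or from Mysidia's answer: the only SSH logins are to stage1 and stage2, and stage2 makes the plain TCP connection to dbserver:5432, which is exactly the access the asker has. The host names stage1, stage2 and dbserver and the ports 50432 and 5432 are taken from the thread; the login name user and the config alias dbtunnel are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a multi-hop SSH port forward built with
# OpenSSH's ProxyJump, so the client runs one command and never needs an SSH
# login on dbserver. Host names stage1/stage2/dbserver and ports 50432/5432
# come from the thread; the login name "user" and alias "dbtunnel" are assumed.

# Print the one-shot command.
#   -L 127.0.0.1:...      listener bound to loopback, not -g/GatewayPorts
#   -N                    no remote shell, forwarding only
#   ExitOnForwardFailure  a port clash exits instead of leaving a silent login
# Args: local_port target_host target_port hop1 [hop2 ...]
# Every hop except the last becomes a -J entry; the last hop opens the TCP
# connection to target_host:target_port, so only it must reach the database.
tunnel_cmd() {
  lport=$1; thost=$2; tport=$3; shift 3
  jumps=""
  while [ $# -gt 1 ]; do
    jumps="${jumps:+$jumps,}user@$1"
    shift
  done
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s' \
    "$lport" "$thost" "$tport"
  if [ -n "$jumps" ]; then
    printf ' -J %s' "$jumps"
  fi
  printf ' user@%s\n' "$1"
}

# Print the same chain as an ssh_config fragment: each hop proxies through the
# one before it and the alias "dbtunnel" carries the forward, so after appending
# this to ~/.ssh/config the user only types:  ssh -N dbtunnel
tunnel_config() {
  lport=$1; thost=$2; tport=$3; shift 3
  prev=""
  while [ $# -gt 1 ]; do
    printf 'Host %s\n    HostName %s\n    User user\n' "$1" "$1"
    if [ -n "$prev" ]; then
      printf '    ProxyJump %s\n' "$prev"
    fi
    printf '\n'
    prev=$1
    shift
  done
  printf 'Host dbtunnel\n    HostName %s\n    User user\n' "$1"
  if [ -n "$prev" ]; then
    printf '    ProxyJump %s\n' "$prev"
  fi
  printf '    LocalForward 127.0.0.1:%s %s:%s\n' "$lport" "$thost" "$tport"
  printf '    ExitOnForwardFailure yes\n'
}

# The asker's production path: client -> stage1 -> stage2 -> dbserver:5432
tunnel_cmd 50432 dbserver 5432 stage1 stage2
echo
tunnel_config 50432 dbserver 5432 stage1 stage2
```

pgAdmin then connects to 127.0.0.1:50432 as before. Binding the listener to 127.0.0.1 rather than using -g keeps the forwarded database port off the network interfaces of the machine running the tunnel, -N opens no interactive shell on the hops, and ExitOnForwardFailure makes a port conflict (the "conflicting port numbers" the asker tried) fail loudly instead of leaving a login with no tunnel. The functions accept any number of hops, so a stage0 in front of stage1 simply becomes one more -J entry.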
