How to ssh to a server which I can not directly reach?

Solution 1:

You can use the following command to set up an SSH tunnel from the remote server to your local machine:

$ ssh -f -N -R 1234:localhost:22 [email protected]_machine_ip

When the tunnel is set up, you can simply ssh to your remote server using the following command:

$ ssh -p 1234 [email protected]

Please note that you need to set up ssh keys for automatic login (no password prompt). If you want to create the SSH tunnel interactively, you can remove the options -f -N. For more info, man ssh.

Solution 2:

If you are running a newer version of OpenSSH (7.3+) then you can use ProxyJump which bakes everything together magically:

ssh -J windows_machine remote_server

Which in your ~/.ssh/config looks like:

Host remote_server
        HostName remote_server
        ProxyJump windows_machine
        User myname

ProxyJump supports full SSH syntax, so if you are jim on windows_server and it uses port 2222 for ssh. remote_server is at IP from the windows_server then you can write:

Host remote_server
        ProxyJump [email protected]_machine:2222
        User myname

And still just run ssh remote_server to get there.

If you are running an older version of SSH, use ProxyCommand - this allows you to tell SSH to first run a command to establish a proxy connection, before running the actual SSH command.

ssh -o ProxyCommand='ssh -W %h:%p windows_machine' remote_server

This uses the SSH -W option, which is shorthand for the more arcane netcat syntax.

Note that, as when you run ssh remote_server you are now on the windows_machine you need to ensure that you use the IP of the remove_server from the jump box rather than the IP from your machine - these may well be the same.

You can then add this directive to your ~/.ssh/config file:

Host remote_server
  HostName remote_server
  User myname
  ProxyCommand ssh -W %h:%p windows_machine

This means that if remote_server is a different machine as seen from windows_machine then you can put that in the config and still just use ssh remote_server.