In this tutorial we will learn how to SSH or SCP through a proxy server (jump host). Privacy always matters when communicating over a proxy or jump server. This tutorial focuses on the SSH and SCP protocols, but users who rely on browsers or web-based SSH terminals might still expose their digital fingerprints. In such cases an antidetect browser can help mask the browser fingerprint and enhance anonymity when working behind proxy servers.
SCP through a proxy server
Method-1: Using scp with ProxyJump
With openssh package version 7.4p1-11 or later, we can use the
ProxyJump option to transfer files through a proxy server. The syntax of
the scp command to transfer files via a proxy is:
~]# scp -o "ProxyJump <User>@<Proxy-Server>" <File-Name> <User>@<Destination-Server>:<Destination-Path>
For example:
~]# scp -o "ProxyJump user@10.23.100.70" dataFile.txt user@192.168.10.100:/tmp
user@10.23.100.70's password:
user@192.168.10.100's password:
dataFile.txt 100% 5 0.0KB/s 00:00
Here my proxy server is 10.23.100.70 while the destination server is
192.168.10.100.
Method-2: Using scp with ProxyCommand
SCP uses ssh as the underlying protocol and hence we can use the
ssh options
along with the scp commands. The syntax to use ProxyCommand option
with scp command is:
~]# scp -o "ProxyCommand ssh <user>@<Proxy-Server> nc %h %p" <File-Name> <User>@<Destination-Server>:<Destination-Path>
Where:
%h will be substituted by the host name to connect
%p will be substituted by the port
While using the ProxyCommand option, ensure that the nmap-ncat package,
which provides the nc command, is installed on the proxy server;
otherwise the following error message will be displayed:
bash: nc: command not found
ssh_exchange_identification: Connection closed by remote host
lost connection
For example:
~]# scp -o "ProxyCommand ssh user@10.23.100.70 nc %h %p" dataFile.txt root@192.168.10.100:/tmp
user@10.23.100.70's password:
root@192.168.10.100's password:
dataFile.txt 100% 5 0.0KB/s 00:00
Here my proxy server is 10.23.100.70 while the destination server is
192.168.10.100.
SSH through a proxy server
Method-1: Pass ProxyCommand using ssh options
We can again use ProxyCommand to SSH to another server through a proxy
server. The syntax to SSH via a proxy is:
~]# ssh -o "ProxyCommand ssh user_name_on_proxy@hostname_or_IP_of_proxy nc %h %p" user_name_on_server@hostname_or_IP_of_server
Example: to log in as root on 192.168.10.100 via the proxy at
10.23.100.70, using the login credentials of proxy_user on the proxy:
~]# ssh -o "ProxyCommand ssh proxy_user@10.23.100.70 nc %h %p" root@192.168.10.100
proxy_user@10.23.100.70's password:
root@192.168.10.100's password:
Last login: Tue Dec 24 10:40:33 2019 from 10.23.100.70
~]# ip a l | grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
inet 192.168.10.100/24 brd 192.168.1.255 scope global eth0
If the proxy server does not have the nc command installed, or you do
not have login credentials for the proxy server, but the proxy server
is running a proxy service like squid which will accept SSH connections,
you can use the following command. Note that this method requires the
nc command to be installed on the local/client system.
~]# ssh -o "ProxyCommand nc --proxy hostname_or_IP_of_proxy:proxy_service_port --proxy-type http %h %p" user_name_on_server@hostname_or_IP_of_server
For example, to log in as root on 192.168.10.100 via the proxy service listening on port 3128 at 10.23.100.70 (the proxy service does not require any credentials):
~]# ssh -o "ProxyCommand nc --proxy 10.23.100.70:3128 --proxy-type http %h %p" root@192.168.10.100
root@192.168.10.100's password:
Last login: Tue Dec 24 10:40:46 2019 from 10.23.100.70
~]# ip a l | grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
inet 192.168.10.100/24 brd 192.168.1.255 scope global eth0
Method-2: Using ssh client configuration file
We have discussed the SSH client configuration file in depth. Instead of providing all the options as input arguments to SSH, we can also use the SSH client configuration file.
Edit the ~/.ssh/config file as shown below:
# vim ~/.ssh/config
...
Host <nickname>
HostName <hostname_of_server>
User <user_on_server>
ProxyCommand ssh <user_on_server>@<proxy_server> nc %h %p
Here,
<nickname>: Sets nickname for the target server
<hostname_of_server>: Sets the real remote server/host name
<user_on_server>: Real user who exists on target server
<proxy_server>: IP or the hostname of the proxy server
%h will be substituted by the host name to connect
%p will be substituted by the port
Next, you can SSH with the additional verbose option to verify the configuration:
~]# ssh -vvv <nickname>
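Added example, not part of the original tutorial: a small shell check that reads an ssh client configuration file and reports, for each Host block, which of the proxy methods described above it uses and where nc has to be installed. The Host nicknames and the function names proxy_report and sample_config are made up for the example, and only the "Keyword value" line form of the configuration file is handled.

```shell
#!/bin/sh
# Added example (not from the original page): report, per Host block of an
# ssh client config, which of the tutorial's proxy methods it uses and where
# nc has to be installed. Only the "Keyword value" line form is handled.
proxy_report() {   # $1 = path to an ssh client configuration file
  awk '
    { key = tolower($1) }                      # ssh_config keywords are case-insensitive
    key == "host"      { host = $2; next }     # remember the current Host nickname
    key == "proxyjump" { print host ": ProxyJump via " $2 " (no nc needed)"; next }
    key == "proxycommand" {
      if ($0 ~ /nc --proxy /)    print host ": ProxyCommand, nc required on the client"
      else if ($0 ~ / nc %h %p/) print host ": ProxyCommand, nc required on the proxy server"
      else                       print host ": ProxyCommand, other helper"
    }
  ' "$1"
}

# Constructed sample config reusing the tutorial's addresses; the Host
# nicknames are hypothetical.
sample_config() {
  cat <<'EOF'
Host target-jump
    HostName 192.168.10.100
    User root
    ProxyJump proxy_user@10.23.100.70

Host target-nc
    HostName 192.168.10.100
    User root
    ProxyCommand ssh proxy_user@10.23.100.70 nc %h %p

Host target-squid
    HostName 192.168.10.100
    User root
    ProxyCommand nc --proxy 10.23.100.70:3128 --proxy-type http %h %p
EOF
}

# Write the sample to a temporary file, print the report, then clean up.
cfg=$(mktemp) && sample_config > "$cfg" && proxy_report "$cfg"; rm -f "$cfg"
```

Point proxy_report at your own ~/.ssh/config to see which entries depend on nc being present on the proxy server and which only need it on the client.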
Conclusion
In this tutorial we learned different methods to SSH to a Linux box
through another proxy server, and to transfer files using SCP via another
proxy server or jump host. You can use either ProxyCommand or
ProxyJump with ssh and scp to connect through a proxy
service such as squid or any other proxy server.


