Re: Chaining SSH tunnels?

From: Darren Tucker (
Date: 11/05/05

Date: 05 Nov 2005 00:30:18 GMT

On 2005-10-30, Arnoud "Galactus" Engelfriet <> wrote:
> Let's say I am on a machine called 'local', which is able to connect
> to 'middle1'. On 'middle1', I can connect to 'middle2' and from
> 'middle2' I can read my destination machine, 'dest'. I would like to
> establish a secure connection between 'local' and 'dest' such that
> there is no unencrypted traffic anywhere in between. Is this possible
> by chaining tunnels?
> This is what I tried to use:
> local$ ssh -L 2222:middle2:22 middle1
> local$ ssh -L 4444:dest:22 localhost -p 2222
> local$ ssh localhost -p 4444
> It does seem rather overkill, since there are now three levels
> of encryption between local and middle1. Is there a better way?

I prefer "stacking" connections rather than chaining them. If you have
netcat or similar on the middle machines, then in the client's
~/.ssh/config you put something like this:

Host middle2
        ProxyCommand ssh middle1 nc %h %p

Host dest
        ProxyCommand ssh middle2 nc %h %p

This still multiple-encrypts, but the connection is secured end to end
and you don't have to manage listening port numbers. The pros and cons
of both approaches have been discussed here several times before; check
the group archives.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
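
The stacked configuration from the reply above, generalized to any number of intermediate hosts, as an added example that is not part of the original post. The function name gen_stacked_config and the host-name check are assumptions of this example; like the post, it assumes nc is available on each intermediate host.

```shell
#!/bin/sh
# Added example (not from the original post): emit ssh_config stanzas that
# "stack" connections through an ordered list of hosts.
# Usage: gen_stacked_config HOP1 [HOP2 ...] DEST
# Every host after the first gets a ProxyCommand through the previous one.

gen_stacked_config() {
    if [ "$#" -lt 2 ]; then
        echo "usage: gen_stacked_config HOP... DEST" >&2
        return 2
    fi
    # ProxyCommand is executed by the user's shell, so refuse any name that
    # is not a plain host name before it is written into a command line.
    # All names are checked first so no partial config is ever emitted.
    for h in "$@"; do
        case "$h" in
            ''|-*|*[!A-Za-z0-9._-]*)
                echo "refusing unsafe host name: $h" >&2
                return 1
                ;;
        esac
    done
    prev=$1
    shift
    for h in "$@"; do
        # %%h and %%p become the literal %h and %p tokens that ssh expands.
        printf 'Host %s\n        ProxyCommand ssh %s nc %%h %%p\n\n' "$h" "$prev"
        prev=$h
    done
}

# Constructed sample: the three-machine chain from the question.
gen_stacked_config middle1 middle2 dest
```

The output is meant to be reviewed and then appended to the client's ~/.ssh/config; the first host in the list is reached directly and gets no stanza.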
