Some environments require you to hop across one or more “bastion” hosts that are intended to keep anyone unauthorized from being able to access internal networks. This generally is a pain, but I ran across a useful workaround that makes it look like you are ssh-ing directly to the destination box, allowing things like scp, rsync over ssh, etc. all work without any extra fiddling.
In your .ssh/config file, make sure that you have the following:
Host * ForwardAgent yes This will allow you to leverage the same ssh key on the destination server as well as the bastion host, make sure you add your ssh key to the ssh-agent with ssh-add ssh-add ~/.ssh/id_dsa Then you can add an entry for your destination server: Host destination.server.com User plock ProxyCommand ssh bastion.host.com bin/netcat destination.server.com %p 2&gt; /dev/null
The ProxyCommand directive tells your local ssh client to connect to stdin and stdout of the ProxyCommand instead of opening a socket, the ProxyCommand uses netcat on the bastion to act as a proxy on the bastion host, connecting it’s stdin and stdout to the ssh process that connected to the destination server. So in effect, you are sshing to the destination server, and all other ssh features work normally like additional .ssh/config options and command line arguments.
You can even chain two together
Host ssh.bastion2.com User plock ProxyCommand ssh ssh.bastion1.com bin/netcat ssh.bastion2.com %p 2> /dev/null Host destination.server.com User plock ProxyCommand ssh ssh.bastion2.com /usr/bin/nc destination.server.com %p 2> /dev/null