0

I am trying to write a bash script to ssh first into IP1 (asks for a password) from my localhost machine and then ssh into IP2. Once in IP2 I want to scp to my local machine.

IP1=192.168.10.10
IP2=192.168.10.9

ssh root@$IP1
ssh root@$IP2

cd /var/log

scp message* localuser@$localIP:/home/localuser/Desktop/MessageFolder/

The above is what I currently have to do manually via the command line in Linux. I essentially copy from 192.168.10.9 to my local machine.

I do not have direct access to IP2. Think of it as a backdoor. IP2 has a password, IP1 does not.

Is there any way to do this? I have more code written if this isn't helpful.

Can someone verify if I can do something similar to what was done for this solution: Scp over a proxy with one command from local machine?

I've also heard of port forwarding... How would that work with this example?

I'm very new to bash scripting and would appreciate some patience.

Toto

3 Answers

0

You can't start a script on one machine, then ssh into another machine and have the script continue there.

But you can execute a sequence of commands on a remote machine like this:

ssh -t root@IP1 'ssh root@IP2 scp /var/log/message*  <user>@<IP>:/home/localuser/Desktop/MessageFolder/; ls /var/log/message*'

This is saying ssh into IP1 and pass the remainder of the line as a command to run once logged in.

In quotes is the command to run, which is the ssh into the second IP, along with the command to run once logged in there.

Paul
0

So let me get this straight:

  • localIP wants the files in /home/localuser/Desktop/MessageFolder/
  • the files desired are on IP2 at /var/log/message*
  • The only way to access IP2 is from IP1

You will need to look into using ssh/scp with keys instead of passwords, as described by https://wiki.archlinux.org/index.php/SSH_keys. I would also advise not using the root user for this basic operation.

Assuming those assumptions are correct, you can use SSH's tunneling ability so the localIP machine can ssh/scp into 127.0.0.1:SomeUnusedPort to get to IP2. The main tricky part will be to know when to disconnect the localIP machine from the IP1 machine.

This is a quick block of code to do what I'm thinking. Be aware, I've not tested this at all.


IP1=192.168.10.10
IP2=192.168.10.9
SomeUnusedPortOnLocalIP=2209

ssh -L $SomeUnusedPortOnLocalIP:$IP2:22 root@$IP1 "while [ ! -f /tmp/disconLocalIP.now ]; do sleep 2; done; rm /tmp/disconLocalIP.now" &
# connects to IP1 establishing an ssh tunnel between localIP and IP2
# the loop testing for the existence of a file to let it know when to disconnect
# the & symbol lets the command run in the background and the script to continue with it still running

# wait for the connection to actually establish fully before proceeding.
sleep 10 

# connect to port tunnel on localIP to get files from IP2
scp -P $SomeUnusedPortOnLocalIP "root@127.0.0.1:/var/log/message*" /home/localuser/Desktop/MessageFolder/
scp -P $SomeUnusedPortOnLocalIP "root@127.0.0.1:/var/log/log*" /home/localuser/Desktop/OtherLogs/

# put file on IP1 to tell loop to end and exit previous ssh session
ssh root@$IP1 "touch /tmp/disconLocalIP.now"

BeowulfNode42
0

SSH comes with support for that. I’ll quote answers from here:

according to the ssh man page, ProxyCommand is the correct method

the syntax being:

ProxyCommand ssh -W %h:%p user@jumphost 2> /dev/null

Or, on a sufficiently recent system:

As of OpenSSH 7.3 (late 2016) the easiest way is the ProxyJump setting. In your ~/.ssh/config:

Host B
  ProxyJump A

Or on the command line, -J B.

The latter solution even supports arbitrarily deep chains, see the linked guide.

With SCP, you can’t use -J, so it’ll look like this:

scp -o "ProxyJump root@$IP1" root@$IP2:/var/log/message* /home/localuser/Desktop/MessageFolder/
user219095
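
The choice between ProxyJump and ProxyCommand described in the last answer can be made by the script itself. The following is an added example, not part of any answer: it picks the option from the client's `ssh -V` banner and checks the host arguments before building the scp command. The function names and the DRY_RUN switch are hypothetical, and key-based login is assumed.

```shell
#!/bin/sh
# Added example, not code from the answers. Hosts are the question's addresses;
# the function names and the DRY_RUN switch are made up for this sketch.

# proxy_option BANNER JUMP: print the scp/ssh -o value for this client.
# BANNER is the output of `ssh -V 2>&1`; ProxyJump needs OpenSSH 7.3 or later.
proxy_option() {
    ver=${1#OpenSSH_}
    [ "$ver" != "$1" ] || return 1            # not an OpenSSH banner
    case $ver in *.*) ;; *) return 1 ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%[!0-9]*}
    case "$major:$minor" in :*|*:|*[!0-9:]*) return 1 ;; esac
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }; then
        printf 'ProxyJump=%s\n' "$2"
    else
        printf 'ProxyCommand=ssh -W %%h:%%p %s\n' "$2"
    fi
}

# pull_via_jump BANNER JUMP TARGET REMOTE_GLOB LOCAL_DIR
pull_via_jump() {
    # ProxyCommand is handed to the local shell, so refuse anything that is
    # not a plain [user@]host before it is pasted into that string.
    for h in "$2" "$3"; do
        case $h in
            ''|-*|*[!A-Za-z0-9@._:-]*) echo "refusing host: $h" >&2; return 2 ;;
        esac
    done
    opt=$(proxy_option "$1" "$2") || { echo "unknown ssh banner" >&2; return 3; }
    # BatchMode=yes: scp's own connection fails rather than prompting (assumes
    # key-based login). The glob stays quoted so the local shell leaves it alone.
    set -- scp -o BatchMode=yes -o "$opt" "$3:$4" "$5"
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$@"; else "$@"; fi
}

# Dry run with a constructed banner; in real use pass "$(ssh -V 2>&1)".
DRY_RUN=1 pull_via_jump 'OpenSSH_7.2p2 (constructed)' root@192.168.10.10 \
    root@192.168.10.9 '/var/log/message*' ./MessageFolder/
```

With DRY_RUN=1 the function prints the scp arguments one per line instead of connecting, which makes it easy to review what would run.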