Ubuntu – How to SSH to machine A via B in one command

networkingremote accesssshtunnel

I want to access a computer, say machine A which is based in my university's network. However, this computer is only accessible via the internal network of the university, so I can not use SSH to this computer from home directly.

Here's what I do now:

  1. Log in to a different university machine, say machine B

    (This machine B is accessible via SSH from my home computer.)

  2. Use SSH on B to connect to A.

Is there a way to do that faster? Using only one ssh command.

Best Answer

Using ProxyCommand in your SSH config.

Create an SSH configuration file in your home directory (unless you want to make this system-wide), ~/.ssh/config:

Host unibroker          # Machine B definition (the broker)
Hostname    # Change this IP address to the address of the broker
User myusername         # Change this default user accordingly 
                        # (`user@unibroker` can overwrite it)

Host internalmachine    # Machine A definition (the target host)
ProxyCommand ssh -q unibroker nc hostname.or.IP.address.internal.machine 22

Now you can reach Machine A directly using

ssh user@internalmachine

Also note that now you have a single SSH host target name for it, you can use this in other applications as well. E.g.:

  • SCP to copy files.

    scp somefile user@internalmachine:~/
  • In your GUI applications:

    use sftp://user@internalmachine/ as the location to browse on the machine.

    KDE-based (Dolphin): use fish://user@internalmachine/


Change hostname.or.IP.address.internal.machine and the port (22) to the machine you like to reach as if you would from the unibroker machine.

Depending on netcat versions on the unibroker host, the -q0 option must be omitted. Regarding authentication; you're basically setting up two SSH connections from your workstation. This means both the unibroker host and the internalmachine host are verified/authenticated against one after another (for both keypair/password and host key verification).


This approach of the use of ProxyCommand and 'netcat' is just one way to do it. I like this, because my SSH client talks directly to the target machine so that I can verify the host key from my client and I can use my public key authentication without using another key on the broker.

Each Host defines the start of a new host section. Hostname is the target hostname or IP address of that host. User is what you would provide as the user part in ssh user@hostname.

ProxyCommand will be used as the pipe to the target machine. By using SSH to the first machine and directly setting up a simple 'netcat' (nc) to the target from there, this is basically just a plaintext forward to the internal machine from the broker between those. The -q options are to silence any output (just a personal preference).

Make sure you have netcat installed on the broker (usually available by default on Ubuntu) - either netcat-openbsd Install netcat-openbsd or netcat-traditional Install netcat-traditional.

Note that you're still using SSH with encryption twice here. While the netcat channel is plaintext, your SSH client on your PC will set up another encrypted channel with the final target machine.

Related Question