24

I'm trying to copy a file from one remote server to another remote server from my local machine. Here's what I'm trying to do:

localA $ scp userB@remoteB:/path/to/file userC@remoteC:/path

The problem is that I need to pass two passwords for both userB and userC on the remote machines.

According to Garron the above should work, but I got permission denied.

Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
lost connection

Any suggestions?

Alan

6 Answers

42

If you can ssh to both remote servers from your local (local -> remote1 & local -> remote2), then you could try:

ssh -A -t user1@remote1 scp srcpath user2@remote2:destpath

This will transfer straight from remote1 to remote2 using your local credentials all the way.

If you do not want to be asked for passwords, then you should set up the authorized_keys file on remotes.

RubenCaro
  • Thanks Ruben, using keys is the most secure option of them both, according to the majority of most experienced ssh users I've seen so far. – Alan May 16 '16 at 10:49
  • 3
    A note to this is that since this will connect *directly* from remote1 to remote2, then it is not enough to be able to ssh to remote2 from your local, you need to check that you can ssh from remote1 to remote2 (e.g. the names and configuration in your ~/.ssh/config on remote1) – Peteris Aug 04 '16 at 08:21
  • 2
    The best solution I've seen so far. You don't have to authorize servers to `ssh` to one another, all you need is an access to both of them with your key. And unlike `scp -3`, data is copied directly between servers, possibly through a very fast local network. – Leonid Beschastny Nov 11 '16 at 21:27
  • 2
    @LeonidBeschastny You are doing guesswork, and it is not appreciated. You will have to have multiple keyfiles (if you choose to), and will lessen the security that way. You might not have the servers on the same network. And the question was not how do I connect to one remote and transfer to another. It was how do I do remote to remote transfers via scp. – KatsuoRyuu Dec 01 '16 at 02:43
  • @KatsuoRyuu I must disagree. OP asked how to copy data between two remote servers from the third machine, but he didn't specify that data must be proxied through this third machine, so the answer is valid. And there is no need for both remote servers to be in the same local network. For most cases this answer will provide the same functionality as `scp -3`, but it will copy data directly between two remote servers (without proxying it through the third machine). So I think this answer is the most useful one. – Leonid Beschastny Dec 01 '16 at 09:22
  • @KatsuoRyuu and I'm not sure I've got your remark about lessening the security right. Both methods should work fine with any authorization method (passwords or keyfiles). Using keyfiles is a more secure way, but I can't see how it's related to those answers. Or do you mean that `ssh -A` has serious security vulnerabilities? – Leonid Beschastny Dec 01 '16 at 09:57
  • The more certs you have in flow the less security you have, simple math really. I was working today searching for the exact same, the result you market does not work in my case, since you have to login from one server to another server, this means this method here would force me to open extra holes in my firewall, which in my case is very unacceptable. The question is very specific, remote to remote. – KatsuoRyuu Dec 01 '16 at 10:41
  • @KatsuoRyuu if you can connect to both servers from your machine then they already allow inbound connections on port 22 (or whichever you use). The only thing that could be possibly closed in the firewall is an outbound ssh connection. – Leonid Beschastny Dec 01 '16 at 14:07
  • 1
    Exactly, the connection only allows an encrypted system to access, from only one IP, and a specific MAC address. So opening for another IP doubles the risk. – KatsuoRyuu Dec 01 '16 at 14:11
  • 2
    @RubenCaro: Thanks for sharing but it doesn't work for me. Error: `Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). lost connection` – Tung Nov 07 '17 at 20:09
  • 2
    This is a wrong answer. The command will work only if the ssh pub key of user1@remote1 is installed in the authorized_keys of user2@remote2. The local credentials will not be used in scp. – sanigo Sep 11 '18 at 06:24
37

This question already exists on Superuser:

https://superuser.com/questions/686394/scp-between-two-remote-hosts-from-my-third-pc

scp -3 user1@remote1:/home/user1/file1.txt user2@remote2:/home/user2/file1.txt

As described there, the -3 option instructs scp to route traffic through the PC on which the command is issued.

The above is true if remote1 and remote2 are on the same network.

If not, you have to use port forwarding.

Himadri Mandal
  • Doesn't adding -3 to route traffic through the local host really slow things down if the localhost has a slow connection? – wcochran Aug 11 '17 at 23:00
  • @wcochran Yes, it does. But it's easy to have it work in all cases. I wonder if there's a generalizable way to set up a direct SSH connection between two remote hosts in a way that doesn't expose any secrets to either. – sudo Jan 24 '18 at 03:03
  • NOT WORKING....error Permission denied (publickey) for destination............scp -3 -i ~/.ec2/${3} ubuntu@${1}:~/auto_dump/backup_${orgin}_${timestamp}.dump -i ~/.ec2/${4} ubuntu@${2}:~/auto_dump/ – Ebin Joy Dec 21 '18 at 19:24
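The `Permission denied (...)` lines quoted in the question and in the comments above list the authentication methods the server would still accept when the client gave up, which tells you whether any password prompt could have worked at all. The following is an added example, not code from any of the posts; the function names `offered_methods`, `has_method` and `diagnose` and the result labels are made up for this illustration, and the sample lines are the error strings quoted on this page.

```shell
#!/bin/sh
# Added example: classify OpenSSH "Permission denied (...)" lines.
# The parenthesised list is the set of authentication methods the server
# reported as still acceptable after the client ran out of things to try.

# Print the comma-separated method list from one error line, or nothing.
offered_methods() {
    printf '%s\n' "$1" | sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p'
}

# Succeed if method $2 appears in the comma-separated list $1.
has_method() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Map one error line to what the client could still supply.
diagnose() {
    methods=$(offered_methods "$1")
    [ -n "$methods" ] || { echo "not-an-auth-failure"; return; }
    if has_method "$methods" password ||
       has_method "$methods" keyboard-interactive; then
        if has_method "$methods" publickey; then
            echo "key-or-prompt"   # a key or a typed secret is accepted
        else
            echo "prompt-only"     # only a typed secret is accepted
        fi
    elif has_method "$methods" publickey; then
        echo "key-only"            # no password prompt can ever succeed
    else
        echo "other"               # e.g. GSSAPI or host-based only
    fi
}

# Error strings as quoted on this page (question, Tung, Ebin Joy).
diagnose "Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive)."
diagnose "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). lost connection"
diagnose "Permission denied (publickey) for destination"
```

A `key-only` result means the host that opens the failing connection must hold, or be forwarded, a key listed in the destination's `authorized_keys`; typing passwords cannot fix it.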
6

This is possible using the following command line in a Linux terminal:

scp -3 user1@ip:path/from/directory/ user2@ip:path/to/directory

A prompt will appear asking for passwords like this:

user1@ip's password: user2@ip's password:

If you give both passwords in order by pressing enter after the first password, it should accept but it won't. Even if you give both passwords again in order but by not pressing enter after the first password, it won't accept again.

You have to give user2's first, then press enter and then type user1's password and press enter. This will work.

I know it doesn't sound right, but only this will work. This is a bug in scp.

darecoder
  • is it possible to create a shell script with password also stored inside? – sjd Feb 01 '18 at 07:17
  • depends! What is your objective? You want to do scp or ssh? – darecoder Feb 08 '18 at 10:01
  • On my Ubuntu 18.04 terminal, the first-typed password (for user2) is not echoed, _but_, the second-typed password (for user1) appears in plain text! – studog Aug 15 '19 at 20:53
2

I find -o "ForwardAgent yes" does the trick:

localA $ scp -o "ForwardAgent yes" userB@remoteB:/path/to/file userC@remoteC:/path

I like this better than the -3 since I don't want a middle machine slowing things down. I like @RubenCaro's answer too, but this seems more direct.

wcochran
  • 1
    It doesn't work for me. Error: `Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). lost connection`. Any clue? Thanks! – Tung Nov 07 '17 at 20:35
  • Works for me (using a private key): scp -o 'ForwardAgent yes' -i localkey.pem userB@remoteB:/path/to/file userC@remoteC:/path . – brunesto Mar 05 '18 at 15:59
1

You only need passwords if you don't have entries in the authorized_keys file. Once you have logged in to the 2 servers (localA -> remoteB & remoteB -> remoteC) and established the secure connection your original command should work.

DS.
  • Hi there, I still can't do it due to the fact that I'm using clearcase, I believe. But your tip is great. authorized_keys combined with ~/.ssh/config and aliases are much faster. Thanks – Alan Mar 04 '15 at 14:56
1

The existing answers assume you can ssh back to the local machine from the remote machines. That's not always possible. In such a case, you can use a jump host mechanism. It's actually more efficient anyway.

If you have a recent OpenSSH (8.0), you can use the -J (jump) switch:

scp -J user@intermediate user@target:/path

With older versions (but at least 7.3), you can use the ProxyJump directive, either on the command line:

scp -o ProxyJump=user@intermediate user@target:/path

or in the ssh_config file.

There are other options like ProxyCommand or port forwarding, which you can use on even older versions of OpenSSH. These are covered in Does OpenSSH support multihop login?

Martin Prikryl