rsync through multiple ssh hops with password authentication prompt

Matt McCutchen hashproduct at verizon.net
Fri Oct 21 14:04:06 GMT 2005


On Thu, 2005-10-20 at 19:37 +0100, Manuel López-Ibáñez wrote:
> That technique of using a SSH tunnel through middle seems really nice. 
> Actually it is similar (I think even better because yours doesn't 
> require a rsync server) to the one described in the rsync FAQ [1] as 
> method 2.
> 
> [1] http://samba.anu.edu.au/rsync/FAQ.html#6

Here's an interesting variant of the tunneling technique:

~/.ssh/config:
	Host target
	ProxyCommand ssh middle nc %h %p

This tells SSH that, to connect to an SSHD on target, it is to first SSH
into middle and then connect to target from there using "nc".

You can then say "ssh target" or "rsync myfiles target:/some/path".  You
will be prompted for the middle password and then the target password.

Advantages of this approach:
(1) You don't need to remember to set up the port forwarding beforehand.
(2) No one can piggyback on your secure tunnel to target.

Possible disadvantage:
(3) If you want multiple connections to target at the same time, by
default, each will result in a new tunnel through middle.  But you can
get SSH to share connections using the ControlMaster option.

Annoyances:
(4) When I try this technique, both password prompts say "Password:", so
when I enter the middle machine's password and get another prompt, it's
hard to tell whether I messed up and need to retype the first password
or the target machine is prompting me for the second password.  But the
output in your first message shows that your SSHes produce more
meaningful prompts, so this probably won't be an issue.
(5) In my testing, when I log out, I get a message "Killed by signal 1".
This is some artifact of the logging-out process that doesn't indicate
anything is wrong, but I would like to make it go away.

See if you like this better than the port forwarding version.
-- 
Matt McCutchen, ``hashproduct''
hashproduct at verizon.net -- http://mysite.verizon.net/hashproduct/
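The ProxyCommand setup from the message above, written out as a complete ~/.ssh/config that also applies the ControlMaster sharing mentioned in item (3). This is an added illustration, not a file from the original post; the host names middle/target, the example.com addresses and the user name are assumed placeholders.

```sshconfig
# ~/.ssh/config (added example; "middle" and "target" are the hypothetical
# host names from the post, HostName/User values are placeholders)

# Share one authenticated session to the intermediate host. The ProxyCommand
# below runs "ssh middle" for every connection to target; with a control
# master those runs reuse the first tunnel instead of each opening (and
# password-prompting for) a new one. The ControlPath socket grants a shell
# on middle to anyone who can open it, so keep it under ~/.ssh (mode 700).
Host middle
    HostName middle.example.com
    User alice
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    # ControlPersist (OpenSSH 5.6+) keeps the master alive after the first
    # session exits so later rsync runs still find it.
    ControlPersist 10m

# Reach target by logging into middle and relaying the TCP connection from
# there; %h and %p expand to target's host name and port. "-q" silences the
# inner ssh, which also hides its "Killed by signal 1" notice on logout
# (item 5 in the post).
Host target
    HostName target.example.com
    User alice
    ProxyCommand ssh -q middle nc %h %p
    # With an OpenSSH 5.4+ client the relay needs no nc binary on middle:
    #   ProxyCommand ssh -q -W %h:%p middle
```

With this in place, `rsync -av myfiles/ target:/some/path` prompts once for middle (on the first connection only, while the master lives) and once for target, and no listening port is left on the local machine for others to piggyback on.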