Reputation: 25261
JSch multiple tunnels/jumphosts
I'm not sure if this is caused by using a private key instead of password for the port forwarding but here's what I'm trying to do
I need to forward local port 3308 all the way to the my SQL DB at 3306.
I can run things like this all together in terminal on my local
ssh -L 3308:localhost:3307 username@jumpbox "ssh -L 3307:mysqlDB:3306 username@server"
Or run the first part on my local and then the second part on the jumpbox. Both works fine and I can connect to my localhost:3308.
The problem comes when I start using JSch. Here is my code
JSch jsch = new JSch();
jsch.addIdentity("~/.ssh/id_rsa");
Session session = jsch.getSession("username", "jumpbox");
session.setConfig("StrictHostKeyChecking", "no");
session.connect();
int assinged_port = session.setPortForwardingL(3308, "localhost", 3307);
Session mysqlSession = jsch.getSession("username", "server", assinged_port);
mysqlSession.setConfig("StrictHostKeyChecking", "no");
mysqlSession.connect(); // Connection timed out here
mysqlSession.setPortForwardingL(3307, "mysqlDB", 3306);
The first connection is done but the second one timed out.
Exception in thread "main" com.jcraft.jsch.JSchException: java.net.ConnectException: Operation timed out (Connection timed out)
Am I doing something wrong here with JSch or port forwarding?
Upvotes: 7
Views: 3319
Answers (1)
Reputation: 202088
Your ssh command is making use of an SSH client (another ssh) running on "jump box".
When you want to implement the same using Java, you have two options:
Do the same in Java, i.e. use
sessionto runssh -L 3307:mysqlDB:3306 username@serveron the "jump box".See Executing a command using JSch.
Though, I do not think you should rely on
sshprogram for the second jump, for the same reason you use Java/JSch for the first jump (and notsshprogram).Avoid using a separate
sshtool, and instead open the other SSH session locally via yet another forwarded port. You can actually do the same using recent versions ofssh, with-J(jump) switch (supported since OpenSSH 7.3):ssh -L 3308:mysqlDB:3306 -J username@jumpbox username@serverSee also Does OpenSSH support multihop login?
I prefer this approach.
To implement the latter approach:
You have to forward some local port to
server:22, so that you can open SSH connection to theserver:JSch jsch = new JSch(); jsch.addIdentity("~/.ssh/id_rsa"); Session jumpboxSession = jsch.getSession("username", "jumpbox"); jumpboxSession.connect(); int serverSshPort = jumpboxSession.setPortForwardingL(0, "server", 22); Session serverSession = jsch.getSession("username", "localhost", serverSshPort); serverSession.connect();Then you forward another local port via
serverto MySQL port:int mysqlPort = serverSession.setPortForwardingL(0, "mysqlDB", 3306);Now you should be able to connect to
localhost:mysqlPortusing MySQL client.
Obligatory warning: Do not use StrictHostKeyChecking=no to blindly accept all host keys. That is a security flaw. You lose a protection against MITM attacks.
For a correct (and secure) approach, see:
How to resolve Java UnknownHostKey, while using JSch SFTP library?
Upvotes: 6
Related Questions
- Using JSch to create a SOCKS proxy tunneled through SSH
- How to use jsch with ProxyCommands for portforwarding
- SSH tunneling via JSch
- Jsch: HTTPS over tunnel
- Remote port forwarding using jsch?
- How to send and get data to/from SSH Tunnel in java (jsch )?
- Java: SSH tunneling - set local SOCKS as the listener
- Reverse Tunnel over JSCH (SSH) and HTTPS
- How to use JProfiler over two-hop SSH tunnel
- Jsch session Configuration