
In my scenario I am trying to go from Local App Server -> Middle Server (DMZ) -> Client Server

I need to move files from the Local App Server to the Client Server and back.

So my question is what is the most widely used standard for doing this?

I am currently using WinSCP to connect to the Middle Server via SFTP, and then invoking a command on the Middle Server to download and upload files to the Client Server. I'm not really a fan of this, as I feel like it's prone to error as I am manually entering a command, rather than using WinSCP's library to upload and download. It also leaves me stuck when I try to list all files on the Client Server with a command, as the function returns void.

I have looked at SSH.NET, which seems like it's more widely used; however, I can't see any real way of performing a "double hop" with that library either.

Martin Prikryl
teimaj

1 Answer

With WinSCP .NET assembly, it's easy:

```csharp
using WinSCP;

// Final destination (the "Client Server"), reached through the tunnel
SessionOptions sessionOptions = new SessionOptions
{
    Protocol = Protocol.Sftp,
    HostName = "example.com",
    UserName = "username",
    Password = "password",
    // Pinned host key of the final destination
    SshHostKeyFingerprint = "ssh-rsa 2048 xxxxxxxxxxx...=",
};

// SSH tunnel through the "Middle Server"
sessionOptions.AddRawSettings("Tunnel", "1");
sessionOptions.AddRawSettings("TunnelHostName", "tunnel.example.com");
sessionOptions.AddRawSettings("TunnelUserName", "username");
sessionOptions.AddRawSettings("TunnelPasswordPlain", "password");
// Pinned host key of the tunnel host
sessionOptions.AddRawSettings("TunnelHostKey", "ssh-rsa 2048 xxxxxxxxxxx...=");

using (Session session = new Session())
{
    // Opens the tunnel and the SFTP session in one step
    session.Open(sessionOptions);

    // Your code
}
```

WinSCP GUI can generate a code template to connect through tunnel, like the one above, for you (except for the TunnelHostKey).


With SSH.NET you can implement a port forwarding explicitly by:

  • opening connection to the "Middle Server";
  • creating a forwarded port;
  • opening a second connection to the forwarded port.

For an example, see Connection to MySQL from .NET using SSH.NET Library.


Another hackish solution is to execute ssh on the "Middle Server" to facilitate the second "hop".

Martin Prikryl
  • Thanks for your help, so my understanding is that I create one instance of Session to connect from local to middle server. I then use the example above to create an instance of Session from middle server to client? Is that correct? – teimaj Jan 17 '18 at 10:59
  • I assume you are referring to `Renci.SshNet.Session` (not `WinSCP.Session`). Your description of the second step is a bit unclear, as there's no *"example above"* for that. – Martin Prikryl Jan 17 '18 at 11:03
  • Sorry, I meant `WinSCP.Session` when referring to `Session`. So I just create one `Session` when connecting from local server to client server? Apologies if my questions are a bit silly, I'm new to the whole idea of SFTP/SSH – teimaj Jan 17 '18 at 11:11
  • Yes, `WinSCP.Session` supports SSH tunneling natively, so the above code is all that you need -> Just one `Session` instance is needed. – Martin Prikryl Jan 17 '18 at 11:15
  • I think I understand now. So to download files from Client Server to Middle Server. I still have to do something like `session.InvokeCommand(someCommand)`? Or can I use actual functions like `session.GetFiles()`, by specifying the whole path including server name. Once again thanks for your patience – teimaj Jan 17 '18 at 11:29
  • Again, the tunneling is completely transparent. The rest of the code will be the same, as if you have connected directly. – Martin Prikryl Jan 17 '18 at 11:33
  • I finally just understood the whole purpose of tunnelling. Apologies for wasting your time with these comments lol – teimaj Jan 17 '18 at 13:16
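
The three SSH.NET steps listed in the answer (connect to the "Middle Server", create a forwarded port, connect to the forwarded port), sketched as an added example that is not part of the original answer or of the SSH.NET project. The host names reuse the answer's placeholders; the fingerprint constants, remote paths and local file names are hypothetical, and `FingerPrintSHA256` assumes SSH.NET 2023.0.0 or later.

```csharp
using System;
using System.IO;
using Renci.SshNet;
using Renci.SshNet.Common;

class DoubleHopSftp
{
    // Placeholders: SHA-256 host key fingerprints recorded out of band.
    const string MiddleKey = "<middle-server-sha256-fingerprint>";
    const string ClientKey = "<client-server-sha256-fingerprint>";

    // Trust a host only if its key matches the pinned fingerprint.
    static EventHandler<HostKeyEventArgs> Pin(string expected) =>
        (sender, e) => e.CanTrust = e.FingerPrintSHA256 == expected;

    static void Main()
    {
        // Step 1: open a connection to the "Middle Server".
        using (var middle = new SshClient("tunnel.example.com", "username", "password"))
        {
            middle.HostKeyReceived += Pin(MiddleKey);
            middle.Connect();

            // Step 2: forward a local port to the Client Server's SSH port.
            // Binding to 127.0.0.1 keeps the tunnel unreachable from other
            // machines; omitting the bound port lets the OS pick a free one.
            using (var tunnel = new ForwardedPortLocal("127.0.0.1", "example.com", 22))
            {
                middle.AddForwardedPort(tunnel);
                tunnel.Start();

                // Step 3: second connection to the forwarded port. The host key
                // seen here is the Client Server's, so it is pinned separately.
                using (var sftp = new SftpClient("127.0.0.1", (int)tunnel.BoundPort,
                                                 "username", "password"))
                {
                    sftp.HostKeyReceived += Pin(ClientKey);
                    sftp.Connect();

                    // Listing returns objects, not void (hypothetical path).
                    foreach (var f in sftp.ListDirectory("/remote/path"))
                        Console.WriteLine(f.FullName);

                    using (var dst = File.Create("download.txt"))
                        sftp.DownloadFile("/remote/path/file.txt", dst);
                    using (var src = File.OpenRead("upload.txt"))
                        sftp.UploadFile(src, "/remote/path/upload.txt");
                }
            }
        }
    }
}
```

Both hops get their own pinned host key: the first handler checks the Middle Server, the second checks the Client Server as seen through the tunnel.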