I don't think ProxyCommand can help you. It acts as an alternative for the raw TCP connection. To get the idea, see this answer where ProxyCommand is not used for proxying. No matter what command you specify as ProxyCommand while invoking ssh -L or ssh -R on compute_mine, one end of the tunnel will be compute_mine. And the command specified as ProxyCommand is run locally, so if you in turn use ssh -L or ssh -R inside ProxyCommand then one end of the tunnel will be compute_mine as well.
Similarly with ssh -J all connections begin on the local computer, i.e. on compute_mine in your case. If ssh -J is run on compute_mine, a port forwarding with -L or -R will involve compute_mine.
To forward a port from compute_remote_1 to compute_remote_2 not via compute_mine, you need an SSH connection that starts at compute_remote_1 or compute_remote_2.
From compute_mine you can do this:
# not an answer yet
ssh compute_remote_1 'ssh -NL 5678:localhost:1234 compute_remote_2'
The tunnel will be established by ssh -NL … compute_remote_2 started on compute_remote_1. The problem is this ssh won't exit automatically when ssh running on compute_mine is terminated.
A solution is to use ssh -tt on compute_mine:
ssh -tt compute_remote_1 'exec ssh -NL 5678:localhost:1234 compute_remote_2'
(-t is usually enough, but -tt will do what we want even if there is no local terminal.)
This will allocate a tty on compute_remote_1 and start a shell as the controlling process of the tty. The shell will execute exec ssh … and thus replace itself with ssh. The point is we want ssh to be the controlling process. Some shells exec the last command automatically (an optimization, a sane behavior when there is nothing more to do), but it's better to exec explicitly in case the shell on compute_remote_1 is not that smart.
The easiest way to terminate the port forwarding by acting on compute_mine is to type Ctrl+c in the terminal where our ssh -tt runs (if such a terminal exists). This won't directly kill ssh -tt; ^C will get to compute_remote_1 and the tty there will kill ssh -NL (see this answer). Our local ssh -tt will exit later.
ssh on compute_mine may exit first for whatever reason, e.g. you may kill it. If this happens and if sshd on compute_remote_1 notices (depending on circumstances it may or may not notice immediately, see this answer), then the tty on compute_remote_1 will be closed and the controlling process will get SIGHUP. We made sure the controlling process is ssh that handles the port forwarding, SIGHUP will terminate it. This way the port forwarding is automatically terminated when the ssh process on compute_mine terminates.
It's up to you if you ssh -tt from compute_mine to compute_remote_1 or to compute_remote_2; and if you use ssh -NL or ssh -NR there. The "target" of port forwarding does not have to be localhost, so e.g. ssh -NL 5678:compute_remote_2:1234 compute_remote_3 on compute_remote_1 may make sense. Adjust the solution to your needs.
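
The tty hang-up mechanism the answer above relies on can be reproduced locally without SSH. This is an added example, not part of the original answer: `hangup_demo` is a hypothetical helper, `sleep 30` is a constructed stand-in for the long-running `ssh -NL …`, and closing the pty master stands in for sshd closing the tty on compute_remote_1.

```python
import os
import pty
import signal
import time


def hangup_demo(argv, settle=0.5):
    """Run argv as the controlling process of a new pty, then hang up the pty.

    Returns the name of the signal that ended the process, or "exit:N".
    """
    pid, master_fd = pty.fork()  # child: new session, pty slave is its controlling tty
    if pid == 0:
        try:
            # Make sure an inherited "ignore SIGHUP" (e.g. from nohup) does not apply.
            signal.signal(signal.SIGHUP, signal.SIG_DFL)
            # The child is the session leader; exec keeps the PID, so argv[0]
            # becomes the controlling process, like `exec ssh -NL ...` remotely.
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)
    time.sleep(settle)   # give the child time to exec
    os.close(master_fd)  # hang-up: stands in for sshd closing the tty
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return signal.Signals(os.WTERMSIG(status)).name
    return "exit:%d" % os.WEXITSTATUS(status)


if __name__ == "__main__":
    # `sleep 30` is a constructed stand-in for the long-running `ssh -NL ...`.
    print(hangup_demo(["sleep", "30"]))
```

The process ends well before its 30 seconds are up because the hang-up delivers SIGHUP to it, which is why a forwarding left as the controlling process does not outlive the session.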
-J instead, like ssh -J remote_1 user@remote_2 from compute_mine? The banner exchange error you got looks like ssh choked on the banner from the server side - take a look through the troubleshooting steps here unix.stackexchange.com/q/656631/247007 to see if you can suppress it or get a more detailed error