Suppose we need to copy stuff via SSH from the remote host target to our local computer mybox, but a firewall blocks direct SSH access to target. We need to connect to the intermediate host inter first and then, we can connect to target from there.
The following diagram illustrates this problem. Green arrows between a pair of machines mean that establishing a SSH connection is possible in the indicated direction, red arrows mean it is not. (Note that the direction of connection establishment is not related to the direction in which we can later use the connection, of course: if you connect from A to B, you can of course copy stuff from B to A using the connection. Also, the green arrow in the diagram from target to inter is not required for the solution given here.).
This usually happens if you work in an environment where the local servers are in a separate network, protected from internal desktop PCs via a firewall. Only a single machine, in this case inter, is exposed to the LAN. (I needed to copy data from cluster client nodes to my local PC, but only the cluster head is directly reachable.)
I searched the internet for solutions, and a lot of those which showed up did not work for me: they gave connection denied errors or required software like netcat (nc) which was not present on the remote servers. Or they did not allow you to copy whole directories. Here is what I use:
user@mybox:~/target_data_dir/> ssh myuserA@inter 'ssh myuserB@target "cd /tmp/source_data_dir/; tar cj ."' | tar xj
This does not use any tunneling or other stuff and requires no special setup. What this does is connect to inter via ssh, then it issues the command
ssh myuserB@target "cd /tmp/source_data_dir/; tar cj ." there. This command connects to the host target and runs the command
cd /tmp/source_data_dir/; tar cj . there. This command creates a tar-bzip2 archive from the given directory and transfers it through the connection. The rest of the command line, the part
| tar xj is executed on mybox and unpacks the archive on the fly.
So we copied the whole directory, compressed and protected in the SSH connection, from the host target via inter to mybox.