How do I do Multihop SCP transfers between machines?

You can add -o options to scp instead of .ssh/config.

scp -o ProxyCommand="ssh $jump_host nc $host 22" $local_path $host:$destination_path

$jump_host is your "server B" in this case.

Assuming OpenSSH, add to your SSH configuration in .ssh/config

Host distant
ProxyCommand ssh near nc distant 22

This will cause SSH to be able to connect "directly" to the machine named distant by proxying through the machine named near. It can then use applications like scp and sftp to the distant machine.

For this to work you need 'nc' aka netcat installed on the machine named near. But a lot of modern systems will have it already.

towo's tar solution is more effective for one-shot problems, assuming you've memorised tar's syntax and rules of operation.

With more recent versions of ssh on the server near (B) machine the following will work without netcat:

Host distant
    ProxyCommand ssh near -W distant:22

It will however require AllowTcpForwarding to be yes (the default) on the near (B) machine

edit: requires OpenSSH 5.4+ on B

You can ssh to server B using something like

ssh -L 5022:<server C IP>:22 <user_serverB>@<server B IP>

Then you can ssh to server C using

ssh -p 5022 <user_serverC>@localhost 

Similarly scp would work using

scp -P 5022 foo.txt <user_serverc>@localhost:

Remember to use correct case of p with scp and ssh

It's possible and relatively easy, even when you need to use certificates for authentication (typical in AWS environments).

The command below will copy files from a remotePath on server2 directly into your machine at localPath. Internally the scp request is proxied via server1.

scp -i user2-cert.pem -o ProxyCommand="ssh -i user1-cert.pem -W %h:%p user1@server1" user2@server2:/<remotePath> <localpath>

The other way around also works (upload file):

scp -i user2-cert.pem -o ProxyCommand="ssh -i user1-cert.pem -W %h:%p user1@server1" <localpath> user2@server2:/<remotePath>

If you use password authentication instead, try with

scp -o ProxyCommand="ssh -W %h:%p user1@server1" user2@server2:/<remotePath> <localpath>

If you use the same user credentials in both servers:

scp -o ProxyCommand="ssh -W %h:%p commonuser@server1" commonuser@server2:/<remotePath> <localpath>

The -W option is built into new(er) versions of OpenSSH, so this will only work on machines that have the minimum version (5.4, unless your distro back-ported any features; e.g., RHEL6 OpenSSH 5.3p1 includes this feature). Per the release notes: http://www.openssh.com/txt/release-5.4

Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers.

%h and %p are placeholders for the host and port.

This isn't scp (which OP requested), but I found it super simple to use rsync to copy from local to remote over a single hop with:

rsync -v -e 'ssh -A -t user@jumpserver ssh -A -t user@destinationserver' /path/to/sourcefile :/path/to/destination

Source: http://mjbright.blogspot.com/2012/09/using-rsync-over-multi-hop-ssh.html

I had tried the -o ProxyPass suggestion above and didn't want to change config for my changing needs. As the author in the link above states, the destination file preceding colon (:) is important to indicate the specified path is on the destination server. Also, using rsync, you have the options of date compare, folder sync, etc. I hope this helps someone!

If you want to be really wicked, you could chain ssh and tar, something like tar c mydir | ssh server "ssh otherserver | tar x", but this can run into all hands of problems.

The easier way would be just to set up an SSH tunnel with the built-in methods of SSH; look at the -D switch in the manpage and just forward some port to the other server's ssh port.

You can also do this in reverse and is maybe easier.

Supposing you have an ssh session opened with the machine you want to send the file to. This farthest-hop PC, we'll call this hop2. Your "proxy" host will be hop1. The PC that is file-origin, we'll call that origin.

origin:~/asdf.txt  --> hop1 --> hop2:~/asdf.txt

You can build tunnels making a local port available on a remote PC. We're thereby defining a port to open on the remote PC, which will be a redirect to the port you pulled over with you when you built the tunnel.

On hop2:

ssh -R 5555:127.0.0.1:22 <hop1_user>@<hop1_IP>
#this has the effect of building a tunnel from hop2 to hop1, making hop2's port 22 available on hop1 as port 5555

Now in that opened tunnel session, you can do the same from hop1 to file_origin.

On hop1:

ssh -R 6666:127.0.0.1:5555 <origin_user>@<origin_IP>
#this has the effect of building a tunnel from hop1 to origin while also pulling the active tunnel with it, making hop1's port 5555 (hop2's port 22) available on origin as port 6666.

You are now tunneled from hop2 to hop1 to origin. Coincidentally, now both port 5555 and 6666 are open on origin, which are redirects to hop2's port 22. Within this session, both of the following are valid scp routes to hop2:

On origin:

scp -P 6666 ~/asdf.txt <hop2_user>@<127.0.0.1>:~/asdf.txt

In this way, you can have some arbitrary number of hops in between, and it's easier to work with in terms of chaining together more than two hops.

Try adapring the following example openssh config for a setup that can be used for multiple hosts:

Host uat-*
     ProxyCommand ssh bastion-uat nc %h %p

This presumes a set of servers that begin with "uat-" that are only accessible via the jumpbox/gateway server "bastion-uat". You probably also want to add ForwardAgent yes if you are using a key to login.

scp -o 'ProxyJump jumpboxname' somefilename.txt finaldestinationhost:/tmp/.