There are plenty of articles and documents on SSH tunneling so I won’t add any details on these for this post. The examples below are done on macOS Sierra.  There are other examples on the net of this process but this is what worked for me.


  • Machine A is the broker host the machine you have access to directly, i.e. your VPN or other policy allows you to directly access this machine.
  • Machine B is the Target host, the machine you cannot ssh to via your VPN or for other security reasons.  i.e. you can only access this machine once on Machine A.


Ensure to install “nmap-ncat.x86_64 2:6.40-7.el7″, via yum install nc on Machine A otherwise:

bash: nc: command not found

ssh_exchange_identification: Connection closed by remote host

Edit you ~/.ssh/config file and add the following entry:

If you see the following error in your config file remove the comments after the first “Host line”

ssh somehost

/Users/alinafe.matenda/.ssh/config line 525: garbage at end of line; “#theweb…”.

vi ~/.ssh/config

Host machinea         # machine a is the host you can access (the broker)
  Hostname xx.xx.xx.xx # Add machine a’s ip address
User oracle # The user with permission to accesss Machine B
Host tunneltob # Some meaningful name for your Target machine
ProxyCommand ssh -q machinea nc hostname.or.ipaddress.of.machineb 22

Optionally you can include the full directory path for nc if you recive a not found error.  On machine A, type “which nc”, may default to /bin/nc RHEL7 or /usr/bin/nc on macOS Sierra.

to get to the machine from your local host:


.ssh ssh machineb

ssh: Could not resolve hostname machineb: nodename nor servname provided, or not known


.ssh$ ssh tunneltob

The authenticity of host ‘tunnelqatob (<no hostip for proxy command>)’ can’t be established.
RSA key fingerprint is SHA256:…………UE.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘tunneltob’ (RSA) to the list of known hosts.
alinafe.matenda@tunneltob’s password:
Last login: Wed Apr 26 10:16:21 2017 from 10….xx.xx
[alinafe.matenda@hostb-yea ~]$ exit