Problem:
- ssh agent forwarding (ssh -A) through hop hosts: root on any hop can use the forwarded agent socket
- ssh chaining/nesting (ssh h1 'ssh h2 "ssh h3"')
  - the session is decrypted and re-encrypted on h1 and h2 (cleartext data on every hop)
- no scp through a nested ssh (ssh -t galileo ssh tina)

Solution ssh stacking (ssh -o ProxyCommand):
- SSH option ProxyCommand: 
  Instead of creating a TCP connection, SSH will communicate using the
  proxy program's standard input and output streams.

# minimal (relay through the intermediate host wall.example.com):
cat >> .ssh/config << EOF
Host dest
  HostName dest.example.com
  ProxyCommand ssh userx@wall.example.com nc -w 1 %h %p
EOF
# since ssh-v5.3 nc can be replaced by ssh's own netcat mode:
#   ProxyCommand ssh -W %h:%p userx@wall.example.com   (untested, please give feedback)
# -w 1 = netcat [1] timeout in seconds for the connect (and the final net read)
# %h = HostName of dest (dest.example.com), %p = its Port (22); both are expanded
#      on the local pc before the proxy command is started

# comfortable:
cat >> .ssh/config << EOF
# defaults for all firm hosts (ssh uses the first value found for each option,
# so the host-specific blocks below only add options not set here)
Host *.example.com wall dest
  User userx
  Port 22
  IdentityFile ~/.ssh/id_firma
  ServerAliveInterval 240

Host dest
  HostName dest.example.com
  # the proxy runs on wall, which connects onward to dest:22
  ProxyCommand ssh wall nc %h %p
  # alternative if socket(1) instead of nc is installed on wall:
  #ProxyCommand ssh wall socket -q %h %p
  ## additional forward localhost:33306 to dest:3306
  # LocalForward 33306 localhost:3306

Host wall
  HostName wall.example.com
EOF

ssh -v dest   # relevant debug output (here with the socket variant enabled):
debug1: Reading configuration data /home/userx/.ssh/config
debug1: Applying options for dest
debug1: Applying options for *
debug1: Executing proxy command: exec ssh wall socket -q dest.example.com 22

localpc --- (ssh wall 'nc dest.example.com 22') --- wall --- (nc dest.example.com 22) --- dest:22
       \                                                                                  /
         ---- (ssh dest, end-to-end, carried over stdin/stdout of "ssh wall nc ...") -----

Useful for:
- scp dest:file .  # where dest is behind a firewall
- CVSROOT=dest && CVS_RSH=ssh
- further nesting (a ProxyCommand on dest reaching a host behind it)
- ssh -X dest
- ssh -L3128:proxy.example.com:3128 dest  # port forwarding through dest

Advantage:
- more secure than chaining: the ssh session to dest is end-to-end encrypted,
  wall only relays ciphertext and never sees the data or needs the agent

Disadvantage:
- the local pc carries the encryption load of every layer (one ssh per hop plus
  the end-to-end one), so CPU load grows with the number of hops and is not
  spread over the hop hosts

Winscp:
 - Fill in the host name and user name of the final destination host (dest).
 - Check the "Advanced options" box in the login dialog.
 - Select the Connection - Tunnel page.
 - Check the "Connect through SSH tunnel" box.
 - Fill in the host name and user name of the intermediate host (wall).
 - The first password prompt belongs to the intermediate host.

securing:
 - use SSH public keys/identities; on the intermediate hosts restrict the key in
   authorized_keys with the 'command=' option (plus no-pty, no-port-forwarding, ...)
   so it can only run the relay (nc %h %p) and nothing else
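An added example of such a restricted key on the intermediate host wall (this is not code from the original page): a small POSIX sh wrapper used as the forced command. sshd puts the command the client asked for (the "nc dest.example.com 22" sent by the ProxyCommand) into SSH_ORIGINAL_COMMAND; the wrapper only honours "nc <allowed host> 22" and refuses everything else, so the key can neither open a shell nor relay to arbitrary hosts. The script path /usr/local/bin/tunnel-only, the allowlist and the key comment are assumptions.

```shell
#!/bin/sh
# tunnel-only: forced-command wrapper for the relay key on the intermediate host (wall).
# Added example, not part of the original page. Assumed authorized_keys line on wall
# (constructed; key material elided):
#   command="/usr/local/bin/tunnel-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... userx@localpc
# sshd runs this script instead of the client's command and puts the client's
# command (e.g. "nc dest.example.com 22" from the ProxyCommand) into SSH_ORIGINAL_COMMAND.

# Hosts this key may relay to (constructed allowlist, one name per word).
ALLOWED_HOSTS="dest.example.com db.example.com"

# check_tunnel_request "<command>": accept only "nc <allowed host> 22".
# On success sets TUNNEL_HOST/TUNNEL_PORT and returns 0; otherwise returns 1.
check_tunnel_request() {
    TUNNEL_HOST= TUNNEL_PORT=
    cmd= host= port= extra=
    # read(1) splits on whitespace without globbing, unlike an unquoted $1
    read -r cmd host port extra <<EOF
$1
EOF
    [ "$cmd" = "nc" ] || return 1          # only the relay tool: no shell, no scp
    [ "$port" = "22" ] || return 1         # only the ssh port of the target
    [ -z "$extra" ] || return 1            # no trailing options (e.g. nc's -e)
    case "$host" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;   # reject empty names and shell metacharacters
    esac
    for h in $ALLOWED_HOSTS; do
        if [ "$h" = "$host" ]; then
            TUNNEL_HOST=$host
            TUNNEL_PORT=$port
            return 0
        fi
    done
    return 1
}

# Only act when started by sshd as a forced command (SSH_ORIGINAL_COMMAND set).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_tunnel_request "$SSH_ORIGINAL_COMMAND"; then
        # no -w: some nc versions treat it as an idle timeout and drop the relay
        exec nc "$TUNNEL_HOST" "$TUNNEL_PORT"
    fi
    logger -t tunnel-only "refused relay request: $SSH_ORIGINAL_COMMAND"
    echo "tunnel-only: request refused" >&2
    exit 255
fi
```

The wrapper ignores whatever options the client appended to nc and rebuilds the command itself from the validated host and port, so the client side of the ProxyCommand can stay exactly as configured above; refused requests are logged on wall, which is also the place to alert on them.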
   
Errors:
 - debug1: Next authentication method: password
   dest's password: 
   debug2: we sent a password packet, wait for reply
   Write failed: Broken pipe
   # seen with option -w 5 for /usr/bin/nc (25864 bytes) of CentOS 5.4: that
   # (OpenBSD-derived) nc also closes the connection when it and stdin are idle
   # for -w seconds, so waiting at the password prompt kills the relay

Solution ssh stacking (ssh port forwarding):
$ ssh -f wall -L 9999:dest:22 sleep +1d        # background session to wall, local port 9999 -> dest:22
$ ssh -o HostKeyAlias=dest localhost -p 9999   # HostKeyAlias: verify dest's host key, not one for "localhost"

Disadvantage:
- two (more complex) commands are needed instead of one
- every further destination needs a further local port (9999, ...)

Other solutions (netcat not installed on the gateway; needs bash on the gateway
for /dev/tcp, cf. [4]):
 - ProxyCommand ssh {gw} 'exec 3<>/dev/tcp/{host}/22; (cat <&3 & ); cat >&3'
 - ProxyCommand ssh {gw} 'exec 3<>/dev/tcp/{host}/22; cat <&3 & cat >&3; kill $!'
   ({gw} = the gateway, e.g. wall; {host} = %h; kill $! ends the background reader
   once the client's stdin closes; possibly also close the fd afterwards: exec 3>&-)

Sources:
[1] netcat (nc) 0.7.1, Jan 2004, GPL; md5 088def25efe04dcdd1f8369d8926ab34  netcat-0.7.1.tar.gz
[2] Bulbous - Multihop SSH
[3] ssh_config(5) manpage
[4] http://www.rschulz.eu/2008/09/ssh-proxycommand-without-netcat.html

Please give feedback if you want changes on this website.