SCP via SSH tunnel works, then not, then works again

Need a little help here... done as much reading and digging as I can,
but still stuck.

I am using SSH to perform local port forwarding from my local machine
(L) to a remote machine (RA) behind a firewall at a remote site
(legitimately :^)). The port forwarding is done through an account
(gwaccount) on a gateway machine (GW).

When I then try to establish a tunnel to another remote machine (RB) at
the remote site, I receive an error message indicating the remote host
identification has changed. When I switch the other end of the tunnel
back to remote host RA, the tunnel works again.

To be more specific:

1. I first establish an SSH agent on my end and load it with the
required identifying information, as follows (commands are in Korn

eval $(ssh-agent)

This works fine, as far as I can see.

2. Next, establish the tunnel using SSH:

ssh -f -N -L 2222:RA:22 gwaccount@GW

If I understand things correctly, this should establish a local
forwarding which maps local port 2222 to port 22 on remote host RA,
behind the remote firewall, by way of the account gwaccount on remote
gateway GW. OK so far.

3. Finally, copy the remote files through the tunnel using scp:

scp -P 2222 gwaccount@localhost:remote_filename local_filename

This works to remote host RA without a problem.

I then make sure all of the ssh-agent and ssh processes from steps 1-3
are dead.

4. When I change the tunnel in #2 to remote host RB:

ssh -f -N -L 2222:RB:22 gwaccount@GW

the verbose output from ssh indicates the port forwarding of local port
2222 to remote port 22 on RB was set up.

5. Finally, when I try to copy the same file from host RB:

scp -P 2222 gwaccount@localhost:remote_filename local_filename

the command fails, and I get error messages about the remote host
identification changing, and referring me to item 2 in the local
known_hosts file, which is 'localhost'.

6. Again nuking stray processes, and repeating steps 1-3, it works
again (copying from RA, that is).

I've checked the authorized_keys and known_hosts files in ~/.ssh on the
gateway machine. The authorized_keys contains entries for my local
account on local host L, as well as the access information to remote
hosts RA and RB (which are ostensibly identical, sharing the same
~/.ssh directory for the accounts on RA and RB). The known_hosts file
on GW contains entries for L, RA, and RB.

So where do I look next? Could there be some subtle configuration
difference between the remote machines? I can manually log in from GW
to both RA and RB without a problem, using ssh.

Any help would be greatly appreciated. And I'll gladly help you with
any physics/astronomy homework in return :^).

Eric Winter

Eric Winter (
Suzaku Guest Observer Facility, NASA Goddard Space Flight Center
Phone: (301) 286-2316   GSFC Building 6, Room S117
"Sweet are the uses of adversity;
 Which, like the toad, ugly and venomous,
 Wears yet a precious jewel in his head."
- Shakespeare, _As You Like It_, Act II, Scene I

Re: SCP via SSH tunnel works, then not, then works again

Add "-o HostKeyAlias=RA" to this.


Add "-o HostKeyAlias=RB" to this.

As far as ssh is concerned, "localhost:2222" is the same host both times
and it gets rather upset when it sees the host key has changed.

I'll keep this in mind should I ever study either physics or astronomy :-)

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
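
Why one `localhost:2222` name trips the host key check for RB, and what the `-o HostKeyAlias=...` option from the reply changes, as an added example that is not part of the original thread. It is a simplified shell model of the known_hosts lookup, not OpenSSH code: the function names and key strings are constructed for illustration, and the `[host]:port` naming is what current OpenSSH uses for non-default ports (the poster's file shows plain `localhost`; either way both tunnels share one name).

```shell
#!/bin/sh
# Simplified model of ssh's known_hosts check. Plain (unhashed) entries only;
# marker lines such as @cert-authority are skipped. Key strings are constructed
# placeholders, not real host keys.

# lookup_name HOST PORT [ALIAS]: the name ssh searches for in known_hosts.
# A HostKeyAlias replaces the connection name; otherwise current OpenSSH
# uses HOST for port 22 and [HOST]:PORT for any other port.
lookup_name() {
    if [ -n "${3:-}" ]; then
        printf '%s\n' "$3"
    elif [ "$2" = 22 ]; then
        printf '%s\n' "$1"
    else
        printf '[%s]:%s\n' "$1" "$2"
    fi
}

# check_host_key FILE NAME KEYTYPE KEY: prints ok, changed or unknown.
check_host_key() {
    awk -v name="$2" -v ktype="$3" -v key="$4" '
        NF < 3 || $1 ~ /^[#@]/ { next }
        {
            n = split($1, hosts, ",")
            for (i = 1; i <= n; i++)
                if (hosts[i] == name && $2 == ktype) {
                    if ($3 == key) { found = "ok" }
                    else if (found != "ok") { found = "changed" }
                }
        }
        END { print (found == "" ? "unknown" : found) }
    ' "$1"
}

# record_host_key FILE NAME KEYTYPE KEY: what accepting a new host key stores.
record_host_key() { printf '%s %s %s\n' "$2" "$3" "$4" >> "$1"; }

# Replays the thread: RA first, then RB, without and with HostKeyAlias.
demo() {
    kh=$(mktemp) || return 1
    record_host_key "$kh" "$(lookup_name localhost 2222)" ssh-ed25519 CONSTRUCTED_KEY_RA
    echo "RB, no alias: $(check_host_key "$kh" "$(lookup_name localhost 2222)" ssh-ed25519 CONSTRUCTED_KEY_RB)"
    record_host_key "$kh" "$(lookup_name localhost 2222 RB)" ssh-ed25519 CONSTRUCTED_KEY_RB
    echo "RB, alias RB: $(check_host_key "$kh" "$(lookup_name localhost 2222 RB)" ssh-ed25519 CONSTRUCTED_KEY_RB)"
    rm -f "$kh"
}
demo
```

With an alias per tunnel target, each host's key is pinned under its own name, so a key change on RA or RB is still detected for that host.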
