Nicolas,

If i understand your request, fully...

I'll give you some info for OpenSSH (which you could use via Cygwin on your windows client), but i don't know if PuTTY has similar capability. (clearly, you've discovered plink.exe can do similar things)

(while this info may not apply directly to your problem, i figure it'll be of general interest)

----------------
Host bastion
    IdentityFile ~/.ssh/bastionkey
    User bastionuser

Host target
    IdentityFile ~/.ssh/targetkey
    User targetuser
    ProxyCommand ssh bastion nc target 22
----------------

If you have both keys on the client, a 'ssh target' will "do the right thing(tm)" here by finding the target directive, indirectly resolving to a bastion connection using the bastion key, then piggy-backing on the established bastion connection's netcat link to the target and applying the target key.

OpenSSH 5.5 or so has a builtin 'netcat' like facility using '-W target:port', i haven't started using that yet, as my normal systems (Debian Lenny) don't have that version.

Here's some hackery i have in my ~/.ssh/config file:

-----------------------
# Multi-(user+host) arbitrary gateway hopping
# usera%hosta!userb%hostb[!userc%hostc...]
# STILL requires using '-l userd' for destination user on command line (i.e. we ignore last
# user in specification)
# e.g. ssh -l root sdowdy@zia!root@umds0-vgw
Host *!*
    GatewayPorts no
    ProxyCommand $(h="%h";p="%p";ruh=${h##*\!};rh=${ruh##*\%%};ru=${ruh%%\%%*};ru=${ru:-${USER}};luh=${h%%\!*};lh=${luh##*\%%};lu=${luh%%\%%*};lu=${lu:-${USER}};echo ssh -l ${lu} ${lh} "\`type -p netcat nc | head -1\` ${rh} 22")
# h=host, p=port (expanded by openssh cmdline)
# ruh,rh,ru=remote user+host, remote host, remote user (successively pulled off right-hand-side)
# luh,lh,lu=local user+host, local host, local user (pulled off left-hand-side)
#
-----------------------

This directive allows you, if you use a Bourne-Shell/posix-shell, to hop via an arbitrary number of [user@]host[!...] connections via iterative deconstruction of the target specified within openssh. If you have any required keys in your client ssh-agent, they'll be appropriately applied down the chain.

(be careful of shell meta-character expansion of '!' -- I chose that after initially having chosen '::' as the gateway delimiter (DECnet style poor-man's routing), and finding that while it worked for 'ssh', it DOESN'T work for scp. '!' works for both ssh and scp.) You can use some other separator like "_", which isn't valid DNS.

The \`type -p netcat nc | head -1\` is simply used to work on SLES and *every other* linux distro, since SLES uses 'netcat' (nc on SLES is something else). That whole thing can be replaced with simply 'nc' if you don't need to deal with SLES. (and that's the primary requirement for a Bourne-alike shell.)

If i'm using the "bastion" (gateway) host frequently for multiple connections (i have a number of systems that have a backend RFC1918 network of compute nodes or data servers), i may use ControlMasters like:

Host gw1-* gw2-*
    User blah
    NumberOfPasswordPrompts 1
    ConnectTimeout 60
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p.sock

That way, i only authenticate once on the gateway host and use that ControlMaster connection as the piggyback for subsequent connections to that gateway and any hosts residing behind it. This is mainly useful on systems where i'm required to enter a password, instead of using authorized-key trust.

--stephen
-- 
Stephen Dowdy - Systems Administrator - NCAR/RAL
303.497.2869 - sdowdy@xxxxxxxx - http://www.ral.ucar.edu/~sdowdy/
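
Added example, not part of the original message: a POSIX shell helper (hypothetical name hops_to_config) that expands a hop chain written in the message's usera%hosta!userb%hostb notation into static ssh_config stanzas, each hop reached through the previous one with the '-W' option mentioned above. Because these names end up in a ProxyCommand that ssh hands to the shell, it rejects any user or host containing characters other than letters, digits, '.', '_' and '-'; the host and user names are constructed samples.

```sh
#!/bin/sh
# Added example (not the author's code). hops_to_config and valid_name are
# hypothetical helper names; the sample hop chain at the bottom is constructed.

# valid_name NAME: accept only letters, digits, '.', '_' and '-', and no
# leading '-' (ssh would parse a leading '-' as an option).
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# hops_to_config SPEC: print one Host stanza per hop of user%host!user%host...
# Every hop after the first is tunnelled through the previous hop.
hops_to_config() {
    spec=$1 prev='' out=''
    while [ -n "$spec" ]; do
        hop=${spec%%!*}                 # leftmost hop
        case "$spec" in
            *!*) spec=${spec#*!} ;;     # drop that hop and its '!' separator
            *)   spec='' ;;
        esac
        case "$hop" in
            *%*) user=${hop%%\%*} host=${hop#*\%} ;;
            *)   user=${USER:-} host=$hop ;;   # default user, as in the message
        esac
        valid_name "$user" && valid_name "$host" || {
            echo "rejected hop: $hop" >&2
            return 1
        }
        out="${out}Host ${host}
    User ${user}
"
        if [ -n "$prev" ]; then
            out="${out}    ProxyCommand ssh -W %h:%p ${prev}
"
        fi
        prev=$host
    done
    printf '%s' "$out"
}

# Constructed sample: three hops, each with an explicit user.
hops_to_config 'usera%hosta!userb%hostb!userc%hostc'
```

The output can be appended to ~/.ssh/config, after which 'ssh hostc' walks the whole chain without any shell expansion of the host name at connect time.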