How can I download a file from a host I can only SSH to through another host?
If you have a recent OpenSSH (8.0) locally, you can use the -J (jump) switch:
scp -J user@intermediate user@target:/path
With older versions (but at least 7.3), you can use the ProxyJump directive, either on the command line:
scp -o ProxyJump=user@intermediate user@target:/path
or in the ssh_config file, as the answer by @Ángel shows.
There are other options like ProxyCommand or port forwarding, which you can use on even older versions of OpenSSH. These are covered in Does OpenSSH support multihop login?
The previous answers mention how to use the ProxyJump directive (added in OpenSSH 7.3) to connect through an intermediate server (usually referred to as the bastion host), but mention it just as a command line argument.
Unless it is a machine you won't be connecting to in the future, the best thing is to configure it in ~/.ssh/config.
I would put a file like:
Host office-machine
    Hostname yochay-machine.internal.company.local
    ProxyJump bastion-machine
Host bastion-machine
    Hostname organization-server.company.com
...
If you are using an earlier version of OpenSSH which doesn't support ProxyJump, you would replace it with the equivalent:
ProxyCommand ssh -W %h:%p bastion-machine
and if your local ssh version was a really ancient one that didn't support -W:
ProxyCommand ssh bastion-machine nc %h %p
although this last one requires that the bastion machine has nc installed.
The beauty of ssh is that you can configure each destination in the file, and they will stack very nicely. Thus you end up working with office-machine as the hostname on all the tools (ssh, scp, sftp...) as if they were direct connections, and they will figure out how to connect based on the ssh_config. You could also have wildcards like Host *.internal.company.local to make all hosts ending like that go through a specific bastion, and it will apply to all of them. Once configured correctly, the only difference between doing one-hop connections or twenty would be the slower connection times.
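The version cut-offs quoted in the two answers above, collected into one shell function; this is an added example, not code from either answer. The function name `jump_opts` is hypothetical, the 5.4 threshold for `-W` comes from the OpenSSH release notes rather than this page, and the bastion-name check is an addition (a ProxyCommand string is executed by the local shell, so only plain `[user@]host` names are accepted).

```shell
#!/bin/sh
# Added example, not from the answers above.
# jump_opts BANNER BASTION
#   BANNER  : text printed by `ssh -V` (it goes to stderr, capture with 2>&1),
#             e.g. "OpenSSH_8.9p1, OpenSSL 3.0.2"
#   BASTION : [user@]host of the intermediate machine
# Prints the option words for scp/ssh, one word per line.
jump_opts() {
    banner=$1
    bastion=$2

    # ProxyCommand text is run by the local shell, and a leading "-" would be
    # parsed as an option: accept only plain [user@]host names.
    case $bastion in
        ''|-*|*[!A-Za-z0-9._@-]*)
            echo "refusing bastion name: $bastion" >&2
            return 2 ;;
    esac

    # Extract "major minor" from the banner ("OpenSSH_6.6.1p1 ..." -> "6 6").
    ver=$(printf '%s\n' "$banner" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo "unrecognised ssh -V banner" >&2; return 1; }
    major=${ver% *}
    minor=${ver#* }
    n=$((major * 100 + minor))

    if   [ "$n" -ge 800 ]; then      # -J on scp, per the first answer
        printf '%s\n' -J "$bastion"
    elif [ "$n" -ge 703 ]; then      # ProxyJump directive (7.3+)
        printf '%s\n' -o "ProxyJump=$bastion"
    elif [ "$n" -ge 504 ]; then      # ssh -W (assumed threshold: 5.4)
        printf '%s\n' -o "ProxyCommand=ssh -W %h:%p $bastion"
    else                             # needs nc on the bastion
        printf '%s\n' -o "ProxyCommand=ssh $bastion nc %h %p"
    fi
}
```

Because the output is one word per line, split it on newlines only (IFS set to a newline, globbing off) before passing it to `scp` or `ssh`, so the ProxyCommand string stays a single argument.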
Sometimes we can just use the pipeline. That time is today.
ssh -A user@host1 ssh user@host2 cat filename > filename
You can upload too:
ssh -A user@host1 ssh user@host2 cat \\\> filename < filename
Yeah there are other solutions involving proxying, etc. but knowing how to do this is useful.