How to connect through a jump host in PuTTY

A jump host (bastion) provides controlled access to servers that are not reachable directly from the internet, such as internal machines on a private network or behind a firewall. Routing SSH through a jump host reduces exposure by limiting inbound access to a single hardened entry point while still enabling administration of protected targets.

When using PuTTY on Windows, a jump host can be used by running a local proxy command that first establishes an SSH connection to the jump host and then forwards a TCP stream to the destination server. PuTTY then performs the normal SSH handshake to the destination through that stream, preserving destination host key verification and end-to-end SSH encryption.

Jump host access must permit outbound connections to the destination and must allow forwarding (the SSH server may restrict direct-tcpip channels). First-time connections can prompt for host key acceptance for both the jump host and the destination, and accepting an unexpected fingerprint can enable a man-in-the-middle attack.

Related: How to connect via proxy server in PuTTY
Related: How to use Plink for automated SSH commands

Steps to connect through a jump host in PuTTY:

  1. Launch PuTTY on Windows.
  2. Enter the destination server hostname and port on the Session screen.
  3. Open the ConnectionProxy category.
  4. Select Local in the Proxy type list.
  5. Set the Proxy command to run Plink to the jump host using the jump host credentials. 
    "C:\Program Files\PuTTY\plink.exe" -ssh -P 22 -l jumpuser -i "C:\Users\username\Documents\keys\jump-host.ppk" jump.example.net -nc %host:%port

    Keep %host and %port literal so PuTTY substitutes the destination from the Session screen.

  6. Configure destination authentication under ConnectionSSHAuth when a destination .ppk key is required.
  7. Save the session profile on the Session screen.
  8. Start the connection by clicking Open.
  9. Confirm the jump host fingerprint prompt in the Plink window when shown.

    Accepting an unexpected jump host fingerprint can expose credentials and traffic metadata.

  10. Complete the jump host authentication prompt in the Plink window when required.
  11. Confirm the destination server fingerprint prompt in PuTTY when shown.

    Related: How to update or delete PuTTY host key fingerprints on Windows

  12. Log in to the destination server in the PuTTY terminal window.
  13. Verify the session is on the destination server by checking the hostname. 
    $ hostname
target-server