How to connect through a jump host in PuTTY

A jump host (bastion) provides controlled access to servers that are not reachable directly from the internet, such as internal machines on a private network or behind a firewall. Routing SSH through a jump host reduces exposure by limiting inbound access to a single hardened entry point while still enabling administration of protected targets.

When using PuTTY on Windows, a jump host can be used by running a local proxy command that first establishes an SSH connection to the jump host and then forwards a TCP stream to the destination server. PuTTY then performs the normal SSH handshake to the destination through that stream, preserving destination host key verification and end-to-end SSH encryption.

Jump host access must permit outbound connections to the destination and must allow forwarding (the SSH server may restrict direct-tcpip channels). First-time connections can prompt for host key acceptance for both the jump host and the destination, and accepting an unexpected fingerprint can enable a man-in-the-middle attack.

Steps to connect through a jump host in PuTTY:

Launch PuTTY on Windows.
Enter the destination server hostname and port on the Session screen.
Open the Connection → Proxy category.
Select Local in the Proxy type list.
Set the Proxy command to run Plink to the jump host using the jump host credentials.
```
"C:\Program Files\PuTTY\plink.exe" -ssh -P 22 -l jumpuser -i "C:\Users\username\Documents\keys\jump-host.ppk" jump.example.net -nc %host:%port
```
Keep %host and %port literal so PuTTY substitutes the destination from the Session screen.
Configure destination authentication under Connection → SSH → Auth when a destination .ppk key is required.
Save the session profile on the Session screen.
Start the connection by clicking Open.
Confirm the jump host fingerprint prompt in the Plink window when shown.

Accepting an unexpected jump host fingerprint can expose credentials and traffic metadata.
Complete the jump host authentication prompt in the Plink window when required.
Confirm the destination server fingerprint prompt in PuTTY when shown.

Related: How to update or delete PuTTY host key fingerprints on Windows
Log in to the destination server in the PuTTY terminal window.
Verify the session is on the destination server by checking the hostname.
```
$ hostname
target-server
```

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.