A jump host, also known as a bastion host, is a server that acts as a bridge to access other servers in a private network. It serves as a secure gateway, allowing controlled access to internal hosts. When connecting to servers within a private network, you must first connect to the jump host before accessing the internal servers.
Connecting through a jump host adds complexity on the client side. To simplify this, the OpenSSH client provides the ProxyJump option (-J on the command line). It automates the hop through the jump server to the final destination, so you no longer have to log in to each host by hand.
The use of ProxyJump with public key authentication enhances security and convenience. This method is particularly useful for system administrators who need to access multiple hosts within a private network. Proper configuration of ProxyJump ensures secure and efficient access to internal servers.
Steps to SSH to remote hosts via a jump server:
- Open a terminal on your local machine.
- Ensure you can manually log in to each host from the jump host.
user@host:~$ ssh user@gateway
user@gateway's password:
user@gateway:~$ ssh user@internal
user@internal's password:
user@internal:~$ exit
logout
Connection to internal closed.
user@gateway:~$ exit
logout
Connection to gateway closed.
user@host:~$
- Use the ProxyJump option to connect to the internal host through the jump host.
user@host:~$ ssh -J user@gateway user@internal
user@gateway's password:
user@internal's password:
user@internal:~$ exit
logout
Connection to internal closed.
user@host:~$
Use a comma-separated list of jump hosts if more than one hop is required:
$ ssh -J user@gateway,user@gateway2 user@internal
Append a colon and the port number to the hostname or IP address when the SSH server listens on a non-standard port:
$ ssh -J user@gateway:2222 user@internal
-J destination Connect to the target host by first making a ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive. Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified jump hosts. Use ~/.ssh/config to specify configuration for jump hosts.
ProxyJump opens a TCP forwarding channel through the jump server, so AllowTcpForwarding must be set to yes in its sshd_config; also set AllowAgentForwarding to yes there if you rely on SSH agent forwarding for public key authentication to the internal host.
- Open the SSH user config file in a text editor.
$ vi ~/.ssh/config
- Add the jump host login information to the config file.
Host gateway
    HostName 192.168.111.27
    User user
- Add the internal server information and the ProxyJump configuration.
Host internal
    HostName 192.168.111.38
    User user
    ProxyJump gateway
- Save the configuration and connect directly to the internal server using the new setup.
$ ssh internal
user@192.168.111.27's password:
user@192.168.111.38's password:
user@internal:~$
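The following script is an added example, not part of the original article: it generates the ssh_config stanzas described above for the gateway and the internal host, puts the non-standard port on the gateway stanza (the man page excerpt above explains that command-line options do not apply to jump hosts, so the config file is the place for that), and builds the comma-separated multi-hop string. The hostnames, addresses, user name and port 2222 are the article's sample values; the function names and the output file location are my own.

```bash
#!/usr/bin/env bash
# Added example: write the ProxyJump client configuration from the article
# to a file you choose, instead of editing ~/.ssh/config by hand.
set -eu

# gen_stanza NAME HOSTNAME USER [PORT] [PROXYJUMP]
# Print one ssh_config stanza; Port and ProxyJump lines appear only when set.
gen_stanza() {
  local name=$1 hostname=$2 user=$3 port=${4:-} jump=${5:-}
  printf 'Host %s\n    HostName %s\n    User %s\n' "$name" "$hostname" "$user"
  if [ -n "$port" ]; then printf '    Port %s\n' "$port"; fi
  if [ -n "$jump" ]; then printf '    ProxyJump %s\n' "$jump"; fi
  printf '\n'
}

# write_config FILE
# Gateway on port 2222 (article's sample), internal host reached via the
# gateway. The file is created 0600, as ssh expects for files under ~/.ssh.
write_config() {
  local file=$1
  (
    umask 077
    {
      gen_stanza gateway  192.168.111.27 user 2222
      gen_stanza internal 192.168.111.38 user "" gateway
    } > "$file"
  )
}

# jump_chain HOP1 HOP2 ...
# Build the comma-separated argument for "ssh -J" when several hops are needed.
jump_chain() {
  local IFS=,
  printf '%s' "$*"
}

# Demo: write to a temporary directory and display the result.
demo_dir=$(mktemp -d)
write_config "$demo_dir/config"
cat "$demo_dir/config"
printf 'multi-hop: ssh -J %s user@internal\n' "$(jump_chain user@gateway user@gateway2)"
```

After copying the stanzas into ~/.ssh/config, `ssh -G internal` prints the effective client settings so you can confirm that ProxyJump and the gateway's Port resolve as intended before connecting.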
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.