Using a bastion host or jump server simplifies security management, as hosts that are not public-facing do not need to be secured as much as the public-facing host. However, if you need to SSH to hosts within the private network, you must first SSH to the bastion host or jump server and then SSH to the other host from there.

This adds complexity on the client side, as you need to first log in to the bastion host or jump server, which acts as a gateway, before you can SSH to the desired host.

Some of the ways to access the internal network are to set up a VPN or proxy on the gateway and configure the client connection accordingly.

If the gateway host is an SSH server, however, you can use the built-in ProxyJump option, which automates logging in through multiple hosts to reach the final destination. Paired with public key authentication, this option could be a lifesaver for system administrators.

Steps to SSH to remote hosts through an SSH gateway:

  1. Launch terminal.
  2. Manually log in to each host from one another to make sure they are reachable.
    [email protected]:~$ ssh [email protected]
    [email protected]'s password: 
    [email protected]:~$ ssh [email protected]
    [email protected]'s password: 
    [email protected]:~$ exit
    logout
    Connection to internal closed.
    [email protected]:~$ exit
    logout
    Connection to gateway closed.
    [email protected]:~$ 
  3. Connect to the internal host using the -J option.
    [email protected]:~$ ssh -J [email protected] [email protected]
    [email protected]'s password: 
    [email protected]'s password: 
    [email protected]:~$ exit
    logout
    Connection to internal closed.
    [email protected]:~$

    Use a comma-separated list of jump hosts if multiple jump connections are required.

    $ ssh -J [email protected],[email protected] [email protected]

    Append : and the port number to the hostname or IP address if the SSH server uses a non-standard port.

    $ ssh -J [email protected]:2222 [email protected]

    -J destination
            Connect to the target host by first making a ssh connection to
            the jump host described by destination and then establishing a
            TCP forwarding to the ultimate destination from there.  Multiple
            jump hops may be specified separated by comma characters.  This
            is a shortcut to specify a ProxyJump configuration directive.
            Note that configuration directives supplied on the command-line
            generally apply to the destination host and not any specified
            jump hosts.  Use ~/.ssh/config to specify configuration for jump
            hosts.

    Set AllowAgentForwarding and AllowTcpForwarding to yes on the jump server if you're using an SSH agent or public key authentication.

  4. Open the SSH user config file using your preferred text editor.
    $ vi ~/.ssh/config
  5. Add the host and login information of the gateway server.
    Host gateway
            HostName 192.168.111.27
            User user
  6. Add the host and login information of the internal server along with the ProxyJump configuration.
    Host internal
            HostName 192.168.111.38
            User user
            ProxyJump gateway
  7. SSH directly to the internal server without specifying the -J option on the command line.
    $ ssh internal
    [email protected]'s password: 
    [email protected]'s password: 
    [email protected]:~$ 
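
The check below is an added example, not part of the original guide: it uses `ssh -G`, which prints the options OpenSSH would apply to a Host alias and exits without connecting, to confirm that `internal` really resolves through `gateway`. The sample file reuses the guide's aliases and addresses; port 2222 on the gateway, the IdentityFile path and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify how OpenSSH resolves a Host alias without connecting.
# `ssh -G` prints the effective client options and exits.

# write_sample_config FILE
# Constructed sample using the guide's aliases and addresses. Port 2222 and
# the IdentityFile path are assumptions for illustration.
write_sample_config() {
    cat > "$1" <<'EOF'
Host gateway
    HostName 192.168.111.27
    User user
    Port 2222
    IdentityFile ~/.ssh/id_ed25519

Host internal
    HostName 192.168.111.38
    User user
    ProxyJump gateway
EOF
}

# resolved FILE ALIAS KEY
# Print the effective value of KEY (lowercase, as -G prints it) for ALIAS.
resolved() {
    ssh -G -F "$1" "$2" | awk -v key="$3" '$1 == key { print $2; exit }'
}

# check_route FILE ALIAS JUMP
# Succeed only when ALIAS is reached through JUMP; a missing or different
# ProxyJump (for example after a typo in the alias) makes this fail.
check_route() {
    [ "$(resolved "$1" "$2" proxyjump)" = "$3" ]
}

# Usage:
#   cfg=$(mktemp) && write_sample_config "$cfg"
#   check_route "$cfg" internal gateway && echo "internal goes via gateway"
#   resolved "$cfg" gateway port        # the jump host's own settings
```

Settings for the jump host itself, such as its port and key, live in the `Host gateway` block because options given on the command line apply to the destination, as the -J manual text above notes.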
