Private servers often accept SSH only from an administrative network, so a direct login from a workstation can fail even when the server is running. A jump host gives OpenSSH one approved gateway into that private network and lets the client reach the final host without exposing SSH on the public internet.

ProxyJump tells the local OpenSSH client to connect to the bastion first and ask that bastion to open a TCP connection to the final server. The target server still sees a normal SSH client session and still checks the target account, key, and host key; the jump host is only the network path in between.

The jump host must accept SSH from the client and must be allowed to open TCP forwarding toward the target's SSH port. ProxyJump does not require ForwardAgent when the private key remains on the client, but the jump server must not disable AllowTcpForwarding or block the target with PermitOpen rules.

Steps to connect to an SSH server through a jump host:

  1. Confirm that the client can log in to the jump host.
    $ ssh ops@bastion.example.net hostname
    bastion.example.net

    This login proves only the first hop. It does not prove that the bastion can reach the private server.

  2. Connect to the private server through the jump host with ProxyJump.
    $ ssh -J ops@bastion.example.net deploy@app.internal.example hostname
    app.internal.example

    Add :2222 to the jump host inside -J, such as ops@bastion.example.net:2222, only when the bastion's sshd listens on a non-default port.

    If the connection reaches the bastion and then fails with an administratively prohibited forwarding message, review AllowTcpForwarding and PermitOpen on the jump host.

  3. Create the per-user SSH configuration directory when it does not already exist.
    $ mkdir -p ~/.ssh

  4. Restrict the per-user SSH configuration directory to the local account.
    $ chmod 700 ~/.ssh

  5. Open the per-user SSH client configuration file.
    $ vi ~/.ssh/config

  6. Add a host alias for the jump host.
    Host bastion
      HostName bastion.example.net
      User ops

    Put jump-host-specific settings, such as Port or IdentityFile, in this block because destination-host command-line options do not reliably apply to jump hosts.

  7. Add a host alias for the private server and reference the jump host with ProxyJump.
    Host app-prod
      HostName app.internal.example
      User deploy
      ProxyJump bastion

    Add Port 2222 in this block when the final server's SSH service uses a non-default port.

  8. Restrict the client configuration file to the local account.
    $ chmod 600 ~/.ssh/config

    OpenSSH may ignore configuration files that are writable by other users.

  9. Show the resolved client configuration for the private host alias.
    $ ssh -G app-prod
    host app-prod
    user deploy
    hostname app.internal.example
    port 22
    proxyjump bastion
    ##### snipped #####

    ssh -G prints the settings after matching Host blocks, so the proxyjump line confirms that the saved alias will use the bastion route.

  10. Connect through the saved alias.
    $ ssh app-prod hostname
    app.internal.example
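
The checks in steps 8 and 9 can be scripted. The following is an added example, not part of the original procedure: it reads ssh -G output, confirms that the alias routes through the expected jump host without forwarding the agent, and checks that the configuration file is not writable by group or others. The function names and the sample output are constructed, and requiring forwardagent no is this example's policy, based on the note above that ProxyJump does not need ForwardAgent.

```shell
#!/bin/sh
# Added example: audit `ssh -G <alias>` output for the jump-host route.
# Function names and sample data are constructed for illustration.

# Print the value of one key (lowercase, as ssh -G prints it) from stdin.
ssh_g_value() {
    awk -v key="$1" '$1 == key { sub(/^[^ ]+ +/, ""); print; exit }'
}

# check_jump_route EXPECTED_JUMP  (reads `ssh -G` output on stdin)
# Returns 0 only when the alias routes through EXPECTED_JUMP and does not
# forward the agent (assumed policy: forwardagent must be "no").
check_jump_route() {
    resolved=$(cat)
    jump=$(printf '%s\n' "$resolved" | ssh_g_value proxyjump)
    agent=$(printf '%s\n' "$resolved" | ssh_g_value forwardagent)
    target=$(printf '%s\n' "$resolved" | ssh_g_value hostname)
    if [ -z "$jump" ]; then
        echo "FAIL: no proxyjump, ssh would dial $target directly"; return 1
    fi
    if [ "$jump" != "$1" ]; then
        echo "FAIL: proxyjump is '$jump', expected '$1'"; return 1
    fi
    if [ "$agent" != "no" ]; then
        echo "FAIL: forwardagent is '${agent:-unset}', expected 'no'"; return 1
    fi
    echo "OK: $target via $jump, agent not forwarded"
}

# config_is_private FILE: true when FILE exists and is not writable by group or others.
config_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Constructed sample of `ssh -G app-prod` output (abridged).
SAMPLE_GOOD='host app-prod
user deploy
hostname app.internal.example
port 22
forwardagent no
proxyjump bastion'

# Live use, assuming the aliases from this page exist:
#   ssh -G app-prod | check_jump_route bastion && config_is_private ~/.ssh/config
printf '%s\n' "$SAMPLE_GOOD" | check_jump_route bastion
```

A missing proxyjump line is reported as a failure because the alias would then attempt a direct connection to the private host instead of using the bastion.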