Private servers often accept SSH only from an administrative network, so a direct login from a workstation can fail even when the server is running. A jump host gives OpenSSH one approved gateway into that private network and lets the client reach the final host without exposing SSH on the public internet.
ProxyJump tells the local OpenSSH client to connect to the bastion first and ask that bastion to open a TCP connection to the final server. The target server still sees a normal SSH client session and still checks the target account, key, and host key; the jump host is only the network path in between.
The jump host must accept SSH from the client and must be allowed to open TCP forwarding toward the target's SSH port. ProxyJump does not require ForwardAgent when the private key remains on the client, but the jump server must not disable AllowTcpForwarding or block the target with PermitOpen rules.
Steps to connect to an SSH server through a jump host:
- Confirm that the client can log in to the jump host.
$ ssh ops@bastion.example.net hostname
bastion.example.net
This login proves only the first hop. It does not prove that the bastion can reach the private server.
- Connect to the private server through the jump host with ProxyJump.
$ ssh -J ops@bastion.example.net deploy@app.internal.example hostname
app.internal.example
Add :2222 to the jump host inside -J, such as ops@bastion.example.net:2222, only when the bastion's sshd listens on a non-default port.
If the connection reaches the bastion and then fails with an administratively prohibited forwarding message, review AllowTcpForwarding and PermitOpen on the jump host.
- Create the per-user SSH configuration directory when it does not already exist.
$ mkdir -p ~/.ssh
- Restrict the per-user SSH configuration directory to the local account.
$ chmod 700 ~/.ssh
- Open the per-user SSH client configuration file.
$ vi ~/.ssh/config
- Add a host alias for the jump host.
Host bastion
    HostName bastion.example.net
    User ops
Put jump-host-specific settings, such as Port or IdentityFile, in this block because destination-host command-line options do not reliably apply to jump hosts.
- Add a host alias for the private server and reference the jump host with ProxyJump.
Host app-prod
    HostName app.internal.example
    User deploy
    ProxyJump bastion
Add Port 2222 in this block when the final server's SSH service uses a non-default port.
- Restrict the client configuration file to the local account.
$ chmod 600 ~/.ssh/config
OpenSSH may ignore configuration files that are writable by other users.
- Show the resolved client configuration for the private host alias.
$ ssh -G app-prod
host app-prod
user deploy
hostname app.internal.example
port 22
proxyjump bastion
##### snipped #####
ssh -G prints the settings after matching Host blocks, so the proxyjump line confirms that the saved alias will use the bastion route.
- Connect through the saved alias.
$ ssh app-prod hostname
app.internal.example
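The permission and ssh -G checks from the steps above can be combined into one repeatable audit. This is an added example, not part of the original procedure; the function names and the script name audit.sh are hypothetical, and the sample ssh -G output is constructed from the host names used on this page.

```shell
#!/bin/sh
# Added example: audit a saved ProxyJump alias. Function names are hypothetical.

# Constructed sample of `ssh -G app-prod` output, using the page's host names.
# Try: printf '%s\n' "$SAMPLE_G" | route_ok bastion app.internal.example
SAMPLE_G='host app-prod
user deploy
hostname app.internal.example
port 22
forwardagent no
proxyjump bastion'

# route_ok JUMP HOSTNAME: reads `ssh -G <alias>` output on stdin and succeeds
# only if the alias resolves to HOSTNAME through JUMP with agent forwarding off.
route_ok() {
    awk -v jump="$1" -v host="$2" '
        $1 == "proxyjump"    { pj = $2 }
        $1 == "hostname"     { hn = $2 }
        $1 == "forwardagent" { fa = $2 }
        END {
            if (pj != jump) { print "FAIL proxyjump=" pj " (want " jump ")"; bad = 1 }
            if (hn != host) { print "FAIL hostname=" hn " (want " host ")"; bad = 1 }
            if (fa != "" && fa != "no") { print "FAIL forwardagent=" fa; bad = 1 }
            exit bad + 0
        }'
}

# perms_ok PATH: fails when PATH is missing or writable by group or others.
perms_ok() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# audit_alias ALIAS JUMP HOSTNAME: checks the real client configuration.
audit_alias() {
    perms_ok "$HOME/.ssh" || { echo "FAIL ~/.ssh permissions"; return 1; }
    perms_ok "$HOME/.ssh/config" || { echo "FAIL ~/.ssh/config permissions"; return 1; }
    ssh -G "$1" | route_ok "$2" "$3" && echo "OK $1 via $2"
}

# Usage: sh audit.sh app-prod bastion app.internal.example
if [ "$#" -eq 3 ]; then audit_alias "$@"; fi
```

A missing proxyjump line fails the check, which catches an alias that would try to reach the private host directly instead of through the bastion.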
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.