How to connect to an SSH server through a jump server or bastion host

Using a bastion host or jump server allows for easier security management as hosts that are not public-facing do not need to be secured as much as the public-facing host. If you need to SSH to the hosts within the private network, you will need to first SSH to the bastion host or jump server and SSH to the other host from there.

Having to connect through multiple hosts adds complexity on the client side. Some ways to help are setting up a VPN or proxy on the gateway and configuring the client connection accordingly.

If the gateway host is an SSH server, you can use the built-in ProxyJump option to automate logging in to reach the end destination through multiple hosts. If paired with the public key authentication method, this option is extremely convenient for system administrators.

Steps to SSH to remote hosts through an SSH gateway:

Launch terminal.

Manually log in to each hosts from one another to make sure it's reachable.

user@host:~$ ssh user@gateway
user@gateway's password: 
user@gateway:~$ ssh user@internal
user@internal's password: 
user@internal:~$ exit
logout
Connection to internal closed.
user@gateway:~$ exit
logout
Connection to gateway closed.
user@host:~$

Connect to internal host using -J option.

user@host:~$ ssh -J user@gateway user@internal
user@gateway's password: 
user@internal's password: 
user@internal:~$ exit
logout
Connection to internal closed.
user@host:~$

Use comma-separated value for jump hosts if multiple jump connection is required

$ ssh -J user@gateway,user@gateway2 user@internal

Add : to hostname / IP address to specify port if non-standard is used for SSH server.

$ ssh -J user@gateway:2222 user@internal

-J destination
        Connect to the target host by first making a ssh connection to
        the jump host described by destination and then establishing a
        TCP forwarding to the ultimate destination from there.  Multiple
        jump hops may be specified separated by comma characters.  This
        is a shortcut to specify a ProxyJump configuration directive.
        Note that configuration directives supplied on the command-line
        generally apply to the destination host and not any specified
        jump hosts.  Use ~/.ssh/config to specify configuration for jump
        hosts.

Configure AllowAgentForwarding and AllowTcpForwarding to yes on the jump server if you're using SSH agent or public key authentication.

Open SSH user config file using your preferred text editor.
```
$ vi ~/.ssh/config
```

Add host and login information of the gateway server.

Host gateway
        hostname 192.168.111.27
        user user

Add host and login information of the internal server along with ProxyJump configuration

host internal
        hostname 192.168.111.38
        user user
        proxyjump gateway

Directly SSH to internal server without using ProxyJump configuration.

$ ssh internal
user@192.168.111.27's password: 
user@192.168.111.38's password: 
user@internal:~$

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.

Discuss the article:

Comment anonymously. Login not required.