A jump host, also known as a bastion host, is a server that acts as a bridge to access other servers in a private network. It serves as a secure gateway, allowing controlled access to internal hosts. When connecting to servers within a private network, you must first connect to the jump host before accessing the internal servers.

Connecting through a jump host can add complexity to the client-side configuration. To simplify the process, the SSH protocol provides the ProxyJump option. This option allows you to automate the connection through the jump server to the final destination, reducing the need for multiple manual logins.

The use of ProxyJump with public key authentication enhances security and convenience. This method is particularly useful for system administrators who need to access multiple hosts within a private network. Proper configuration of ProxyJump ensures secure and efficient access to internal servers.

Steps to SSH to remote hosts via a jump server:

  1. Open a terminal on your local machine.
  2. Confirm that you can manually log in to the jump host, and from the jump host to the internal host.
    user@host:~$ ssh user@gateway
    user@gateway's password: 
    user@gateway:~$ ssh user@internal
    user@internal's password: 
    user@internal:~$ exit
    logout
    Connection to internal closed.
    user@gateway:~$ exit
    logout
    Connection to gateway closed.
    user@host:~$ 
  3. Use the ProxyJump option to connect to the internal host through the jump host.
    user@host:~$ ssh -J user@gateway user@internal
    user@gateway's password: 
    user@internal's password: 
    user@internal:~$ exit
    logout
    Connection to internal closed.
    user@host:~$

    Use a comma-separated list of jump hosts if the connection requires multiple jumps.

    $ ssh -J user@gateway,user@gateway2 user@internal

    Append :port to the hostname or IP address if the SSH server on the jump host listens on a non-standard port.

    $ ssh -J user@gateway:2222 user@internal

    The ssh(1) manual describes the option as follows:

    -J destination
            Connect to the target host by first making a ssh connection to
            the jump host described by destination and then establishing a
            TCP forwarding to the ultimate destination from there.  Multiple
            jump hops may be specified separated by comma characters.  This
            is a shortcut to specify a ProxyJump configuration directive.
            Note that configuration directives supplied on the command-line
            generally apply to the destination host and not any specified
            jump hosts.  Use ~/.ssh/config to specify configuration for jump
            hosts.

    Set AllowAgentForwarding and AllowTcpForwarding to yes on the jump server if you're using an SSH agent or public key authentication.

  4. Open the SSH user config file in a text editor.
    $ vi ~/.ssh/config
  5. Add the jump host login information to the config file.
    Host gateway
            hostname 192.168.111.27
            user user
  6. Add the internal server information and the ProxyJump configuration.
    host internal
            hostname 192.168.111.38
            user user
            proxyjump gateway
  7. Save the configuration and connect directly to the internal server using the new setup.
    $ ssh internal
    user@192.168.111.27's password: 
    user@192.168.111.38's password: 
    user@internal:~$ 
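
To review which jump hosts a config like the one in steps 5-6 actually routes through, the following added example (not part of the original article) parses a simplified ~/.ssh/config and resolves each alias's ProxyJump chain, including a jump host that itself uses ProxyJump, and rejects loops. The gateway2 and internal2 entries, the function names and the simplified parsing rules are assumptions made for illustration.

```python
# Added example, not from the original page. Assumes one alias per Host line,
# no wildcards/Match/Include, and ProxyJump values that name one Host alias.
# Constructed sample: the page's two hosts plus hypothetical gateway2/internal2.
SAMPLE_CONFIG = """\
Host gateway
        hostname 192.168.111.27
        user user
host internal
        hostname 192.168.111.38
        user user
        proxyjump gateway
host gateway2
        port 2222
        proxyjump gateway
host internal2
        proxyjump gateway2
"""

def parse_config(text):
    """Return {alias: {keyword: value}}; keywords are case-insensitive."""
    hosts, current = {}, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)  # first value wins, as in ssh_config
    return hosts

def jump_chain(hosts, alias, seen=()):
    """Hops ssh connects through before reaching alias, first hop first."""
    if alias in seen:
        raise ValueError("ProxyJump loop: " + " -> ".join(seen + (alias,)))
    jump = hosts.get(alias, {}).get("proxyjump", "none")
    if jump.lower() == "none":
        return []
    return jump_chain(hosts, jump, seen + (alias,)) + [jump]

def route(hosts, alias):
    """Every endpoint `ssh <alias>` touches, as [user@]host[:port]."""
    out = []
    for name in jump_chain(hosts, alias) + [alias]:
        opts = hosts.get(name, {})
        user = opts["user"] + "@" if "user" in opts else ""
        port = ":" + opts["port"] if "port" in opts else ""
        out.append(user + opts.get("hostname", name) + port)
    return out
```

Joining every element of route(...) except the last with commas gives the value you would pass to -J to make the same connection explicitly.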