Small SSH config change becomes a massive time saver when using a jump (bastion) host

Written by - 2 comments

Published on - Listed in Linux

Companies often use an SSH jump host (also called a bastion host) from which administrators connect on to further SSH servers in the internal networks. This architecture improves security and significantly reduces the (public) attack surface: only the jump host needs to accept SSH connections from the outside.

Two SSH connections

To connect to the target server, there are two SSH connections necessary:

1) SSH connection to the jump host

2) SSH connection from the jump host to the target server

With SSH key authentication and agent forwarding (ssh -A), the private key on the SSH client is used for the second SSH connection, too: the ssh process on the jump host asks the forwarded agent to sign the authentication challenge for the target server. Keep in mind that while the session is open, anyone with root access on the jump host can use the forwarded agent to authenticate as you. This is how it looks in practice:

# Add private key to ssh-agent:
ck@mint ~ $ ssh-add /home/ck/.ssh/id_rsa
Enter passphrase for /home/ck/.ssh/id_rsa: ********************
Identity added: /home/ck/.ssh/id_rsa (/home/ck/.ssh/id_rsa)

# SSH connection to jump host (-A for SSH agent forwarding):
ck@mint ~ $ ssh -A

# SSH connection from jump host to the target server
ck@jumphost:~$ ssh targetserver.corp.internal

Although this works, it always requires connecting to the jump host first and then typing the connection settings for the target server, so the "work" of establishing an SSH connection is done twice.

Another problem is doing file transfers using scp or sftp. The files first need to be transferred from the target server to the jump host and then from the jump host to the ssh client.

Wouldn't it be nice, if this ssh jumping would be handled automatically in the background?

Using ProxyJump in ssh config

With the release of OpenSSH 7.3 in August 2016 a new feature was added:

 * ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through one or more SSH bastions or "jump hosts".

Although many years have passed since this release, the ProxyJump config option (or -J command line parameter) is not known to many SSH users. At least it was not known to me, having used SSH since at least 2005.

By defining the target server(s) in the local SSH config (on the SSH client) and adding the ProxyJump config option, we can directly define the jump host for the target server. The jump host is referred to here by the name shown in its prompt above (jumphost); substitute the real hostname:

ck@mint ~ $ tail .ssh/config

Host *.corp.internal
  User ck
  IdentityFile ~/.ssh/id_rsa
  ProxyJump jumphost
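One detail of ssh_config that bites people with wildcard ProxyJump entries: ssh keeps the first value it finds for an option, and a pattern like `Host *.corp.internal` also matches the jump host itself if it lives in the same domain, which would make ssh try to proxy the jump host through itself. The fix is an entry for the jump host with `ProxyJump none` placed before the wildcard. The script below is an added example (not from the original post) that writes two constructed config files and resolves the effective ProxyJump value the way ssh does (first match wins, Host patterns are shell-style globs, `!` negates). All host names are hypothetical; Match and Include blocks are not handled.

```shell
#!/bin/sh
# Added example: resolve the effective ProxyJump for a host following
# ssh_config semantics (first obtained value wins). Host names are hypothetical.
set -f   # no pathname expansion: "*.corp.internal" must stay a pattern

# Constructed config: jump host exempted BEFORE the wildcard entry.
write_demo_config() {
    cat >"$1" <<'EOF'
# The jump host must not be proxied through itself, so exempt it first.
Host jumphost.corp.internal
  ProxyJump none
  User ck

Host *.corp.internal
  User ck
  IdentityFile ~/.ssh/id_rsa
  ProxyJump jumphost.corp.internal

Host *
  ForwardAgent no
EOF
}

# Same content with the exemption AFTER the wildcard: ssh keeps the first
# ProxyJump it sees, so the exemption is silently ignored (a loop).
write_broken_config() {
    cat >"$1" <<'EOF'
Host *.corp.internal
  User ck
  ProxyJump jumphost.corp.internal

Host jumphost.corp.internal
  ProxyJump none
EOF
}

# host_matches PATTERNS TARGET: succeeds if TARGET matches the Host line.
# A negated pattern ("!pat") that matches makes the whole line not match.
host_matches() {
    patterns=$1; target=$2; matched=0
    for pat in $patterns; do
        case "$pat" in
            !*) neg=${pat#!}
                case "$target" in $neg) return 1 ;; esac ;;
            *)  case "$target" in $pat) matched=1 ;; esac ;;
        esac
    done
    [ "$matched" -eq 1 ]
}

# effective_proxyjump CONFIG TARGET: prints the ProxyJump value ssh would use
# ("none" when disabled, nothing when no entry applies).
effective_proxyjump() {
    cfg=$1; target=$2; active=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}        # strip leading whitespace
        case "$line" in ''|'#'*) continue ;; esac      # blank lines and comments
        key=$(printf '%s' "${line%%[[:space:]]*}" | tr 'A-Z' 'a-z')
        val=${line#*[[:space:]]}
        val=${val#"${val%%[![:space:]]*}"}
        case "$key" in
            host)      if host_matches "$val" "$target"; then active=1; else active=0; fi ;;
            proxyjump) if [ "$active" -eq 1 ]; then printf '%s\n' "$val"; return 0; fi ;;
        esac
    done <"$cfg"
    return 0
}

demo() {
    good=$(mktemp); write_demo_config "$good"
    bad=$(mktemp);  write_broken_config "$bad"
    printf 'target server      -> %s\n' "$(effective_proxyjump "$good" targetserver.corp.internal)"
    printf 'jump host          -> %s\n' "$(effective_proxyjump "$good" jumphost.corp.internal)"
    printf 'jump host (broken) -> %s\n' "$(effective_proxyjump "$bad" jumphost.corp.internal)"
    rm -f "$good" "$bad"
}
demo
```

On a real client the authoritative check is `ssh -G targetserver.corp.internal | grep -i proxyjump`, which prints the configuration ssh will actually apply after all Host and Match blocks are evaluated. The same hop can be given ad hoc with `ssh -J jumphost targetserver.corp.internal`; several bastions are chained with a comma-separated list such as `-J user1@bastion1,user2@bastion2`.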

With that config in place, we can now use ssh to "directly" connect to the target server:

ck@mint ~ $ ssh targetserver.corp.internal
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)

ck@targetserver:~$ hostname

Of course this still uses the jump host in the background: ssh first connects to the jump host and tunnels the second SSH session through it, so authentication and host key verification for the target server happen end-to-end between your client and the target, and agent forwarding (-A) is not needed for the hop. To you and me as the user on the SSH client it looks like a single connection.

The same "single connection" also works for file transfers. Instead of copying a file from the target server twice, we can directly transfer it (via jump host in the background) to our local SSH client:

ck@mint ~ $ scp targetserver.corp.internal:/tmp/xxx .
xxx                                                              100%    0     0.0KB/s   00:00   

I wish I knew this sooner

As I mentioned above, I have been using SSH connections since at least 2005. In the last couple of years I have come across a lot of systems and networks with an SSH jump host. Having successfully tested the ProxyJump SSH option now, I experienced this rare "WOW!" moment. I wish I had come across this very handy ProxyJump option sooner; it would have saved me so much time (doing the ssh connection twice) and would have saved me many troubles with file transfers.

Definitely happy now, knowing future SSH sessions via a jump host will be faster and easier.


Comments (newest first)

ck from Switzerland wrote on Mar 23rd, 2023:

draugas, sorry, no idea - I do not know teleport.

draugas from Vilnius wrote on Mar 22nd, 2023:

Any way to use jump through Teleport?