How to use SSH command and config with a jump (bastion) host and save a lot of time

Written by - 2 comments

Published on - last updated on August 14th 2023 - Listed in Linux

Companies often use an SSH jump host (also called a bastion server), which then allows connections to additional SSH servers in the internal networks. This system architecture improves security by significantly reducing the (public) attack surface.

Two SSH connections

To connect to the target server, two SSH connections are necessary:

1) SSH connection to the jump host

2) SSH connection from the jump host to the target server

With SSH key authentication and agent forwarding, the private key on the SSH client is also used for the second SSH connection. In practice this looks as follows:

# Add private key to ssh-agent:
ck@mint ~ $ ssh-add /home/ck/.ssh/id_rsa
Enter passphrase for /home/ck/.ssh/id_rsa: ********************
Identity added: /home/ck/.ssh/id_rsa (/home/ck/.ssh/id_rsa)

# SSH connection to jump host (-A for SSH agent forwarding):
ck@mint ~ $ ssh -A

# SSH connection from jump host to the target server
ck@jumphost:~$ ssh targetserver.corp.internal

Although this works, it always requires connecting to the jump host first and then entering the SSH connection settings for the target server, so the "work" of establishing an SSH connection is done twice.

Another problem is file transfers with scp or sftp: the files first need to be transferred from the target server to the jump host and then from the jump host to the SSH client.

Wouldn't it be nice if this SSH jumping were handled automatically in the background?

Using a Jump Server in the command

With the release of OpenSSH 7.3 in August 2016, a new feature was added:

 * ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through one or more SSH bastions or "jump hosts".

Although many years have passed since that release, the ProxyJump config option (or the -J command-line parameter) is not known to many SSH users. At least it was not known to me, and I have been using SSH since at least 2005.

With this parameter, the jump host can be defined in the same command that connects to the target server:

ck@mint ~ $ ssh admin@targetserver.corp.internal -J
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)

In the above example, I want to connect as the "admin" user to the target server in the internal network. The login on the jump server uses my own username "ck".

Instead of typing the jump host setting for every SSH connection, it can also be defined in the SSH (client) config.

Using ProxyJump in ssh config

By defining the target server(s) in the local SSH config (on the SSH client) and adding the ProxyJump config option, the jump host is set directly for the target server:

ck@mint ~ $ tail .ssh/config
Host *.corp.internal
  User admin
  IdentityFile ~/.ssh/id_rsa

With that config in place, we can now use ssh to "directly" connect to the target server:

ck@mint ~ $ ssh targetserver.corp.internal
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)

admin@targetserver:~$ hostname

Of course this still uses the jump host in the background, but to the user on the SSH client it looks like a single connection.

The same "single connection" also works for file transfers. Instead of copying a file from the target server twice, we can transfer it directly (via the jump host in the background) to our local SSH client:

ck@mint ~ $ scp targetserver.corp.internal:/tmp/xxx .
xxx                                                              100%    0     0.0KB/s   00:00   
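The following is an added example, not code from the original post: it writes a client config of the kind shown above (with the ProxyJump line included) and resolves which ProxyJump value OpenSSH would apply to a given hostname, using the same rule ssh(1) itself applies: the first obtained value for an option wins, and later Host blocks cannot override it. Because scp and sftp read the same client config, the resolution shown here is also what the file transfer above relies on. The jump host login ck@jumphost.corp.example, the config paths and all function names are assumptions for this illustration, not values from the post; the resolver handles only the whitespace-separated "Key value" form with `*` and `?` wildcards.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values:
# ck@jumphost.corp.example is a placeholder jump host login.

# Write a minimal ~/.ssh/config-style file to the path given in $1.
# No "ForwardAgent yes" is needed here: ProxyJump runs the second connection
# through a TCP forward (ssh -W) inside the first one, so the client's
# private key is never handed to the jump host.
write_jump_config() {
  cat > "$1" <<'EOF'
# The jump host itself is reached directly (user name is an assumed value)
Host jumphost.corp.example
  User ck
  IdentityFile ~/.ssh/id_rsa

# Everything in the internal domain is reached through the jump host
Host *.corp.internal
  User admin
  IdentityFile ~/.ssh/id_rsa
  ProxyJump ck@jumphost.corp.example
EOF
}

# Print the ProxyJump value that applies to host $2 under config file $1
# ("none" if no matching Host block sets one); exit status 0 only when found.
# Host patterns are matched with shell globbing, which covers ssh's '*' and
# '?' wildcards; negated ('!') patterns, Match blocks and the "Key=value"
# spelling are not handled by this small resolver.
proxyjump_of() (
  set -f                      # keep '*' patterns from expanding against the cwd
  cfg=$1
  target=$2
  in_match=0
  found=''
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line              # split on whitespace: $1 keyword, rest arguments
    [ $# -eq 0 ] && continue  # blank line
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    case $key in
      '#'*)
        continue ;;
      host)
        # A Host line may list several patterns; the block applies if any matches
        shift
        in_match=0
        for pat in "$@"; do
          case $target in
            $pat) in_match=1 ;;
          esac
        done ;;
      proxyjump)
        if [ "$in_match" -eq 1 ] && [ -z "$found" ]; then
          found=$2            # first obtained value wins, as in ssh(1)
        fi ;;
    esac
  done < "$cfg"
  printf '%s\n' "${found:-none}"
  [ -n "$found" ]
)

# Exit 0 when the first jump host chosen for $2 would itself be routed through
# a jump host. That is the usual way a wildcard Host block ends up pointing
# ssh at itself (e.g. ProxyJump jumphost.corp.internal under *.corp.internal).
jump_loops() {
  jump=$(proxyjump_of "$1" "$2") || return 1
  jhost=${jump%%,*}           # first hop of a comma-separated chain
  jhost=${jhost#*@}           # drop an optional user@ prefix
  jhost=${jhost%%:*}          # drop an optional :port suffix
  proxyjump_of "$1" "$jhost" >/dev/null
}

# Authoritative check with the real client when it is installed:
# `ssh -G` prints the effective options for a host without connecting.
effective_proxyjump() {
  command -v ssh >/dev/null 2>&1 || { echo "ssh not on PATH" >&2; return 2; }
  ssh -G -F "$1" "$2" | awk '$1 == "proxyjump" { print $2 }'
}
```

Source the file and call `write_jump_config /tmp/jump.cfg`, then `proxyjump_of /tmp/jump.cfg targetserver.corp.internal` to see which jump host applies; `jump_loops` is worth running after editing a wildcard block, because a jump host whose own name matches the wildcard is routed through itself. Where the ssh client is installed, `effective_proxyjump` asks it directly and is the answer to trust.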

I wish I knew this sooner

As I mentioned above, I have been using SSH connections since at least 2005. In the last couple of years I have come across a lot of systems and networks with an SSH jump host. Having successfully tested the ProxyJump SSH option now, I experienced this rare "WOW!" moment. I wish I had come across this very handy ProxyJump option sooner; it would have saved me so much time (doing the SSH connection twice) and would have saved me many troubles with file transfers.

Definitely happy now, knowing that future SSH sessions via a jump host will be faster and easier.

Comments (newest first)

ck from Switzerland wrote on Mar 23rd, 2023:

draugas, sorry, no idea - I do not know teleport.

draugas from Vilnius wrote on Mar 22nd, 2023:

Any way to use jump through teleport?
