Small SSH config change becomes a massive time saver when using a jump (bastion) host

Written by Claudio Kuenzler - 2 comments

Published on March 22nd 2023 - Listed in Linux

Companies often use a SSH jump host (also sometimes called a Bastion server) which then allows to connect to additional SSH servers in the internal networks. This is a system architecture to improve security and to significantly reduce the (public) attack surface.

SSH connection using a jump host before connecting to the target server

Two SSH connections

To connect to the target server, there are two SSH connections necessary:

1) SSH connection to the jump host

2) SSH connection from the jump host to the target server

By using SSH key authentication and agent forwarding, the private key from the SSH client is used in the second SSH connection, too. This is how this looks in a practical way:

# Add private key to ssh-agent:
ck@mint ~ $ ssh-add /home/ck/.ssh/id_rsa
Enter passphrase for /home/ck/.ssh/id_rsa: ********************
Identity added: /home/ck/.ssh/id_rsa (/home/ck/.ssh/id_rsa)

# SSH connection to jump host (-A for SSH agent forwarding):
ck@mint ~ $ ssh jumphost.example.com -A

# SSH connection from jump host to the target server
ck@jumphost:~$ ssh targetserver.corp.internal
ck@targetserver:~$

Although this works, it always requires to first connect to the jumphost, enter the ssh connection settings to the target server, therefore doing twice the "work" of establishing a SSH connection.

Another problem is doing file transfers using scp or sftp. The files first need to be transferred from the target server to the jump host and then from the jump host to the ssh client.

Wouldn't it be nice, if this ssh jumping would be handled automatically in the background?

Using ProxyJump in ssh config

With the release of OpenSSH 7.3 in August 2016 a new feature was added:

* ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".

Although many years have passed since this release, the ProxyJump config option (or -J command line parameter) is not known to many SSH users. At least it was not known to me, having used SSH since at least 2005.

By defining the target server(s) in the local SSH config (on the SSH client) and adding the ProxyJump config option, we can directly define the jump host for the target server:

ck@mint ~ $ tail .ssh/config

Host *.corp.internal
User ck
IdentityFile ~/.ssh/id_rsa
ProxyJump jumphost.example.com

With that config in place, we can now use ssh to "directly" connect to the target server:

ck@mint ~ $ ssh targetserver.corp.internal
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)
[...]

ck@targetserver:~$ hostname
targetserver

Of course this still uses the jump host in the background, but to you and me as user on the SSH client it looks like a single connection.

The same "single connection" also works for file transfers. Instead of copying a file from the target server twice, we can directly transfer it (via jump host in the background) to our local SSH client:

ck@mint ~ $ scp targetserver.corp.internal:/tmp/xxx .
xxx 100% 0 0.0KB/s 00:00

I wish I knew this sooner

I mentioned above, I have been using SSH connections since at least 2005. In the last couple of years I have come across a lot of systems and networks with a SSH jump host. Having successfully tested the ProxyJump SSH option now, I experienced this rare "WOW!" moment. I wish I came across this very handy ProxyJump option sooner, it would have saved me so much time (doing ssh connection twice) and would have saved me many troubles with file transfers.

Definitely happy now, knowing future SSH sessions via a jump host will be faster and easier.

Small SSH config change becomes a massive time saver when using a jump (bastion) host

Two SSH connections

Using ProxyJump in ssh config

I wish I knew this sooner

Add a comment

Comments (newest first)

Blog Tags: