SSH jump host
An alternative to SSH tunneling for reaching internal machines through a gateway is to use jump hosts.
The idea is to have the local ssh client automatically run a second ssh command (via ProxyCommand, or its modern shorthand ProxyJump) that connects to the gateway and forwards all traffic for the next host through that connection.
Prerequisites
- SSH access to the gateway machine and the internal one.
- The gateway machine has Netcat installed (only required for the older ProxyCommand-with-nc approach; the ProxyJump and -J forms shown below need nothing but an SSH server on the gateway).
Dynamic jump host list
You can use the -J option to jump through a host:
user $
ssh -J host1 host2
If usernames or ports on machines differ, specify them:
user $
ssh -J user1@host1:port1 user2@host2 -p port2
Multiple jumps
The same syntax can be used to make jumps over multiple machines:
user $
ssh -J user1@host1:port1,user2@host2:port2 user3@host3
Static jump host list
A static jump host list means that you already know which jump host or hosts are needed to reach a given host, so you can record a static jump host 'route' in the ~/.ssh/config file. The advantage compared to the dynamic jump host option is that you do not have to maintain any ssh configuration on the jump hosts between your machine and the final host you want to reach; the whole route lives in your local configuration.
Setup
~/.ssh/config (ProxyJump example)
### First jump host. Directly reachable
Host betajump
    HostName jumphost1.example.org

### Host to jump to via jumphost1.example.org
Host behindbeta
    HostName behindbeta.example.org
    ProxyJump betajump
Usage
user $
ssh behindbeta
If usernames on the machines differ, specify them by modifying the corresponding ProxyJump line (the user given there is the login on the jump host; a User line in the host's own stanza sets the login on the final host):
~/.ssh/config (modify the corresponding ProxyJump line)
    ProxyJump otheruser@betajump
It works with scp command, too:
user $
scp filename behindbeta:~/
The colon and path at the end are needed so that scp treats the target as a remote host.
Multiple jumps
The same syntax can be used to make jumps over multiple machines:
~/.ssh/config (add this text)
### First jump host. Directly reachable
Host alphajump
    HostName jumphost1.example.org

### Second jump host. Only reachable via jumphost1.example.org
Host betajump
    HostName jumphost2.example.org
    ProxyJump alphajump

### Host only reachable via alphajump and betajump
Host behindalphabeta
    HostName behindalphabeta.example.org
    ProxyJump betajump
user $
ssh behindalphabeta
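As an added example that is not part of the wiki page, the following POSIX shell script generates the same three-host chain for ~/.ssh/config from an ordered list of alias:hostname pairs, derives the equivalent one-off command from the "Dynamic jump host list" section (the comma-separated -J argument), and, if an OpenSSH client is installed (6.8 or newer, which is when -G appeared), asks ssh which jump host it would actually use for the final alias. `ssh -G` only prints the resolved options and never connects, so it is a safe way to confirm a route before relying on it; a mistyped alias would otherwise quietly turn into a direct connection attempt. The alias and host names are the page's own examples; the function names gen_jump_chain, jump_arg, jump_of and resolve_with_ssh are chosen here and nothing on the page defines them.

```shell
#!/bin/sh
# Added example, not from the Gentoo wiki page: build a static ProxyJump
# chain for ~/.ssh/config, derive the matching -J argument, and check the
# route with `ssh -G` (prints effective options, makes no connection).
# Alias and host names are the page's examples; nothing is contacted.

# gen_jump_chain ALIAS:HOSTNAME [ALIAS:HOSTNAME ...]
# Prints one Host stanza per pair; every host after the first is reached
# via the previous alias (ProxyJump <previous>).
gen_jump_chain() {
    prev=""
    for pair in "$@"; do
        name=${pair%%:*}
        target=${pair#*:}
        if [ -z "$prev" ]; then
            printf '### First jump host. Directly reachable\n'
        else
            printf '### Only reachable via %s\n' "$prev"
        fi
        printf 'Host %s\n    HostName %s\n' "$name" "$target"
        if [ -n "$prev" ]; then
            printf '    ProxyJump %s\n' "$prev"
        fi
        printf '\n'
        prev=$name
    done
}

# jump_arg ALIAS:HOSTNAME [...]
# Prints the comma-separated intermediate aliases, i.e. the value the same
# route takes on the command line: ssh -J <list> <final alias>.
jump_arg() {
    out=""
    while [ $# -gt 1 ]; do
        name=${1%%:*}
        out=${out:+$out,}$name
        shift
    done
    printf '%s' "$out"
}

# jump_of CONFIG_TEXT ALIAS
# Minimal parser: prints the ProxyJump value of the Host stanza ALIAS in
# CONFIG_TEXT, or nothing if that stanza has no ProxyJump line.
jump_of() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Host"                     { cur = $2 }
        $1 == "ProxyJump" && cur == want { print $2 }'
}

# resolve_with_ssh CONFIG_TEXT ALIAS
# Writes CONFIG_TEXT to a private temp file (mktemp creates it mode 0600,
# which satisfies ssh's permission check on config files) and asks ssh -G
# for the proxyjump it would use for ALIAS. No connection is made.
resolve_with_ssh() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh not installed; skipping -G check" >&2
        return 0
    fi
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    ssh -G -F "$tmp" "$2" 2>/dev/null | awk '$1 == "proxyjump" { print $2 }'
    rm -f "$tmp"
}

cfg=$(gen_jump_chain \
    alphajump:jumphost1.example.org \
    betajump:jumphost2.example.org \
    behindalphabeta:behindalphabeta.example.org)

printf '%s\n\n' "$cfg"
printf 'Equivalent one-off command: ssh -J %s behindalphabeta\n' \
    "$(jump_arg alphajump:jumphost1.example.org \
                betajump:jumphost2.example.org \
                behindalphabeta:behindalphabeta.example.org)"
printf 'ssh -G says behindalphabeta jumps via: %s\n' \
    "$(resolve_with_ssh "$cfg" behindalphabeta)"
```

Append the printed stanzas to ~/.ssh/config (or write them to a separate file and pass it with -F) and keep that file writable only by your own user, since ssh refuses a config file other users can modify. The resolve_with_ssh check is worth running whenever the chain is edited: if it prints nothing for a host that should have a ProxyJump, the stanza name or its ProxyJump target is wrong.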
Tips
To make connecting even easier:
- Define shell aliases for these commands.
- Use OpenSSH keys so that no passwords have to be typed at each hop.
See also
- SSH — the ubiquitous tool for logging into and working on remote machines securely.