How To Use A Jumphost in your SSH Client Configurations

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, August 06, 2015

Follow me on Twitter as @mattiasgeniar

Jumphosts are used as intermediate hops between your actual SSH target and yourself. Instead of using something like “unsecure” SSH agent forwarding, you can use ProxyCommand to proxy all your commands through your jumphost.

Using SSH Jumphosts

Consider the following scenario.

ssh_proxy_command_jump_host

You want to connect to HOST B and have to go through HOST A, because of firewalling, routing, access privileges, … There’s a number of legit reasons why jumphosts are needed, not just preferred.

Classic SSH Jumphost configuration

A configuration like this will allow you to proxy through HOST A.

$ cat .ssh/config

Host host-a
  User your_username
  Hostname 10.0.0.5

Host host_b
  User your_username
  Hostname 192.168.0.1
  Port 22
  ProxyCommand ssh -q -W %h:%p host-a

Now if you want to connect to your HOST B, all you have to type is ssh host_b, which will first connect to host-a in the background (that’s the ProxyCommand being executed) and start the SSH session to your actual target.

SSH Jumphost configuration with netcat (nc)

Alternatively, if you can’t/don’t want to use ssh to tunnel your connections, you can also use nc (netcat).

$ cat .ssh/config

Host host-a
  User your_username
  Hostname 10.0.0.5

Host host_b
  User your_username
  Hostname 192.168.0.1
  Port 22
  ProxyCommand ssh host-a nc -w 120 %h %p

This has the same effect.

Sudo in ProxyCommands

If netcat is not available to you as a regular user, because permissions are limited, you can prefix your ProxyCommand's with sudo. The SSH configuration essentially allows you to run any command on your intermediate host, as long as you have the privileges to do so.

$ cat .ssh/config

  ...
  ProxyCommand ssh host-a sudo nc -w 120 %h %p

ProxyCommand options allow you to configure SSH as you like, including jumphost configurations like these.



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.