How To Use A Jumphost in your SSH Client Configurations

Mattias Geniar, Thursday, August 6, 2015 - last modified: Sunday, August 9, 2015

Jumphosts are used as intermediate hops between you and your actual SSH target. Instead of using something like "insecure" SSH agent forwarding, you can use ProxyCommand to proxy all your commands through your jumphost.

Using SSH Jumphosts

Consider the following scenario.

[Figure: SSH ProxyCommand jump host diagram]

You want to connect to HOST B and have to go through HOST A, because of firewalling, routing, access privileges, ... There are a number of legitimate reasons why jumphosts are needed, not just preferred.

Classic SSH Jumphost configuration

A configuration like this will allow you to proxy through HOST A.

$ cat .ssh/config

Host host-a
  User your_username
  Hostname 10.0.0.5

Host host_b
  User your_username
  Hostname 192.168.0.1
  Port 22
  ProxyCommand ssh -q -W %h:%p host-a

Now if you want to connect to your HOST B, all you have to type is ssh host_b, which will first connect to host-a in the background (that's the ProxyCommand being executed) and start the SSH session to your actual target.

SSH Jumphost configuration with netcat (nc)

Alternatively, if you can't/don't want to use ssh to tunnel your connections, you can also use nc (netcat).

$ cat .ssh/config

Host host-a
  User your_username
  Hostname 10.0.0.5

Host host_b
  User your_username
  Hostname 192.168.0.1
  Port 22
  ProxyCommand ssh host-a nc -w 120 %h %p

This has the same effect.

Sudo in ProxyCommands

If netcat is not available to you as a regular user, because permissions are limited, you can prefix the netcat command in your ProxyCommand with sudo. The SSH configuration essentially allows you to run any command on your intermediate host, as long as you have the privileges to do so.

$ cat .ssh/config

  ...
  ProxyCommand ssh host-a sudo nc -w 120 %h %p

ProxyCommand options allow you to configure SSH as you like, including jumphost configurations like these.
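To see exactly which command the ssh client runs for each variant above, the following sketch expands %h and %p the way the configurations describe. It is an added example, not code from the original post; the function name proxy_for and the third host, host_c, are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample config mirroring the examples in this post; host_c is a
# hypothetical third host added to show the "sudo nc" variant.
SAMPLE_CONFIG='Host host-a
  User your_username
  Hostname 10.0.0.5

Host host_b
  User your_username
  Hostname 192.168.0.1
  Port 22
  ProxyCommand ssh -q -W %h:%p host-a

Host host_c
  Hostname 192.168.0.2
  ProxyCommand ssh host-a sudo nc -w 120 %h %p
'

# proxy_for HOST < config   (hypothetical helper, not part of OpenSSH)
# Print the ProxyCommand for HOST with %h and %p expanded, i.e. the command
# the local ssh client spawns before the session to HOST starts.
# Returns 1 if HOST has no ProxyCommand (direct connection).
# Simplifications: exact Host names only (no wildcards, Match or Include),
# whitespace-separated keywords, only the %h and %p tokens.
proxy_for() {
  awk -v want="$1" '
    tolower($1) == "host" {              # a new Host block starts
      inblock = 0
      for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
      next
    }
    !inblock { next }
    # As in ssh_config, the first value obtained for a keyword wins.
    tolower($1) == "hostname" && h == "" { h = $2 }
    tolower($1) == "port" && p == ""     { p = $2 }
    tolower($1) == "proxycommand" && cmd == "" {
      $1 = ""; sub(/^ +/, ""); cmd = $0  # keep everything after the keyword
    }
    END {
      if (cmd == "") exit 1
      if (h == "") h = want              # no Hostname: %h is the name as typed
      if (p == "") p = 22                # no Port: ssh default
      gsub(/%h/, h, cmd); gsub(/%p/, p, cmd)
      print cmd
    }'
}

printf '%s' "$SAMPLE_CONFIG" | proxy_for host_b
printf '%s' "$SAMPLE_CONFIG" | proxy_for host_c
```

Run it against a real file with proxy_for host_b < ~/.ssh/config. To see the options ssh itself resolves for a host, use ssh -G host_b.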




Comments

Jong, Tuesday, October 18, 2016 at 14:57

Is there any benefit to using ssh over netcat or vice versa?



Mattias Geniar, Tuesday, October 18, 2016 at 15:06

None that I can see, except that in some cases netcat could be either not installed or disabled, if you have limited permissions on your host(s).



Stijn Huyberechts, Monday, March 6, 2017 at 12:30

FYI, since the OpenSSH 7.3 release, a ‘ProxyJump’ directive was implemented for proxying through “jump hosts” specifically.
http://www.openssh.com/txt/release-7.3
I experienced problems with the ProxyCommand on OSX in combination with Ansible.

Example using ProxyJump:

Host bastion_host
  User your_username
  Hostname 10.0.0.5

Host host_a
  ProxyJump bastion_host

cheers!

s.
