
Using ssh with a Jump Host

Frequently I have to log in to a remote machine that I cannot reach directly; I have to go through a so-called jump host. (This is often the case if I have to use a VPN to connect to a customer site.) So I have to run ssh twice to connect to the desired machine. Or do I?

If I ask this, the answer is surely “no”.

Let’s consider the following scenario:

We log in to the jump host with the IP From there we connect to a webhost or to an application host

[my_compy:~]$ ssh jump@
[jump:~]$ ssh applic@

But thanks to the option -o and the ProxyCommand, we can write this in one command:

ssh -o "ProxyCommand ssh -W %h:%p jump@" applic@

The parameter -W “requests that standard input and output on the client be forwarded to host on port over the secure channel” (from the man page). %h and %p are placeholders for the target host and port, respectively.
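To make the placeholders concrete, the following shell function (an added example, not from the original post) mimics how ssh fills in a ProxyCommand template before running it on the local machine. It goes slightly beyond the text by also handling %r (remote user) and %%; the host names are constructed placeholders.

```shell
#!/bin/sh
# Added illustration: expand the tokens of a ProxyCommand template the way
# ssh does before it runs the command locally. Only %h, %p, %r and %% are
# handled here; any other token is rejected.

expand_proxy_command() {
    # $1 = ProxyCommand template, $2 = target host,
    # $3 = target port,           $4 = remote user
    template=$1 host=$2 port=$3 user=$4
    out=
    while [ -n "$template" ]; do
        case $template in
            %h*) out="${out}${host}"; template=${template#??} ;;
            %p*) out="${out}${port}"; template=${template#??} ;;
            %r*) out="${out}${user}"; template=${template#??} ;;
            %%*) out="${out}%";       template=${template#??} ;;
            %*)  echo "unsupported token in: $template" >&2
                 return 1 ;;
            *)   # copy literal text up to the next '%'
                 literal=${template%%"%"*}
                 out="${out}${literal}"
                 template=${template#"$literal"} ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed sample: target custweb.example on port 22, jump host
# jumphost.example (both placeholders, not values from the post).
expand_proxy_command 'ssh -W %h:%p jump@jumphost.example' \
    custweb.example 22 applic
```

The expanded command is what the local ssh client starts for the first hop; the connection to the target host then runs through its standard input and output.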

Is this really easier? At first glance, no. But we can use the ssh config file (as described in an earlier post) and configure the ProxyCommand there:

Host custweb
   ProxyCommand ssh -W %h:%p jump@ 2> /dev/null
   User applic

Host custappl
   ProxyCommand ssh -W %h:%p jump@ 2> /dev/null
   User applic

Now the login is quite easy:

[my_compy:~]$ ssh custweb


[my_compy:~]$ ssh custappl

All you have to do now is to enter two passwords. This can be avoided – I will explain this in a later post.

And yes: there is a parameter -J to define one (or more) jump hosts for ssh, but if we use the ProxyCommand, scp can benefit from this, too.

