There might come a time when you can only access a remote server by logging in to an intermediate server (firewall/jump host) first. The server could be in a private or isolated network that is only reachable from the intermediate server. When accessing the server, you first need to ssh to the intermediate server before doing another ssh to the destination server. If there is another remote host that is only accessible from the second server, the chain can be long.
In this guide, we will learn how to simplify the process using the options that the ssh client provides us, including the SSH ProxyCommand option.
The SSH Scenario
This is how the ssh setup looks:
+---------------+      +------------+      +----------+
| Local machine | ---> | JumpServer | ---> | Dbserver |
+---------------+      +------------+      +----------+
The DB server can only be accessed by logging in to the intermediate server, the jump server. First, log in to the jump server:
ssh user@jumpserver
Then, from the jump server, we can log in to the DB server:
ssh user@dbserver
Using the -J option with recent ssh clients
For recent ssh clients, the -J option lets you specify which host to use as a jump host. This is the format:
ssh -J user@jumpserver user@dbserver
This is how to connect to the remote host through a jump server that has a public IP address:
ssh -J rocky@13.36.234.247 ubuntu@10.70.1.190
If you have to specify an ssh key, use this format:
ssh -J rocky@13.36.234.247 ubuntu@10.70.1.190 -i ~/.ssh/id_server_key
Using ProxyCommand when the -J option is not available
In older versions of OpenSSH the -J option is not available, so use the following syntax:
ssh -o ProxyCommand="ssh -W %h:%p user@jumpserver" user@dbserver
This is how I use it on my local machine:
ssh -o ProxyCommand="ssh -W %h:%p rocky@13.36.234.247" ubuntu@10.70.1.190 -i ~/.ssh/id_rsa
For the oldest clients that don’t support the -W option
In this case, use the ssh -tt command. Instead of typing two ssh commands, I can type the following all-in-one command. This is useful for connecting to the remote dbserver via a firewall called jumpserver as the jump host:
ssh -tt user@jumpserver ssh -tt user@dbserver
Usage:
ssh -tt rocky@13.36.234.247 ssh -tt ubuntu@10.70.1.190 -i ~/.ssh/id_rsa
Where:
- The -t option passed to the ssh command forces pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine. Multiple -t options (-tt) force tty allocation even if ssh has no local tty.
Saving the configuration in the ~/.ssh/config file
You can define the configuration options in the ~/.ssh/config file. This is how the configuration looks when we specify the ProxyCommand:
Host dbserver
Hostname 10.70.1.190
User ubuntu
ProxyCommand ssh rocky@13.36.234.247 -W %h:%p
IdentityFile ~/.ssh/id_rsa
You can also use ProxyJump:
Host dbserver
Hostname 10.70.1.190
User ubuntu
ProxyJump rocky@13.36.234.247
IdentityFile ~/.ssh/id_rsa
You can also recursively chain multiple jump hosts:
Host jumpserver
  Hostname 13.36.234.247
  User rocky
Host dbserver2
  Hostname 10.70.1.190
  User ubuntu
  ProxyCommand ssh -W %h:%p jumpserver
IdentityFile ~/.ssh/id_rsa
Host dbserver3
Hostname 10.70.1.190
User ubuntu
ProxyCommand ssh -W %h:%p dbserver2
IdentityFile ~/.ssh/id_rsa
Doing this will proxy through the other hosts:
ssh dbserver3
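As an added example that is not part of the original guide, the following shell functions generate the three forms shown above (ProxyJump, chained ProxyCommand stanzas, and nested ssh -tt) for any number of hops rather than a single jump host; the second hop admin@10.70.1.5 and the alias "db" are made-up values.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): generate the three forms the
# article shows, for an arbitrary chain of hops instead of a single jump host.
# Constructed addresses: the article's 13.36.234.247 / 10.70.1.190 plus a
# made-up second hop, admin@10.70.1.5. Usage of each function is at the bottom.
set -eu

# Recent clients: one ProxyJump line, hops comma-separated in visiting order.
# The session is tunnelled end-to-end; jump hosts only forward TCP.
proxyjump_stanza() {   # <alias> <user@target> <user@hop1> [<user@hop2> ...]
  local alias=$1 target=$2; shift 2
  local hops; hops=$(IFS=,; printf '%s' "$*")
  printf 'Host %s\n  Hostname %s\n  User %s\n  ProxyJump %s\n' \
    "$alias" "${target#*@}" "${target%%@*}" "$hops"
}

# Older clients without ProxyJump: a stanza per hop, each one's ProxyCommand
# using `ssh -W` through the hop before it, exactly like the article's chain.
proxycommand_stanzas() {   # same arguments as proxyjump_stanza
  local alias=$1 target=$2; shift 2
  local prev="" i=0 hop
  for hop in "$@"; do
    i=$((i + 1))
    printf 'Host %s-hop%d\n  Hostname %s\n  User %s\n' \
      "$alias" "$i" "${hop#*@}" "${hop%%@*}"
    if [ -n "$prev" ]; then printf '  ProxyCommand ssh -W %%h:%%p %s\n' "$prev"; fi
    prev="$alias-hop$i"
  done
  printf 'Host %s\n  Hostname %s\n  User %s\n  ProxyCommand ssh -W %%h:%%p %s\n' \
    "$alias" "${target#*@}" "${target%%@*}" "$prev"
}

# Oldest clients without -W: nested `ssh -tt`. Each inner ssh is executed *on*
# the previous hop, so any -i key must exist there and that hop handles the
# decrypted inner session; prefer -W/ProxyJump whenever the client supports it.
tt_command() {   # <user@hop1> [<user@hop2> ...] <user@target>
  local cmd="" h
  for h in "$@"; do cmd="${cmd:+$cmd }ssh -tt $h"; done
  printf '%s\n' "$cmd"
}

proxyjump_stanza     db ubuntu@10.70.1.190 rocky@13.36.234.247 admin@10.70.1.5
proxycommand_stanzas db ubuntu@10.70.1.190 rocky@13.36.234.247 admin@10.70.1.5
tt_command rocky@13.36.234.247 admin@10.70.1.5 ubuntu@10.70.1.190
```

Paste the emitted stanzas into ~/.ssh/config, then `ssh db` connects through every hop in order.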