There may come a time when you can only access a remote server by first logging in to an intermediate server (a firewall or jump host). The server could sit in a private or isolated network that is reachable only from that intermediate server. To reach it, you first ssh to the intermediate server and then ssh again to the destination server. If yet another remote host is reachable only from that second server, the chain can get long.
In this guide, we will learn how to simplify the process using the options that the ssh client provides, including the SSH ProxyCommand option.
The SSH Scenario
This is how the ssh setup looks:
+--------------+    +------------+    +-----------+
| Local machine| -> | JumpServer | -> | Dbserver  |
+--------------+    +------------+    +-----------+
The DB server can only be accessed by logging in to the intermediate server, the jump server, first. First log in to the jump server.
Then, from the jump server, log in to the DB server.
Using the -J option for latest ssh clients
For the latest ssh clients, the -J option lets you name the host to use as a jump host: the jump host is given with -J, followed by the destination host.
This is how to connect to the remote server using a public jump server.
If you have to specify an ssh key, use this format:
ssh -J [email protected] [email protected] -i ~/.ssh/id_server_key
Using ProxyCommand when the -J option is not available
In older versions of OpenSSH the -J option is not available, so use the following syntax instead:
ssh -o ProxyCommand="ssh -W %h:%p [email protected]" [email protected]
This is how I use it on my local machine:
ssh -o ProxyCommand="ssh -W %h:%p [email protected]" [email protected] -i ~/.ssh/id_rsa
For the oldest clients that don’t support the -W option
In this case, use the ssh -tt command. Instead of typing two ssh commands, I can type the following all-in-one command. This is useful for connecting to the remote dbserver through a firewall called jumpserver acting as the jump host:
ssh -tt [email protected] ssh -tt [email protected]
ssh -tt [email protected] ssh -tt [email protected] -i ~/.ssh/id_rsa
- The -t option passed to the ssh command forces pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine. Passing -t twice (-tt) forces tty allocation even if ssh has no local tty, which is needed because the inner ssh is started as a remote command.
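The three syntaxes above, wrapped in one added shell helper that is not part of the original post: it reads the client's "ssh -V" string and prints the -J, ProxyCommand -W, or nested -tt form accordingly. The version thresholds (-J from OpenSSH 7.3, -W from OpenSSH 5.4), the user names and the key path used in the sample call are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): choose between the three jump-host
# syntaxes from the client's "ssh -V" output, so one wrapper works on new and old
# clients. Assumed thresholds: -J/ProxyJump arrived in OpenSSH 7.3, -W in 5.4;
# anything older falls back to nested ssh -tt.

# Turn an "ssh -V" string into MAJOR*100+MINOR, e.g. "OpenSSH_8.9p1 ..." -> 809.
# Returns 1 if the string does not look like an OpenSSH version line.
ssh_version_number() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    set -- $v                      # $1=major $2=minor (word-split on purpose)
    printf '%s\n' $(( $1 * 100 + $2 ))
}

# jump_command VERSION_STRING USER@JUMP USER@TARGET [extra args for the last hop]
# Prints the command line; it does not run it, so the caller can review it first.
jump_command() {
    [ $# -ge 3 ] || { echo "usage: jump_command VERSION JUMP TARGET [args]" >&2; return 1; }
    ver=$(ssh_version_number "$1") || { echo "unrecognised ssh -V output: $1" >&2; return 1; }
    jump=$2; target=$3; shift 3
    extra=${*:+ $*}                # leading space only when extra args were given
    if [ "$ver" -ge 703 ]; then
        printf 'ssh -J %s %s%s\n' "$jump" "$target" "$extra"
    elif [ "$ver" -ge 504 ]; then
        printf 'ssh -o ProxyCommand="ssh -W %%h:%%p %s" %s%s\n' "$jump" "$target" "$extra"
    else
        printf 'ssh -tt %s ssh -tt %s%s\n' "$jump" "$target" "$extra"
    fi
}

# Same thing using the locally installed client (ssh -V prints to stderr).
jump_command_local() {
    jump_command "$(ssh -V 2>&1)" "$@"
}

# Sample call with a constructed version string; user names follow the post,
# the key path is a placeholder. Prints the ProxyCommand form for a 6.6 client.
jump_command "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.13, OpenSSL 1.0.1f 6 Jan 2014" \
    rocky@jumpserver ubuntu@10.70.1.190 -i /path/to/id_rsa
```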
Saving the configuration in the ~/.ssh/config file
You can define the configuration options in the ~/.ssh/config file. This is how the configuration looks when we specify the ProxyCommand:
Host dbserver
    Hostname 10.70.1.190
    User ubuntu
    ProxyCommand ssh [email protected] -W %h:%p
    IdentityFile ~/.ssh/id_rsa
You can also use ProxyJump:
Host dbserver
    Hostname 10.70.1.190
    User ubuntu
    ProxyJump [email protected]
    IdentityFile ~/.ssh/id_rsa
You can also recursively chain multiple jump hosts:
Host jumpserver
    Hostname 126.96.36.199
    User rocky
Host dbserver2
    Hostname 10.70.1.190
    User ubuntu
    ProxyCommand ssh -W %h:%p jumpserver
    IdentityFile ~/.ssh/id_rsa
Host dbserver3
    Hostname 10.70.1.190
    User ubuntu
    ProxyCommand ssh -W %h:%p dbserver2
    IdentityFile ~/.ssh/id_rsa
Doing this will proxy through the other hosts in turn: dbserver3 goes through dbserver2, which in turn goes through jumpserver.