
How to ssh through host(jumpserver) to reach another server


There may come a time when you can only reach a remote server by first logging in to an intermediate server (a firewall or jump host). The target server may sit in a private or isolated network that is reachable only from that intermediate host. To reach it, you first ssh to the intermediate server and then ssh again to the destination. If yet another host is reachable only from that second server, the chain grows longer.

In this guide, we will learn how to simplify the process using the options the ssh client provides, including ProxyCommand.


The SSH Scenario

This is the setup:

+--------------+       +------------+      +-----------+
| Local machine|   ->  | JumpServer | ->   | Dbserver  |
+--------------+       +------------+      +-----------+

The DB server can only be reached by first logging in to the intermediate server, the jump server. First, log in to the jump server:

ssh [email protected]

Then, from the jump server, log in to the DB server:

ssh [email protected]

Using the -J option on recent ssh clients

On recent ssh clients, the -J option lets you name the host to use as a jump host. The format is:

ssh -J [email protected] [email protected]

This is how to connect to the remote host through a publicly reachable jump server:

ssh -J [email protected] [email protected]

If you have to specify an ssh key, put the -i option before the destination (ssh treats anything after the destination as a command to run on the remote host):

ssh -J [email protected] -i ~/.ssh/id_server_key [email protected]

Using ProxyCommand when the -J option is not available

In older versions of OpenSSH, -J is not available. Use ProxyCommand with -W instead:

ssh -o ProxyCommand="ssh -W %h:%p [email protected]" [email protected]

This is how I use it on my local machine (again, options go before the destination):

ssh -i ~/.ssh/id_rsa -o ProxyCommand="ssh -W %h:%p [email protected]" [email protected]

For the oldest clients that don't support the -W option

In this case, use ssh -tt. Instead of typing two ssh commands, I can type the following all-in-one command, which connects to the remote dbserver through the firewall host jumpserver:

ssh -tt [email protected] ssh -tt [email protected]

Usage with a key (note that the inner ssh runs on the jump server, so the key file must exist there; -i goes before the destination):

ssh -tt [email protected] ssh -tt -i ~/.ssh/id_rsa [email protected]

Where:

  • The -t option forces pseudo-tty allocation, which is needed to run screen-based programs on the remote machine. Giving it twice (-tt) forces allocation even when ssh has no local tty, which is the case for the inner ssh here, since its input is the first ssh connection rather than a terminal.

Saving the configuration in the ~/.ssh/config file

You can define the configuration options in the ~/.ssh/config file. This is how the configuration looks when using ProxyCommand (as on the command line, -W goes before the jump host):

Host dbserver
    Hostname 10.70.1.190
    User ubuntu
    ProxyCommand ssh -W %h:%p [email protected]
    IdentityFile ~/.ssh/id_rsa

You can also use ProxyJump:

Host dbserver
    Hostname 10.70.1.190
    User ubuntu
    ProxyJump [email protected]
    IdentityFile ~/.ssh/id_rsa

You can also recursively chain multiple jump hosts. Each Host stanza names the previous one as its proxy (in a real chain, dbserver3 would be a different address, reachable only from dbserver2):

Host jumpserver
    Hostname 13.36.234.247
    User rocky

Host dbserver2
    Hostname 10.70.1.190
    User ubuntu
    ProxyCommand ssh -W %h:%p jumpserver
    IdentityFile ~/.ssh/id_rsa

Host dbserver3
    Hostname 10.70.1.190
    User ubuntu
    ProxyCommand ssh -W %h:%p dbserver2
    IdentityFile ~/.ssh/id_rsa

Connecting to the last host then proxies through each of the others in turn:

ssh dbserver3
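The chained configuration above is the general pattern: every host after the first names the previous one as its proxy. As an added example that is not from the original post, the following POSIX shell script generates such a config fragment for any number of hops, in either the ProxyJump or the ProxyCommand -W form, and then resolves it with `ssh -G` to show which proxy setting the client will actually use. The function names gen_chain_config and check_chain are my own; the jumpserver and dbserver2 values come from the post, while the third hop's address 192.0.2.10 is a constructed documentation address.

```shell
#!/bin/sh
# Added example, not from the original post. Generates an ssh_config
# fragment for an arbitrarily long chain of hosts, where every host after
# the first is reached through the one before it, then resolves the result
# with `ssh -G` to confirm which proxy setting the client will use.
#
# The jumpserver/dbserver2 values are from the post; 192.0.2.10 is a
# constructed documentation address standing in for a third hop.
# gen_chain_config and check_chain are names chosen for this example.

# gen_chain_config MODE alias:user:address [alias:user:address ...]
#   MODE "jump" emits ProxyJump (OpenSSH 7.3 and newer),
#   MODE "w"    emits ProxyCommand ssh -W (older clients that have -W).
# Fields are colon-separated, so use hostnames or IPv4 literals.
gen_chain_config() {
    mode=$1
    shift
    prev=""
    for hop in "$@"; do
        name=${hop%%:*}
        rest=${hop#*:}
        user=${rest%%:*}
        addr=${rest#*:}
        printf 'Host %s\n' "$name"
        printf '    Hostname %s\n' "$addr"
        printf '    User %s\n' "$user"
        if [ -n "$prev" ]; then
            # %%h and %%p survive printf as %h and %p; ssh expands them
            # itself to the target host and port at connection time.
            case $mode in
                jump) printf '    ProxyJump %s\n' "$prev" ;;
                w)    printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev" ;;
                *)    echo "gen_chain_config: unknown mode '$mode'" >&2; return 1 ;;
            esac
        fi
        # Keys stay on the local machine: ssh consults this stanza for
        # every hop, so no key needs to be copied to any jump host.
        printf '    IdentityFile ~/.ssh/id_rsa\n\n'
        prev=$name
    done
}

# check_chain CONFIG_FILE ALIAS
#   Prints the proxy setting ssh resolves for ALIAS (needs OpenSSH 6.8+
#   for -G). -F makes ssh ignore ~/.ssh/config and the system-wide file,
#   so only the generated fragment is consulted; -G opens no connection.
check_chain() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh not installed; skipping -G check" >&2
        return 0
    fi
    ssh -G -F "$1" "$2" | grep -iE '^(proxyjump|proxycommand) '
}

# Demo: a three-hop chain written to a temporary file, then resolved.
cfg=$(mktemp)
gen_chain_config jump \
    jumpserver:rocky:13.36.234.247 \
    dbserver2:ubuntu:10.70.1.190 \
    dbserver3:ubuntu:192.0.2.10 > "$cfg"
cat "$cfg"
check_chain "$cfg" dbserver3
rm -f "$cfg"
```

Run it as `sh chain.sh`, or copy the printed stanzas into ~/.ssh/config and verify with `ssh -G dbserver3`. With ProxyJump or ProxyCommand -W, each jump host only relays a TCP connection: the session to the final host is encrypted end to end against that host's own key, private keys never leave the local machine, and no agent forwarding is needed. The older -tt nesting is different: it runs a second ssh client on the jump host, which therefore needs a key stored there and can see that inner session's plaintext, so prefer -J or -W wherever the client supports them.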

I am a Devops Engineer, but I would describe myself as a Tech Enthusiast who is a fan of Open Source, Linux, Automations, Cloud and Virtualization. I love learning and exploring new things so I blog in my free time about Devops related stuff, Linux, Automations and Open Source software. I can also code in Python and Golang.
