How to ssh through host(jumpserver) to reach another server

There might come a time where you can only access a remote server by logging in to an intermediate server (firewall/jump host) first. The server could be in a private or isolated network that is only reachable from the intermediate server. When accessing the server, you first need to ssh to the intermediate server before doing another ssh to the destination server. If there is another remote host that can only be accessible from the second server, the chain can be long.

In this guide, we will learn how to simplify the process using the options that ssh client provides us including using the SSH ProxyCommand command.

Related content:

# The SSH Scenario

This is how the ssh set up is.

+--------------+       +------------+      +-----------+
| Local machine|   ->  | JumpServer | ->   | Dbserver  |
+--------------+       +------------+      +-----------+

The DB server can only be accessed by logging in to the intermediate server – Jump Server. First login to the jumpserver

ssh user@jumpserver

Then from the jump server we can login to the db server

ssh user@dbserver

# Using the -J option for latest ssh clients

For the latest ssh clients, the -J option allows you to specify which host to use as a jump host. This is the format

ssh -J user@jumpserver user@dbserver

This is how to connect to the remote using a public jump server

ssh -J rocky@ ubuntu@

If you have to specify an ssh key, use this format:

ssh -J rocky@ ubuntu@  -i ~/.ssh/id_server_key

# Using ProxyCommand when the -J option is not available

In older versions of openssh the -J is not available. So use the following syntax:

ssh -o ProxyCommand="ssh -W %h:%p <meta charset="utf-8">user@jumpserver" <meta charset="utf-8">user@dbserver

This is how I use in my local machine

ssh -o ProxyCommand="ssh -W %h:%p rocky@" ubuntu@ -i ~/.ssh/id_rsa

# For the oldest clients that don’t support -W option

In this case the ssh -tt command. Instead of typing two ssh command, I can type the following all-in-one command. This is useful for connecting to remote dbserver via firewall called jumpserver as the jump host:

ssh -tt user@jumpserver ssh -tt user@dbserver


ssh -tt rocky@ ssh -tt ubuntu@ -i ~/.ssh/id_rsa


  • The -t option passed to the ssh command force pseudo-tty allocation. This can be used to execute arbitrary screen-based programs on a remote machine. Multiple -tt options force tty allocation, even if ssh has no local tty.

# Saving the configuration in the ~/.ssh/config file

You can define the configuration options in the ~/.ssh/config file. This is how the configuration would look like, we specify the ProxyCommand:

Host dbserver
    User ubuntu
    ProxyCommand ssh rocky@ -W %h:%p
    IdentityFile ~/.ssh/id_rsa

You can also use ProxyJump

Host dbserver
    User ubuntu
    ProxyJump rocky@
    IdentityFile ~/.ssh/id_rsa

You can also recursively chain multiple jump hosts:

Host jumpsrver
    User rocky

Host dbserver2
    User ubuntu
    ProxyCommand ssh -W %h:%p jumpsrver
    IdentityFile ~/.ssh/id_rsa

Host dbserver3
    User ubuntu
    ProxyCommand ssh -W %h:%p dbserver2
    IdentityFile ~/.ssh/id_rsa

Doing this will proxy through the other hosts

<meta charset="utf-8">ssh dbserver3
Last updated on Mar 20, 2024 17:19 +0300
comments powered by Disqus
Citizix Ltd
Built with Hugo
Theme Stack designed by Jimmy