In this comprehensive guide, we’ll walk you through the steps to securely SSH to a remote host via multiple jump hosts. If you’re a system administrator or developer who needs to reach a remote host through several jump hosts, you know it can be a challenging and time-consuming process. But with the right tools and techniques, you can establish a secure connection to your destination and protect your sensitive data.
SSH to Remote Host via Multiple Jump Hosts
Imagine you have four nodes in your network;
- Node A: This can be your localhost machine
- Node B: Load Balancer, for example
- Node C: This can be your web app server for example
- Node D: This can be your web database server.
Assume strict security requirements have been implemented in your infrastructure such that a remote server is only reachable via a jump/bastion host. To connect to the remote server, you first connect to the jump host, and then connect to the remote server from the jump host.
For example, access to Node D has been restricted such that it can only be reached from Node C. Similarly, Node C has been restricted to allow access only from Node B. Node B, in turn, can only be SSHed into by a few admins, you included, from Node A.
SSH into One Jump Host at a Given Time
Usually, to SSH to a remote host via multiple jump hosts, you would first have to log in to the first jump host;
ssh username@nodeB
If you are using SSH keys for authentication, then;
ssh -i /path/to/ssh/key/on/nodeA username@nodeB
Once you are logged into Node B, SSH again into Node C, the next jump host;
ssh username@nodeC
Or similarly, if you need SSH keys;
ssh -i /path/to/ssh/key/on/nodeB username@nodeC
Once you are logged into Node C, SSH again into Node D, which is the target remote host;
ssh username@nodeD
Or similarly, if you need SSH keys;
ssh -i /path/to/ssh/key/on/nodeC username@nodeD
And that is it! Time consuming, isn’t it?
SSH to Remote Host Using SSH ProxyJump Option
Beginning with OpenSSH 7.3, SSH provides the ProxyJump option, which simplifies connecting to a remote host via multiple jump hosts by letting you specify the intermediate hosts directly on the command line or in the configuration file. With ProxyJump, each hop is authenticated from your local machine, so no private keys or passwords need to be present on the jump hosts.
Using ProxyJump in Command Line
On the command line, you can pass the -J option to the SSH command as a shortcut for the ProxyJump configuration directive.
For example, to SSH into Node D via Node B and then Node C as jump hosts, the order is Node B > Node C > Node D;
ssh -J username@nodeB,username@nodeC username@nodeD
See example below;
ssh -J [email protected],[email protected] [email protected]
You will be prompted first for the Node B password, then Node C, and finally Node D;
[email protected]'s password:
[email protected]'s password:
[email protected]'s password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-69-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Apr 17 08:46:52 PM UTC 2023
System load: 0.0
Usage of /: 50.7% of 26.98GB
Memory usage: 25%
Swap usage: 0%
Processes: 154
Users logged in: 0
IPv4 address for docker0: 172.17.0.1
IPv4 address for docker_gwbridge: 172.18.0.1
IPv4 address for enp0s3: 10.0.12.150
IPv4 address for enp0s8: 192.168.58.154
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
61 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Last login: Mon Apr 10 14:36:50 2023 from 192.168.59.102
Using ProxyJump in SSH Config File
You can as well define the configs on your SSH configuration file;
vim ~/.ssh/config
Host nodeD
    HostName nodeD-IP
    User USERNAME
    ProxyJump USERNAME@nodeB-IP,USERNAME@nodeC-IP
Replace “nodeB-IP”, “nodeC-IP” and “nodeD-IP” with the respective hostnames or IP addresses. Note that the ProxyJump list names only the intermediate hosts; the final destination is given by HostName.
Save the config and exit the config file.
To connect to the remote host using the ProxyJump configuration, simply run:
ssh nodeD
Or simply update the config to look like;
vim ~/.ssh/config
Host nodeB
User kifarunix
HostName jump_host1_IP
Host nodeC
User spider
HostName jump_host2_IP
ProxyJump nodeB
Host nodeD
User johndoe
HostName remote_host_IP
ProxyJump nodeC
Then simply SSH into remote host using the command;
ssh nodeD
If you are using SSH keys, then better put the configs on your SSH config file as follows;
vim ~/.ssh/config
Host nodeB
HostName nodeB-IP
User kifarunix
IdentityFile ~/nodeB.pem
Host nodeC
HostName nodeC-IP
User kifarunix
IdentityFile ~/nodeC.pem
ProxyJump nodeB
Host nodeD
HostName nodeD-IP
User kifarunix
IdentityFile ~/nodeD.pem
ProxyJump nodeC
You can then login to remote host Node D using the command;
ssh nodeD
You will get passphrase prompts for all three SSH keys;
Enter passphrase for key '~/nodeB.pem':
Enter passphrase for key '~/nodeC.pem':
Enter passphrase for key '~/nodeD.pem':
Note that all three private key files must reside on the local host (Node A). ProxyJump authenticates every hop from your local client, so the keys are never copied to, or exposed on, the jump hosts.
SSH to Remote Host Using SSH ProxyCommand Option
ProxyCommand is an SSH option that allows you to specify a command to use as a proxy when connecting to a remote host. When this option is set, SSH runs the specified command and talks to the remote host through that command's standard input and output, instead of establishing a direct TCP connection.
Using ProxyCommand SSH option in Command Line
To use the ProxyCommand SSH option on the command line, you simply pass the -o ProxyCommand option and specify the jump/proxy hosts.
For example;
ssh -o ProxyCommand='ssh -W %h:%p -o ProxyCommand="ssh -W nodeC_IP:22 USERNAME@nodeB_IP" USERNAME@nodeC_IP' USERNAME@nodeD_IP
- The command above tells SSH to use ssh itself as the proxy command: the outer ssh connects to nodeD through an ssh session to nodeC, and that session in turn reaches nodeC through an ssh session to nodeB. The nesting is required because nodeB cannot reach nodeD directly; it can only forward to nodeC.
- -W: This option tells ssh to set up a netcat-style forwarding channel to the given host:port over its standard input and output instead of executing a shell on the remote host.
- %h: This is a placeholder that is replaced with the hostname of the target host.
- %p: This is a placeholder that is replaced with the port number of the target host.
- %h and %p are expanded by the ssh that reads the ProxyCommand option, and every occurrence in the string is expanded. In a nested command only the outermost hop can therefore use them; the inner hop (nodeC_IP:22 above) must be written out explicitly.
Using ProxyCommand SSH option in SSH Config File
You can define the command in SSH config file;
vim ~/.ssh/config
Host nodeB
HostName nodeB_IP
User USERNAME
Host nodeC
HostName nodeC_IP
User USERNAME
ProxyCommand ssh -W %h:%p nodeB
Host nodeD
HostName nodeD_IP
User USERNAME
ProxyCommand ssh -W %h:%p nodeC
Save and exit the file.
You can then just log in to the remote host nodeD using the command;
ssh nodeD
You will be prompted to enter the password for nodeB, then nodeC and finally nodeD;
[email protected]'s password:
[email protected]'s password:
[email protected]'s password:
Similarly, if you are using SSH keys, you can update config as follows;
vim ~/.ssh/config
Host nodeB
HostName nodeB_IP
User USERNAME
IdentityFile ~/nodeB.pem
Host nodeC
HostName nodeC_IP
User USERNAME
ProxyCommand ssh -W %h:%p nodeB
IdentityFile ~/nodeC.pem
Host nodeD
HostName nodeD_IP
User USERNAME
ProxyCommand ssh -W %h:%p nodeC
IdentityFile ~/nodeD.pem
Then simply SSH in using the keys;
ssh nodeD
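The ProxyJump config (under “Using ProxyJump in SSH Config File”) and the ProxyCommand config just above express the same Node B > Node C > Node D chain in two different ways. As an added example, not code from the original tutorial, the following POSIX shell script writes both configs into a temporary file and walks the Host blocks to print the hop order, refusing a configuration that loops back on itself. The host aliases and user name are the guide's; the 192.0.2.x addresses, key paths and the IdentitiesOnly/ForwardAgent hardening lines are assumptions added here.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build the ProxyJump and
# ProxyCommand configs from this guide into a temporary file and walk them
# hop by hop, so the whole jump chain can be reviewed without opening a
# single connection. All addresses and key paths are placeholders.
set -eu

# write_jump_config FILE: the layered ProxyJump config (placeholder values).
# IdentitiesOnly/ForwardAgent are added hardening: exactly one key offered
# per hop, and no agent socket exposed on the jump hosts.
write_jump_config() {
    cat > "$1" <<'EOF'
Host nodeB
    HostName 192.0.2.10
    User kifarunix
    IdentityFile ~/nodeB.pem
    IdentitiesOnly yes
    ForwardAgent no
Host nodeC
    HostName 192.0.2.20
    User kifarunix
    IdentityFile ~/nodeC.pem
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump nodeB
Host nodeD
    HostName 192.0.2.30
    User kifarunix
    IdentityFile ~/nodeD.pem
    IdentitiesOnly yes
    ForwardAgent no
    ProxyJump nodeC
EOF
}

# write_proxycommand_config FILE: the same chain expressed with ProxyCommand.
write_proxycommand_config() {
    cat > "$1" <<'EOF'
Host nodeB
    HostName 192.0.2.10
    User kifarunix
Host nodeC
    HostName 192.0.2.20
    User kifarunix
    ProxyCommand ssh -W %h:%p nodeB
Host nodeD
    HostName 192.0.2.30
    User kifarunix
    ProxyCommand ssh -W %h:%p nodeC
EOF
}

# lookup FILE HOST KEY: value of KEY inside the "Host HOST" block, or empty.
# Assumes the "Key value" spelling (not "Key=value") and one alias per Host line.
lookup() {
    awk -v host="$2" -v key="$3" '
        tolower($1) == "host" { inblock = ($2 == host); next }
        inblock && tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# next_hop FILE HOST: alias(es) of the hop(s) in front of HOST, or empty for a
# direct connection. Understands ProxyJump and the "ssh -W %h:%p alias" form of
# ProxyCommand used in this guide (the alias is the command's last word).
next_hop() {
    jump=$(lookup "$1" "$2" ProxyJump)
    if [ -n "$jump" ]; then printf '%s\n' "$jump"; return 0; fi
    cmd=$(lookup "$1" "$2" ProxyCommand)
    case "$cmd" in
        ssh*" -W "*) printf '%s\n' "${cmd##* }" ;;
        *) printf '\n' ;;
    esac
}

# resolve_chain FILE TARGET: print hops outermost-first, e.g. "nodeB nodeC nodeD".
# A ProxyJump/ProxyCommand loop is reported as an error instead of spinning.
resolve_chain() {
    file=$1; hop=$2; chain=$2; seen=" $2 "
    while :; do
        next=$(next_hop "$file" "$hop")
        [ -n "$next" ] || break
        # a comma-separated ProxyJump list is traversed in order; its first
        # entry may itself declare a ProxyJump, so keep walking from there
        next=$(printf '%s' "$next" | tr ',' ' ')
        for h in $next; do
            case "$seen" in *" $h "*) echo "jump loop at $h" >&2; return 1 ;; esac
            seen="$seen$h "
        done
        chain="$next $chain"
        hop=${next%% *}
    done
    printf '%s\n' "$chain"
}

cfg=$(mktemp)
write_jump_config "$cfg"
echo "ProxyJump chain to nodeD:    $(resolve_chain "$cfg" nodeD)"
write_proxycommand_config "$cfg"
echo "ProxyCommand chain to nodeD: $(resolve_chain "$cfg" nodeD)"
rm -f "$cfg"
```

For your real ~/.ssh/config, the equivalent built-in check is ssh -G nodeD, which prints the options ssh would apply to that hop (including the resolved proxyjump or proxycommand) without connecting anywhere.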
And that is it. In this guide, you have learnt how to SSH to a remote host via multiple jump hosts using the ProxyJump and ProxyCommand options, both on the command line and in the SSH config file.
That concludes our guide.