In this comprehensive guide, we’ll walk you through the steps to securely SSH to a remote host via multiple jump hosts. If you’re a system administrator or developer who needs to reach a remote host through several jump hosts, you know it can be a challenging and time-consuming process. With the right tools and techniques, however, you can establish a secure connection to your destination and protect your sensitive data.
SSH to Remote Host via Multiple Jump Hosts
Imagine you have the following nodes in your network;
- Node A: This can be your localhost machine
- Node B: Load Balancer, for example
- Node C: This can be your web app server for example
- Node D: This can be your web database server.
Assume strict security requirements have been implemented in your infrastructure such that a remote server is only reachable via a jump/bastion host. To connect to the remote server, you first connect to the jump host, and then connect to the remote server from the jump host.
For example, access to Node D has been restricted such that it can only be accessed from Node C. Similarly, Node C has been restricted to allow access only from Node B. Node B, in turn, can only be SSHed into (from Node A) by a few admins, you included.
SSH into One Jump Host at a Given Time
Usually, to SSH to a remote host via multiple jump hosts, you would first have to log in to the first jump host;
ssh username@nodeB
If you are using SSH keys for authentication, then;
ssh -i /path/to/ssh/key/on/nodeA username@nodeB
Once you are logged into Node B, SSH again into Node C, the next jump host;
ssh username@nodeC
Or similarly, if you need SSH keys;
ssh -i /path/to/ssh/key/on/nodeB username@nodeC
Once you are logged into Node C, SSH again into Node D, which is the target remote host;
ssh username@nodeD
Or similarly, if you need SSH keys;
ssh -i /path/to/ssh/key/on/nodeC username@nodeD
And that is it! Time consuming, isn’t it? Note that this hop-by-hop approach also leaves a private key on every jump host, something the ProxyJump method below avoids.
SSH to Remote Host Using SSH ProxyJump Option
Beginning with OpenSSH 7.3, SSH provides the ProxyJump option, which simplifies connecting to a remote host via multiple jump hosts by letting you specify the intermediate hosts directly on the command line or in the configuration file. Each hop is authenticated and host-key-verified by your local client, and the final session is encrypted end to end, so the jump hosts only relay the connection and never need a copy of your private keys or a forwarded agent.
Using ProxyJump in Command Line
On the command line, you can pass the -J option to the ssh command as a shortcut for the ProxyJump configuration directive.
For example, to SSH into Node D via Node B and then Node C as jump hosts, the order is Node B > Node C > Node D;
ssh -J username@nodeB,username@nodeC username@nodeD
See the example below;
ssh -J [email protected],[email protected] [email protected]
You will be prompted first for the Node B password, then Node C, and finally Node D;
[email protected]'s password: 
[email protected]'s password: 
[email protected]'s password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-69-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Mon Apr 17 08:46:52 PM UTC 2023
  System load:                      0.0
  Usage of /:                       50.7% of 26.98GB
  Memory usage:                     25%
  Swap usage:                       0%
  Processes:                        154
  Users logged in:                  0
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for docker_gwbridge: 172.18.0.1
  IPv4 address for enp0s3:          10.0.12.150
  IPv4 address for enp0s8:          192.168.58.154
 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.
   https://ubuntu.com/engage/secure-kubernetes-at-the-edge
61 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Last login: Mon Apr 10 14:36:50 2023 from 192.168.59.102
Using ProxyJump in SSH Config File
You can as well define the configs in your SSH configuration file. Note that the ProxyJump list contains only the jump hosts; the destination itself goes in HostName, otherwise ssh would try to jump through nodeD to reach nodeD;
vim ~/.ssh/config
Host    nodeD
        HostName nodeD-IP
        User USERNAME
        ProxyJump USERNAME@nodeB-IP,USERNAME@nodeC-IP
Replace “nodeB-IP”, “nodeC-IP” and “nodeD-IP” with the respective hostnames or IP addresses.
Save the config and exit the config file.
To connect to the remote host using the ProxyJump configuration, simply run:
ssh nodeD
Or simply update the config to look like;
vim ~/.ssh/config 
Host    nodeB
        User kifarunix
        HostName jump_host1_IP
Host    nodeC
        User spider
        HostName jump_host2_IP
        ProxyJump nodeB
Host    nodeD
        User johndoe
        HostName remote_host_IP
        ProxyJump nodeC
Then simply SSH into the remote host using the command;
ssh nodeD
If you are using SSH keys, then it is better to put the configs in your SSH config file as follows;
vim ~/.ssh/config 
Host    nodeB
        HostName nodeB-IP
        User kifarunix
        IdentityFile ~/nodeB.pem
Host    nodeC
        HostName nodeC-IP
        User kifarunix
        IdentityFile ~/nodeC.pem
        ProxyJump nodeB
Host    nodeD
        HostName nodeD-IP
        User kifarunix
        IdentityFile ~/nodeD.pem
        ProxyJump nodeC
You can then log in to remote host Node D using the command;
ssh nodeD
You will get passphrase prompts for all three SSH keys;
Enter passphrase for key '~/nodeB.pem': 
Enter passphrase for key '~/nodeC.pem': 
Enter passphrase for key '~/nodeD.pem':
Note that all three private key files must reside on the local host (Node A): with ProxyJump the local client authenticates to every hop itself, so no key needs to be copied to, or forwarded through, the jump hosts.
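As an added example that is not part of the original post, the following script generates the chained config blocks shown in this section from an ordered list of hops and then walks the result the way ssh resolves ProxyJump, rejecting a host that appears in its own jump list. All aliases, users, hosts and key paths are placeholders.

```shell
# Added example (not from the original post). gen_chain_config emits the
# chained ~/.ssh/config blocks from an ordered list of hops, nearest to the
# client first; resolve_chain walks a config the way ssh resolves ProxyJump
# and rejects a host in its own jump list. Placeholders; hostnames/IPv4 only.

# gen_chain_config ALIAS=user@host[:keyfile] ...
gen_chain_config() {
    prev=""
    for hop in "$@"; do
        alias=${hop%%=*};  rest=${hop#*=}
        user=${rest%%@*};  rest=${rest#*@}
        host=${rest%%:*};  key=""
        case $rest in *:*) key=${rest#*:} ;; esac
        printf 'Host    %s\n        HostName %s\n        User %s\n' \
            "$alias" "$host" "$user"
        if [ -n "$key" ]; then printf '        IdentityFile %s\n' "$key"; fi
        # Each hop is reached through the previous one; the local client
        # authenticates to every hop itself, so private keys stay local.
        if [ -n "$prev" ]; then printf '        ProxyJump %s\n' "$prev"; fi
        prev=$alias
    done
}

# resolve_chain ALIAS < config : prints e.g. "nodeD via nodeC via nodeB";
# exits 1 if a hop repeats, which would make ssh recurse through it forever.
resolve_chain() {
    awk -v target="$1" '
        $1 == "Host"      { cur = $2 }
        $1 == "HostName"  { byname[$2] = cur }     # map IP/FQDN back to alias
        $1 == "ProxyJump" { jump[cur] = $2 }       # "a,b" or "user@a,user@b"
        END {
            h = target; path = h; seen[h] = 1
            while (h in jump) {
                n = split(jump[h], hops, ",")
                for (i = n; i >= 1; i--) {         # ssh dials hops[1] first
                    sub(/^.*@/, "", hops[i])
                    if (hops[i] in byname) hops[i] = byname[hops[i]]
                    if (hops[i] in seen) { print "loop at " hops[i]; exit 1 }
                    seen[hops[i]] = 1; path = path " via " hops[i]
                }
                h = hops[1]
            }
            print path
        }'
}
# Constructed demo: the three-hop layout used in this guide.
cfg=$(gen_chain_config 'nodeB=kifarunix@nodeB-IP:~/nodeB.pem' \
                       'nodeC=kifarunix@nodeC-IP' 'nodeD=kifarunix@nodeD-IP')
printf '%s\n' "$cfg" && printf '%s\n' "$cfg" | resolve_chain nodeD
```

Feed the generated text into ~/.ssh/config, or run resolve_chain over an existing config to confirm the hop order before trusting it.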
SSH to Remote Host Using SSH ProxyCommand Option
ProxyCommand is an SSH option that allows you to specify a command to use as a proxy when connecting to a remote host. When this option is set, SSH uses the specified command to establish a connection to the remote host, instead of establishing a direct connection.
Using ProxyCommand SSH option in Command Line
To use the ProxyCommand SSH option on the command line, you simply pass the -o ProxyCommand option and specify the jump/proxy hosts. Because ssh expands %h and %p across the whole ProxyCommand string before running it, the innermost hop must name nodeC and its port literally rather than with tokens.
For example;
ssh -o ProxyCommand='ssh -W %h:%p -o ProxyCommand="ssh -W nodeC_IP:22 USERNAME@nodeB_IP" USERNAME@nodeC_IP' USERNAME@nodeD_IP
- The command above tells SSH to use ssh itself as the proxy command: the innermost ssh logs in to nodeB and forwards to nodeC, the middle ssh logs in to nodeC over that channel and forwards to nodeD, and the outer ssh finally logs in to nodeD.
- -W: This option tells ssh to set up a netcat mode communication channel to the target host instead of executing a shell on the remote host.
- %h: This is a placeholder that will be replaced with the hostname of the target host.
- :%p: This is a placeholder that will be replaced with the port number of the target host.
Using ProxyCommand SSH option in SSH Config File
You can define the command in SSH config file;
vim ~/.ssh/config
Host    nodeB
        HostName nodeB_IP
        User USERNAME
Host    nodeC
        HostName nodeC_IP
        User USERNAME
        ProxyCommand ssh -W %h:%p nodeB
Host    nodeD
        HostName nodeD_IP
        User USERNAME
        ProxyCommand ssh -W %h:%p nodeC
Save and exit the file.
You can then just log in to remote host nodeD using the command;
ssh nodeD
You will be prompted to enter the password for nodeB, then nodeC and finally nodeD;
[email protected]'s password: 
[email protected]'s password: 
[email protected]'s password: 
Similarly, if you are using SSH keys, you can update the config as follows;
vim ~/.ssh/config
Host    nodeB
        HostName nodeB_IP
        User USERNAME
        IdentityFile ~/nodeB.pem
Host    nodeC
        HostName nodeC_IP
        User USERNAME
        ProxyCommand ssh -W %h:%p nodeB
        IdentityFile ~/nodeC.pem
Host    nodeD
        HostName nodeD_IP
        User USERNAME
        ProxyCommand ssh -W %h:%p nodeC
        IdentityFile ~/nodeD.pem
Then just SSH using the keys;
ssh nodeD
And that is it.
In this guide, you have learnt how to SSH to a remote host via multiple jump hosts. That concludes our guide.