Let’s say you have an important server, Bulbasaur. As an extra layer of protection you may want to restrict access to its SSH server to a few IP addresses. A secure, whitelisted server (a jumphost or bastion) can then relay our SSH connections:
ssh -J charmeleon.mydomain.net bulbasaur.mydomain.net
As we’re connecting to Bulbasaur a lot, we may want to tell OpenSSH that we’re using charmeleon as a jumphost for bulbasaur:
# ~/.ssh/config
Host bulbasaur.mydomain.net
    ProxyJump charmeleon.mydomain.net
With this configuration in place, we can simply use ssh bulbasaur.mydomain.net. This also works for scp, rsync and everything else that uses your local SSH client.
Working with legacy
On versions of OpenSSH before 7.3 the ProxyJump option is not available. In that case you’ll have to use an alternative configuration with the ProxyCommand option, which specifies the exact command OpenSSH has to execute to set up the tunnel:
Host bulbasaur.mydomain.net
    ProxyCommand ssh charmeleon.mydomain.net -W %h:%p
Watch out when you’re using wildcards in your ssh config:
Host *.mydomain.net
    ProxyJump charmeleon.mydomain.net
Running ssh server.mydomain.net now causes a loop: the connection to the jumphost charmeleon.mydomain.net also matches the wildcard block, so it in turn tries to go through the jumphost.
An easy way to solve this is an alias for the jumphost:
Host charmeleon
    HostName charmeleon.mydomain.net

Host *.mydomain.net
    ProxyJump charmeleon
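To see why the alias breaks the loop, here is an added example (not from the original post) that mimics how OpenSSH matches Host blocks: patterns are matched against the name you pass on the command line (or in ProxyJump), not against HostName, and the first value found for an option wins. It parses the two constructed configs from above and follows the ProxyJump chain, flagging a loop when a jumphost resolves back to itself. Negated patterns, Match blocks, Include and comma-separated ProxyJump lists are assumed absent.

```python
import fnmatch

# Constructed sample configs mirroring the post; not read from a real ~/.ssh/config.
LOOPING_CONFIG = """
Host *.mydomain.net
    ProxyJump charmeleon.mydomain.net
"""

FIXED_CONFIG = """
Host charmeleon
    HostName charmeleon.mydomain.net

Host *.mydomain.net
    ProxyJump charmeleon
"""


def parse_ssh_config(text):
    """Return (patterns, options) blocks in file order.
    Options before the first Host line apply to every host, so they are
    kept in a leading '*' block. Keywords are case-insensitive."""
    blocks = [(["*"], {})]
    current = blocks[0]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1].setdefault(key, value)  # first value in a block wins
    return blocks


def resolve(blocks, host):
    """Collect options for `host`; the first matching block wins per option."""
    opts = {}
    for patterns, block_opts in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in block_opts.items():
                opts.setdefault(key, value)
    return opts


def jump_chain(blocks, host):
    """Follow ProxyJump from `host`; raise if a jumphost routes to itself."""
    chain = [host]
    while True:
        nxt = resolve(blocks, chain[-1]).get("proxyjump")
        if nxt is None:
            return chain
        if nxt in chain:
            raise RuntimeError("ProxyJump loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)


def has_jump_loop(text, host):
    """True when connecting to `host` under this config would loop."""
    try:
        jump_chain(parse_ssh_config(text), host)
    except RuntimeError:
        return True
    return False
```

On a real system, ssh -G server.mydomain.net prints the configuration OpenSSH actually resolved for that host, including the proxyjump value, which is the quickest way to confirm which block won.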