Configuring OpenSSH to use a jumphost


Let’s say you have an important server, Bulbasaur. As an extra layer of protection you may want to restrict access to its SSH server to a few IP addresses. You can then use a secured, whitelisted server (a jumphost or bastion) to relay your SSH connections:

ssh -J charmeleon.mydomain.net bulbasaur.mydomain.net

As we’re connecting to Bulbasaur a lot, we may want to tell OpenSSH that we’re using charmeleon as a jumphost for bulbasaur:

# ~/.ssh/config

Host bulbasaur.mydomain.net
	ProxyJump charmeleon.mydomain.net

With this configuration in place, we can simply use ssh bulbasaur.mydomain.net. This also works for scp, rsync and everything else that uses your local SSH client.

Working with legacy versions

On versions of OpenSSH before 7.3 the ProxyJump option is not available. In that case you’ll have to fall back on the ProxyCommand option, which specifies the exact command OpenSSH runs to set up the tunnel:

Host bulbasaur.mydomain.net
	ProxyCommand ssh charmeleon.mydomain.net -W %h:%p

Oops: wildcards

Watch out when you’re using wildcards in your ssh config:

Host *.mydomain.net
	ProxyJump charmeleon.mydomain.net

Using ssh server.mydomain.net now causes a loop: the connection to the jumphost charmeleon.mydomain.net also matches the wildcard block, so that connection tries to go through the jumphost as well, and so on.

An easy way to solve this is an alias for the jumphost. Host patterns are matched against the name you type on the command line, not against the resolved HostName, so the alias never matches the wildcard:

Host charmeleon
	HostName charmeleon.mydomain.net

Host *.mydomain.net
	ProxyJump charmeleon