Configuring OpenSSH to use a jumphost


Let’s say you have an important server Bulbasaur. You may want to restrict access to the SSH server to a few IP addresses as an extra layer of protection. We can then use a secure whitelisted server (jumphost or bastion) to relay our SSH connections:

ssh -J

As we’re connecting to Bulbasaur a lot, we may want to tell OpenSSH that we’re using charmeleon as a jumphost for bulbasaur:

# ~/.ssh/config


With this configuration in place, we can simply use ssh This also works for scp, rsync and everything else that uses your local SSH client.

Working with legacy

On versions of OpenSSH before 7.3 the ProxyJump option is not available. In that case you’ll have to use an alternative configuration using the ProxyCommand option to specify the exact command OpenSSH has to execute to set up the tunnel.

	ProxyCommand ssh -W %h:%p

Oops: wildcards

Watch out when you’re using wildcards in your ssh config:

Host *

Using ssh now causes a loop as the connection to the jumphost also matches the block and tries to use the jumphost.

An easy way to solve this is an alias for the jumphost:

Host charmeleon

Host *
	ProxyJump charmeleon
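
The loop and the alias fix can be checked offline. The following is an added example, not code from the original post: a small Python model of how OpenSSH picks ProxyJump for a host (patterns are matched against the name as typed, and the first obtained value wins). The example.com names and both sample configs are constructed placeholders, and only single-hop ProxyJump values are handled.

```python
import fnmatch

# Constructed sample configs; the example.com names are placeholders.
LOOPING = """
Host *.example.com
    ProxyJump charmeleon.example.com
"""
FIXED = """
Host charmeleon
    HostName charmeleon.example.com
Host *.example.com
    ProxyJump charmeleon
"""

def parse(text):
    """Return [(patterns, {option: value})] per Host block, in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def matches(patterns, host):
    """Host matching: a '!' pattern vetoes, otherwise any positive pattern hits."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def proxy_jump(blocks, host):
    """Effective ProxyJump for the name as typed (HostName is not consulted)."""
    for patterns, opts in blocks:
        if matches(patterns, host) and "proxyjump" in opts:
            value = opts["proxyjump"]
            return None if value.lower() == "none" else value
    return None

def jump_chain(text, host):
    """Follow ProxyJump hop by hop; return (chain, loops)."""
    blocks, chain = parse(text), [host]
    while (hop := proxy_jump(blocks, chain[-1])) is not None:
        hop = hop.split("@")[-1].split(":")[0]  # strip optional user@ and :port
        if hop in chain:
            return chain + [hop], True  # the jumphost is told to jump through itself
        chain.append(hop)
    return chain, False
```

On a real client, `ssh -G <host>` prints the options OpenSSH resolves for that host, so the same check can be made against your actual configuration.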