Using ProxyJump For Access Through a Jump Host

SSH agent forwarding lets clients connect from one server to the next using key-based authentication without copying the private key to each server in the chain. This approach is not considered good security practice, because users with the appropriate privileges on the remote server could hijack the forwarded agent and use it to connect to other systems without having to authenticate themselves.

It's considered good security practice to use the ProxyJump option in the OpenSSH client to configure access to remote servers using bastion and jump hosts. The ProxyJump functionality works similarly to an SSH tunnel or port forward, in that it proxies all traffic straight through the jump host. Unlike port forwarding, the ProxyJump option doesn't require server-side configuration, so only SSH access to the jump host is required.

Configuring ProxyJump

Jump hosts are configured in the $HOME/.ssh/config file. In the following example, the jump host at jumphost.example.com is connected to the internal network and jumps to the host located at internal.example.com:

# File $HOME/.ssh/config with an example of ProxyJump configuration

Host myjumphost
  HostName jumphost.example.com 

Host myremotehost
  HostName internal.example.com 
  ProxyJump myjumphost

To connect to the remote host via the jump server using the preceding $HOME/.ssh/config file, run the following command:

ssh myremotehost

If you're connecting to remote hosts on an ad hoc basis, and don't have ProxyJump settings configured for them in the $HOME/.ssh/config file, you can specify required jump and remote host details by using the following command options:

  • Using ssh -J

    The -J flag is used to specify ProxyJump information on the command line. For example:

    ssh -J jumphost.example.com internal.example.com

  • Using ssh -o

    The -o flag provides a more general method (not limited to ProxyJump configuration) that can be used to pass options to the ssh command in the format that would be used in the $HOME/.ssh/config file. For example:

    ssh -o 'ProxyJump=jumphost.example.com' internal.example.com
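The following is an added example, not part of the original documentation: a shell function that scans an ssh_config-style file and lists the Host blocks that still enable agent forwarding, along with any ProxyJump value already set, so that they can be moved to the ProxyJump configuration described above. The function names and the hosts legacyhost and mixedhost are constructed for illustration; the parser is simplified and doesn't follow Include directives or evaluate Match criteria.

```shell
#!/bin/sh
# Added example: list blocks where ForwardAgent is anything other than "no".
# Simplified: reads "Keyword value" / "Keyword=value" lines; Include is ignored
# and Match blocks are reported by their criteria, not evaluated.

# Constructed sample input; legacyhost and mixedhost are hypothetical.
sample_config() {
cat <<'EOF'
# constructed sample
Host myjumphost
  HostName jumphost.example.com

Host myremotehost
  HostName internal.example.com
  ProxyJump myjumphost

Host legacyhost
  HostName legacy.example.com
  ForwardAgent yes

Host mixedhost
  HostName mixed.example.com
  ProxyJump=myjumphost
  ForwardAgent yes
EOF
}

# Usage: audit_ssh_config [FILE]   (reads stdin when FILE is omitted)
# Output: alias <TAB> ForwardAgent=value <TAB> ProxyJump=value-or-dash
audit_ssh_config() {
  awk '
    function report() {
      if (fwd != "" && tolower(fwd) != "no")
        printf "%s\tForwardAgent=%s\tProxyJump=%s\n", host, fwd, (jump != "" ? jump : "-")
    }
    BEGIN { host = "(global)" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      if (!match(line, /[ \t=]+/)) next      # keyword without a value
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      if (key == "host" || key == "match") {
        report(); host = (key == "match" ? "Match " val : val); fwd = ""; jump = ""
      } else if (key == "forwardagent") fwd = val
      else if (key == "proxyjump") jump = val
    }
    END { report() }
  ' "$@"
}

sample_config | audit_ssh_config
```

A row that already shows a ProxyJump value marks a host that is reached through the jump host without agent forwarding, so its ForwardAgent setting is a candidate for removal.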

For more information, see Setting SSH Client Configuration Options For a Host and the ssh(1) and ssh_config(5) manual pages.