How to Access a Remote Server Using a Jump Host

A jump host (also known as a jump server) is an intermediary host or an SSH gateway to a remote network, through which a connection can be made to another host in a dissimilar security zone, for example a demilitarized zone (DMZ). It bridges two dissimilar security zones and offers controlled access between them.

A jump host should be highly secured and monitored, especially when it spans a private network and a DMZ with servers providing services to users on the internet.

A classic scenario is connecting from a desktop or laptop inside your company’s internal network, which is highly secured with firewalls, to a DMZ. To manage a server in the DMZ easily, you access it via a jump host.

In this article, we will demonstrate how to access a remote Linux server via a jump host and configure the necessary settings in your per-user SSH client configuration.

Consider the following scenario.

SSH Jump Host

In the above scenario, you want to connect to HOST 2, but you have to go through HOST 1 because of firewalling, routing and access privileges. There are a number of valid reasons why jumphosts are needed.

Dynamic Jumphost List

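The simplest way to connect to a target server via a jump host is the -J flag on the command line. It tells ssh to connect to the jump host first and then set up TCP forwarding from there to the target server (make sure you have Passwordless SSH Login between machines). The session to the target is authenticated from your local machine through that forwarded connection, so the key that logs you in to the target must be available locally or in your local agent, not stored on the jump host.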

$ ssh -J host1 host2

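If usernames or ports differ between the machines, specify them on the command line as shown. The jump host is written as user@host:port; the target's port is given with -p, because a plain destination argument does not accept a :port suffix.

$ ssh -J user@host1:port -p port user@host2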

Multiple Jumphosts List

The same syntax can be used to make jumps over multiple servers.

$ ssh -J user@host1:port,user@host2:port -p port user@host3

Static Jumphost List

A static jumphost list means that you know in advance the jumphost or jumphosts you need to reach a machine. In that case, add the following static jumphost ‘routing’ to your ~/.ssh/config file and specify the host aliases as shown.

### First jumphost. Directly reachable
Host vps1
  HostName vps1.example.org

### Host to jump to via vps1.example.org
Host contabo
  HostName contabo.example.org
  ProxyJump vps1

Now try to connect to a target server via a jump host as shown.

$ ssh -J vps1 contabo

Login to Target Host via Jumphost
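
A check worth running before relying on a static jumphost configuration, as an added example that is not part of the original article: the shell function below follows ProxyJump entries in an ssh config file and prints the hops in connection order, failing when an entry ends up jumping through itself. The function name jump_chain and the sample configs are constructed for illustration; it assumes literal Host aliases (no wildcards, Match or Include) and one hop per ProxyJump value.

```shell
#!/bin/sh
# Added example: follow ProxyJump entries to list the hops for a Host alias.
# Assumptions: literal Host aliases only (no wildcards, Match or Include),
# and each ProxyJump value names a single hop.

# jump_chain CONFIG ALIAS
# Prints the hops in connection order (first jump host ... target).
# Prints "loop: ..." and returns 1 if a hop repeats.
jump_chain() {
    awk -v target="$2" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim the line
        /^#/ || /^$/ { next }                           # skip comments, blanks
        {
            # ssh_config accepts "Key value" and "Key=value"; keys ignore case.
            if (!match($0, /[ \t=]+/)) next
            key = tolower(substr($0, 1, RSTART - 1))
            val = substr($0, RSTART + RLENGTH)
            if (key == "host") {
                n = split(val, cur, /[ \t]+/)
            } else if (key == "proxyjump") {
                # The first value obtained for a host wins, as in ssh itself.
                for (i = 1; i <= n; i++)
                    if (!(cur[i] in jump)) jump[cur[i]] = val
            }
        }
        END {
            chain = target; h = target; seen[h] = 1
            while ((h in jump) && tolower(jump[h]) != "none") {
                hop = jump[h]
                sub(/^.*@/, "", hop); sub(/:[0-9]+$/, "", hop)  # drop user@, :port
                if (hop in seen) { print "loop: " hop " " chain; exit 1 }
                seen[hop] = 1
                chain = hop " " chain
                h = hop
            }
            print chain
        }
    ' "$1"
}

# Constructed sample configs (hypothetical hosts under example.org).
good=$(mktemp); bad=$(mktemp)
printf 'Host vps1\n  HostName vps1.example.org\nHost contabo\n  ProxyJump vps1\n' > "$good"
printf 'Host contabo\n  HostName contabo.example.org\n  ProxyJump contabo\n' > "$bad"

jump_chain "$good" contabo                           # vps1 contabo
jump_chain "$bad" contabo || echo "fix ProxyJump"    # loop: contabo contabo
```

On a real system, ssh -G followed by the alias prints the configuration ssh would actually apply to that host, wildcard and Match handling included, without opening a connection.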

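The second method is to use the ProxyCommand option to add the jumphost configuration to your ~/.ssh/config (that is, $HOME/.ssh/config) file as shown. This method also works with OpenSSH releases older than 7.3, which do not have the -J flag or the ProxyJump option.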

In this example, the target host is contabo and the jumphost is vps1.

### Jumphost. Directly reachable
Host vps1
  HostName vps1.example.org
  IdentityFile ~/.ssh/vps1.pem
  User ec2-user

### Target host, reached through vps1
Host contabo
  HostName contabo.example.org
  IdentityFile ~/.ssh/contabovps
  Port 22
  User admin
  ProxyCommand ssh -q -W %h:%p vps1

Here, the line ProxyCommand ssh -q -W %h:%p vps1 means: run ssh in quiet mode (-q) and in stdio forwarding mode (-W), redirecting the connection through an intermediate host (vps1). %h and %p expand to the target's host name and port.

Then try to access your target host as shown.

$ ssh contabo

The above command will first open an ssh connection to vps1 in the background, as specified by the ProxyCommand, and thereafter start the ssh session to the target server contabo.

For more information, see the ssh man page or refer to: OpenSSH/Cookbook/Proxies and Jump Hosts.

That’s all for now! In this article, we have demonstrated how to access a remote server via a jump host. Use the feedback form below to ask any questions or share your thoughts with us.

Aaron Kili

Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

21 Responses

  1. Patrick Wilder says:

    I set up a simple version of this using bash scripts and ssh keys. I set up a hostA that can connect to hosts b – z using the ssh key (passwordless connection).

    The script must be run by root or sudo. You ssh to hostA, then run the script: “sudo myman Hostname”. This allows you to access the servers in the secure zone.

  2. Pablo says:

    “ProxyJump contabo” doesn’t make sense, I think there are a couple of errors in the first static config file.

    Here are the changes I would make:

    s/vps1/jumphost1/
    s/ProxyJump contabo/ProxyJump vps1/

    Source: https://unix.stackexchange.com/a/437909/209677

  3. viru says:

    In the above example, let’s say Host B has a webserver and we need to connect to it via browser from the localhost via the HostB. How to connect to a webserver via local port forwarding?

  4. Ravi Kumar says:

    Hello,

    What is Identifyfile? It should be identityfile

    NO one even noticed?

  5. Atheror says:

    There is a typo error “Proxy Command ssh -q -W %h:%p vps1” => “ProxyCommand ssh -q -W %h:%p vps1”

  6. tuxmartin says:

    [email protected]:~$ ssh -V
    OpenSSH_7.2p2 Ubuntu-4ubuntu2.5, OpenSSL 1.0.2g 1 Mar 2016
    [email protected]:~$
    [email protected]:~$ ssh -J
    unknown option -- J

    :-(

  7. Daniel Tripp says:

    I still get prompted for password on the destination machine – even though I’ve got my key stored on the jumphost.

    This doesn’t work for me:

    # ssh -J jumphost desthost (asks me for password on destination host)

    This does work:

    # ssh -A -t -l user1 jumphost \
        ssh -A -t -l user2 desthost

  8. Jeff Hagen says:

    Why not use a hardened Windows Server in the DMZ? Then, after you RDP to it (using a PAM account), you’ll have access to a Windows GUI, a web browser, puTTy for CLI, etc. Security is essential in a DMZ, but having access to a good tool set can help application admins with the services they need.

  9. Rodrigo says:

    Great article.

    But you have used host1 and host2 along the whole article while the image that explains this shows Host A and Host B.

  10. Mirzet says:

    I prefer ProxyJump vps1 => Simpler Syntax
