How to Connect Remote Linux via SSH ProxyJump and ProxyCommand

Brief: In this guide, we demonstrate how to use SSH ProxyJump and SSH ProxyCommand commands when connecting to a jump server.

In our previous guide on how to set up an SSH Jump Server, we covered the concept of a Bastion Host. A Bastion host or a Jump Server is an intermediary device that an SSH client connects to first before accessing the target remote Linux system. An SSH Jump server acts as a gateway to your IT resources, thus reducing the attack surface.

The SSH ProxyJump and ProxyCommand options determine how a client connects to the remote server via the jump server, jump host, or bastion server.

This guide shines the spotlight on SSH ProxyJump and SSH ProxyCommand in Linux.

Connect Remote Linux Using SSH ProxyJump Command

The ProxyJump option is passed on the command line with the -J flag. It was introduced in OpenSSH version 7.3 and lets you connect to a remote target by hopping through a bastion or jump server.

The syntax below shows how this option is used:

$ ssh -J <jump-server> <remote-target>

In the case of multiple bastion or jump servers, list them separated by commas, in the order they are traversed.

$ ssh -J <jump-server-1>,<jump-server-2> <remote-target>

In both cases, you will be logged in as the root user every step of the way. This is not ideal for security reasons, so you might want to create different users on every instance.

You can explicitly specify different users and SSH ports as shown.

$ ssh -J <user@jump-server:port> -p <port> <user@remote-target>

To demonstrate the ProxyJump flag in action, we have a simple setup as shown.

Jump Server IP:		User: james
Remote Target IP:		User: tecmint

To connect to the remote target using the Jump server, the command will look as follows.

$ ssh -J james@<jump-server-ip> tecmint@<remote-target-ip>

The command prompts you for the password of the jump server's user, followed by the target system's password, after which you are granted access to the target system.

[Figure: Connect Linux Using Jump Server]

Configuring Proxy Hosts in the ~/.ssh/config File

If you regularly use a specific bastion to connect to a specific remote target, you can append the following ProxyJump configuration to the ~/.ssh/config file to make the connection seamless. With this in place, you will only be authenticated once, and this happens only on the remote target. Replace the <jump-server-ip> and <remote-target-ip> placeholders with the addresses of your own hosts.

Host host-jump
    HostName <jump-server-ip>
    User james

Host host_destination
    HostName <remote-target-ip>
    User tecmint
    Port 22
    ProxyJump host-jump

Using the above configuration, you can make the connection to the target as shown.

$ ssh host_destination

[Figure: SSH to Remote Linux via ProxyJump]

Connect Remote Linux Using SSH ProxyCommand Command

Before ProxyJump, ProxyCommand was the only way of jumping hosts to reach the remote target. It works by forwarding stdin (standard input) and stdout (standard output) from the remote target through the jump server or bastion.

The ProxyCommand takes the following syntax.

$ ssh -o ProxyCommand="ssh -W %h:%p <jump server>" <remote target>

Here, the -W option with the %h:%p argument forwards standard input and output to the remote host (%h) on the remote host’s port (%p).

To put the command into action, this is how our command would look:

$ ssh -o ProxyCommand="ssh -W %h:%p james@<jump-server-ip>" tecmint@<remote-target-ip>

[Figure: Connect Linux Using ProxyCommand]

Configuring ProxyCommand in the ~/.ssh/config File

Of course, typing the whole command is tedious and time-consuming. To avoid typing such a lengthy command, add the following lines of code to your ~/.ssh/config file.

Host host-destination
ProxyCommand ssh -q -W %h:%p host-jump

Save and exit.

Now all you have to do is run the following command to connect to the remote server.

$ ssh host-destination
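
Both configuration styles shown above can be generated from one ordered list of hops. The following shell helper is an added example, not part of the original article: it writes ProxyJump stanzas when the client's `ssh -V` banner reports OpenSSH 7.3 or later and falls back to ProxyCommand otherwise. The function names, the aliases hop1..hopN and target, and the 192.0.2.x addresses are assumptions made for illustration.

```sh
# Added example: print ssh_config stanzas for a chain of jump hosts.
# Function names and the aliases hop1..hopN/target are assumptions.

# Succeeds when an `ssh -V` banner reports OpenSSH 7.3 or newer,
# the release that introduced ProxyJump.
supports_proxyjump() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}; minor=${ver#* }
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }
}

# stanza ALIAS USER@HOST[:PORT] PREVIOUS_ALIAS MODE
# PREVIOUS_ALIAS is empty for the first hop; MODE is "jump" or "command".
# IPv6 literals are not handled.
stanza() {
    user=${2%%@*}; rest=${2#*@}; host=${rest%%:*}; port=22
    case $rest in *:*) port=${rest##*:} ;; esac
    printf 'Host %s\n    HostName %s\n    User %s\n    Port %s\n' \
        "$1" "$host" "$user" "$port"
    if [ -z "$3" ]; then
        return 0
    elif [ "$4" = jump ]; then
        printf '    ProxyJump %s\n' "$3"
    else
        printf '    ProxyCommand ssh -q -W %%h:%%p %s\n' "$3"
    fi
}

# gen_config "SSH_V_BANNER" TARGET_SPEC HOP_SPEC...
# Hops are given in the order they are traversed; each stanza points at
# the alias before it, so `ssh target` walks the whole chain.
gen_config() {
    mode=command
    if supports_proxyjump "$1"; then mode=jump; fi
    target=$2; shift 2
    prev=''; n=0
    for hop in "$@"; do
        n=$((n + 1))
        stanza "hop$n" "$hop" "$prev" "$mode"
        prev="hop$n"
    done
    stanza target "$target" "$prev" "$mode"
}

# Constructed sample run (192.0.2.0/24 is a documentation range).
# Real use: gen_config "$(ssh -V 2>&1)" ... >> ~/.ssh/config
gen_config 'OpenSSH_8.9p1, OpenSSL 3.0.2' \
    tecmint@192.0.2.20 james@192.0.2.10:2222
```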

In this guide, we demonstrated how ProxyJump and ProxyCommand commands work. Generally, ProxyJump comes off as a better alternative to ProxyCommand and provides an easier and seamless way to connect to a remote target through a jump host.

James Kiarie