The concept of bastion hosts is nothing new to computing. Bastion hosts are usually public-facing, hardened systems that serve as an entry point to systems behind a firewall or other restricted location, and they are especially popular with the rise of cloud computing.
The ssh command has an easy way to make use of bastion hosts to connect to a remote host with a single command. Instead of first SSHing to the bastion host and then using ssh on the bastion to connect to the remote host, ssh can create the initial and second connections itself by using ProxyJump.
The ProxyJump option, or the -J flag, was introduced in ssh version 7.3. To use it, specify the bastion host to connect through after the -J flag, followed by the remote host:
$ ssh -J <bastion-host> <remote-host>
You can also set specific usernames and ports if they differ between the hosts:
$ ssh -J user@<bastion:port> <user@remote:port>
The ssh man (or manual) page (man ssh) notes that multiple, comma-separated hostnames can be specified to jump through a series of hosts:
$ ssh -J <bastion1>,<bastion2> <remote>
This feature is useful if there are multiple levels of separation between a bastion and the final remote host. For example, a public bastion host might give access to a “web tier” set of hosts, within which a further protected “database tier” group can be reached.
Hard-coding proxy hosts in ~/.ssh/config
The -J flag provides flexibility for easily specifying proxy and remote hosts as needed, but if a specific bastion host is regularly used to connect to a specific remote host, the ProxyJump configuration can be set in ~/.ssh/config to automatically make the connection to the bastion en route to the remote host:
### The Bastion Host
Host bastion-host-nickname
  HostName bastion-hostname

### The Remote Host
Host remote-host-nickname
  HostName remote-hostname
  ProxyJump bastion-host-nickname
Using the example configuration above, when an ssh connection is made like so:
$ ssh remote-host-nickname
the ssh command first creates a connection to the bastion host bastion-hostname (the host referenced, by nickname, in the remote host’s ProxyJump settings) before connecting to the remote host.
An alternative: Forwarding stdin and stdout
ProxyJump is the simplified way to use a feature that ssh has had for a long time: ProxyCommand. ProxyCommand works by running a command whose standard in (stdin) and standard out (stdout) ssh uses as its connection to the remote machine, so the traffic is relayed through the proxy or bastion hosts.
The ProxyCommand itself is a specific command used to connect to a remote server. In the case of the earlier example, that would be the manual ssh command used to first connect to the bastion:
$ ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host
The %h:%p argument to the -W flag above tells the bastion to forward standard in and out to the remote host (%h) on the remote host’s port (%p).
The ProxyCommand can be set in the ~/.ssh/config file for hosts that always use this configuration:
Host remote-host
  ProxyCommand ssh bastion-host -W %h:%p
With this setting in ~/.ssh/config, an ssh connection to the remote host is accomplished by forwarding stdin and stdout through a secure connection from bastion-host.
The ssh command is a powerful tool. While it might mostly be used in its simplest form, ssh user@hostname, there are literally dozens of uses, with flags and configurations to make connections from one host to another. Check out ssh’s manual page (man ssh) sometime to discover all of the different options available with this seemingly simple program.
Since it was founded in 2015, Servercheap has always strived to provide its clients with enterprise-level performance at an unbeatable cost. Servercheap offers a wide range of customizable hybrid and virtual private server hosting services. All Servercheap clients enjoy a 99.9% uptime SLA and 24/7 rapid response support team.
At Servercheap, our core directive has always been to provide our clients with the best services and infrastructure possible, whether you’re hosting a game server, a high-intensity database, a development environment, or anything in-between.
For more information, visit https://www.servercheap.net