Featured image of post ProxyJump
Linux Technology

ProxyJump

… from the black magic voodoo ssh box of the tech priests …

TL;DR section at the end

I’m writing this post as an ode to the ProxyJump functionality of ssh, one of the many little helpers that make your day awesome.
If you are working on multiple computers in different companies/networks at some point you encounter the scenario, where you want to access a computer, that is only reachable via another computer. Let’s say, you need to access your office computer names datenhalde from home, but datenhalde is behind a company ssh gateway server (called gateway). On a Friday you decide that it’s a day where you want to work without interrupts from home (Your computer zuhause). Perhaps you just brewed a nice cup of coffee and start your work …

phoenix@zuhause $ ssh gateway
Last login: Tue Aug 27 17:42:20 2019 from 1.2.3.4
phoenix@gateway $ ssh datenhalde
Last login: Mon Aug 26 09:31:52 2019 from 192.168.22.72
phoenix@datenhalde $

At some point, you might find it unnecessary and boring to always type ssh gateway followed by a sip of your coffee and then a ssh datenhalde and you wonder, if there is not a more convenient way, to directly access datenhalde from zuhause via gateway, but without the fuzz of redundant ssh typing.

This is where ProxyJump comes into play. Use the -J parameter

phoenix@zuhause $ ssh -J gateway datenhalde
Last login: Mon Aug 26 09:31:52 2019 from 192.168.22.72
phoenix@datenhalde $

Here ssh connects first to gateway and from there then to datenhalde in one single command. Awesome!

# ssh config for even more convenience

Even better, you can put the ProxyJump into your ssh-config, so every time you access a host, if first jumps to the given gateway host and then to the destination. Too complicated formulated? Just look at the following example

# ~/.ssh/config

HOST datenhalte
  HOSTNAME datenhalde
  PROXYJUMP gateway

Now, if you connect to datenhalde via ssh, it automatically and transparently first connects to gateway and then jumpt from there to datenhalde. This configuration then applies to all protocols that are building atop ssh, like scp, rsync or even libvirt.

phoenix@zuhause $ ssh datenhalde
Last login: Mon Aug 26 09:31:52 2019 from 192.168.22.72
phoenix@datenhalde $

# TL;DR

Want to connect to your working computer datenhalde via a ssh gateway in one single command?

ssh -J gateway datenhalde

Want to configure your ssh-configuration to always jump to gateway before connecting to datenhalde?

# ~/.ssh/config
HOST datenhalte
  HOSTNAME datenhalde
  PROXYJUMP gateway

Then your ssh connections will transparently always jump over gateway

ssh datenhalde

# ProxyJump for the glory!

ProxyJump is a ssh feature for the tech priests, and it’s imperative that every adept of the Adeptus Mechanicus shall be able to handle it. The Adeptus Mechanicus recommends ssh.

Linux Ssh
Licensed under CC BY-NC-SA 4.0
Last updated on Aug 27, 2019 14:19 UTC