Want to connect to a machine that isn’t directly exposed to the internet? You can achieve this by using the jump host feature built into ssh.
Command line argument
You can use the -J option with SSH to specify a jump host directly in the command line:
ssh -J jump.example.com dest.example.com
This command routes your SSH connection through the jump host to reach your final target.
Agent Forwarding
By combining this with the -A argument, you can allow the jump server to use your local machines ssh agent to authenticate with the target server. This removes the need to re-authenticate by adding your private SSH key to the jump server or reentering a login password. While convenient, agent forwarding should be used with caution. Ensure that you trust the jump server and its security, as it gains the ability to access your authentication credentials. Although the target server cannot directly see your private SSH key, it can authenticate on your behalf while you are connected.
ssh -A -J jump.example.com dest.example.com
Persistent Config
Don’t feel like typing out that whole command each time? Forget writing a bash script, you can also setup jump-hosts by modifying your ~/.ssh/config file. This way your jump host settings will persist across connections without having to specify the -J or -A arguments every time.
Host dest.example.com
ProxyJump jump.example.com
ForwardAgent yes
Now you should be able to connect to the machine as if it were directly accessible.
ssh dest.example.com
Using host matching with wildcards
If you have multiple machines on a network where only one is exposed to the wider public internet, you can use a wildcard match. The Match directive was introduced in OpenSSH 5.1 and enables more advanced configurations and offers additional flexibility.
Match host *.example.com !host jump.example.com
ProxyJump jump.example.com
🛈 Note: It is very important to remember to exclude the jump host machine from the wildcard pattern match. Otherwise you will encounter issues with host looping, rendering it impossible to connect to that machine.
!host jump.example.com
With this configuration, you’ll be able to connect seamlessly to any subdomain host name machine while routing through your jump host.
You can also add ForwardAgent yes to the wildcard entry in your SSH configuration to apply agent forwarding to multiple hosts. However, be extra cautious using this with wildcard matching, as it could unintentionally enable agent forwarding for an unintended host, potentially increasing security risks.
Final Thoughts
SSH configs allow all sorts of advanced configurations that can make your life easier. Jump hosts are a super powerful feature that can enhance your workflow with remote machines. Consider combining this with other config options such as User and ForwardX11 or ForwardAgent to further streamline your SSH experience, improving both convenience and security.