TIL: SSH Jump Host
The jump host is an option of the SSH client, that allows to use a third SSH server as "proxy" to access the final intended SSH server
Last week I needed to access a remote server to do some maintenance but I couldn’t connect via SSH. The problem was that I had configured the SSH server to listen to a custom port and the network I was connected to had a very strict firewall configuration that blocked outbound SSH on ports different than 22.
How could I bypass the firewall? Yes, I could SSH on another host on port 22 and then access my final destination from here.
But I didn’t want to mess with SSH keys.
Then I discovered that this use case is actually considered by SSH: there is a simple option that allows to specify jump hosts, namely hosts that are in-between you and your final destination.
By specifying a jump host we realize a proxy behavior.
Usage
Let’s see the man
pages:
[...]
-J destination
Connect to the target host by first making a ssh connection to the jump host
described by destination and then establishing a TCP forwarding to the
ultimate destination from there. Multiple jump hops may be
specified separated by comma characters. This is a shortcut to specify a
ProxyJump configuration directive. Note that configuration directives
supplied on the command-line generally apply to the destination
host and not any specified jump hosts. Use ~/.ssh/config to specify
configuration for jump hosts.
[...]
We can use jump hosts in this way:
ssh -J jump final
Where jump
is the jump host and final
is the final SSH server.
For example:
ssh -J user@myserveron22 user@myserveroncustomport
Since the only thing that the firewall sees is that I’m SSH-ing on port 22, it is allowed.