SSH through jump hosts, revisited

Close to 7 years ago, I wrote about SSH through jump hosts. Twice. While the method used back then still works, OpenSSH has grown a new option, -W, in version 5.4 that allows it to be simplified a bit, by not using nc. With -W the jump host only forwards bytes to the next hop: the client still negotiates with, and checks the host key of, the final destination itself, and nothing of your keys or agent has to be exposed to the intermediate machine.

So here is an updated rule, version 2016:

Host *+*
ProxyCommand ssh -W $(echo %h | sed 's/^.*+//;s/^\([^:]*$\)/\1:22/') $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:\([^:+]*\)$/ -p \1/')

The syntax you can use to connect through jump hosts hasn’t changed compared to previous blog posts:

  • With one jump host:
    $ ssh login1%host1:port1+host2:port2 -l login2
  • With two jump hosts:
    $ ssh login1%host1:port1+login2%host2:port2+host3:port3 -l login3
  • With three jump hosts:
    $ ssh login1%host1:port1+login2%host2:port2+login3%host3:port3+host4:port4 -l login4
  • etc.

Logins and ports can be omitted.
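To see what the rule above actually hands to ssh, here is an added example (not code from the original post): a small POSIX shell script that applies the same two sed pipelines to a few constructed host strings and prints the resulting ProxyCommand. The only differences from the config line are that `%%` is written `%` (the doubling is ssh_config escaping, not sed syntax) and that the `$` anchor of the first sed sits outside the group, which is equivalent and portable across sed implementations.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the two sed pipelines
# of the "Host *+*" ProxyCommand as shell functions, so the command ssh would
# run for a given %h can be inspected without opening a connection.
# Differences from the config line: "%%" is written "%" (the doubling is
# ssh_config escaping), and the "$" anchor in the first sed sits outside the
# group, which is equivalent and portable across sed implementations.

# Target of "ssh -W": the part after the last "+", with ":22" added when no
# port was given (without that, ssh reports a bad stdio forwarding spec).
w_target() {
  printf '%s\n' "$1" | sed 's/^.*+//;s/^\([^:]*\)$/\1:22/'
}

# Arguments of the inner ssh: drop the last "+hop", rewrite "login%host" as
# "host -l login", then rewrite a trailing "host:port" as "host -p port".
inner_args() {
  printf '%s\n' "$1" | sed 's/+[^+]*$//;s/\([^+%]*\)%\([^+]*\)$/\2 -l \1/;s/:\([^:+]*\)$/ -p \1/'
}

# The complete ProxyCommand, as ssh would execute it for the given %h.
proxy_command() {
  printf 'ssh -W %s %s\n' "$(w_target "$1")" "$(inner_args "$1")"
}

# Constructed host strings covering the documented syntaxes and the
# omitted-port / omitted-login cases.
for h in 'host1+host2' \
         'host1+host2:2022' \
         'login1%host1:2222+host2:2022' \
         'login1%host1:2222+login2%host2:2022+host3:2023'; do
  printf '%-48s -> %s\n' "$h" "$(proxy_command "$h")"
done
```

The last case shows the recursion: the inner ssh is given `login1%host1:2222+host2`, which matches `Host *+*` again and so climbs the chain one hop at a time. Note that the -W target is dialled by the jump host, so the name of each next hop must resolve there, not on your own client.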

Update: Add missing port to -W flag when one is not given.

2016-02-08 00:26:53+0900

p.d.o, p.m.o


5 Responses to “SSH through jump hosts, revisited”

  1. jimmy Says:

    you might like:

    https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Safer_alternative_to_SSH_agent_forwarding

    or want to add your method to it

  2. Dirk Says:

    It might be a pain to change host1 if this is needed for more than a few hosts. SSH can by itself combine ProxyCommands:

    Host1: Hostname DirectIP

    Host2: ProxyCommand via Host1

    Host3: ProxyCommand via Host2

    That makes it more maintainable. See some examples here (yes, I know netcat shouldn’t be used anymore, but the setup matters): http://sshmenu.sourceforge.net/articles/transparent-mulithop.html
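The chain Dirk sketches, as an added example that is not from his comment or from the original post, written with ssh -W rather than netcat. The host aliases, the address 192.0.2.10 and the logins are placeholders:

```ssh_config
# Added example: a static jump chain in ~/.ssh/config (placeholders throughout)
Host host1
    HostName 192.0.2.10
    User login1

# %h and %p expand to host2's own name and port. The -W is dialled by host1,
# so "host2" must resolve on host1, not on this client.
Host host2
    User login2
    ProxyCommand ssh -W %h:%p host1

Host host3
    User login3
    ProxyCommand ssh -W %h:%p host2
```

`ssh host3` then opens host1 directly, host2 through it and host3 through host2, each inner ssh matching its own Host block, so only the first hop's block ever needs editing when the entry point changes. OpenSSH 7.3 and later can express the same chain with `ProxyJump host1` under `Host host2` and `ProxyJump host2` under `Host host3`, with no ProxyCommand at all.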

  3. Tomáš Janoušek Says:

    Omitting ports doesn’t seem to work, I did “ssh host1+host2” and ssh said Bad stdio forwarding specification ‘host2’.

  4. Ludovic Says:

    What’s wrong with -A ?

  5. glandium Says:

    Dirk: The configuration proposed in my post is more useful for one-offs.

    Tomáš: Fixed, thanks.

    Ludovic: -A gives access to your agent to the jump host. Do you trust the jump host not to use it?