Using ProxyJump with SSH and SCP
It’s somewhat common to have what’s known as a “jump host” serve as an SSH gateway to a remote network. You use ssh to log into the jump host (or “jump server”) and from there use ssh to log into an internal host that’s not directly accessible from the Internet.
With the release of ssh version 7.3, the OpenSSH folks made it easier to do the jump and internal login in one step.
The Old Way
I’ve used the ProxyCommand for some time now, relying on nc to push SSH traffic over an established tunnel. Without going into the gory details, the process boils down to
- setting up an SSH session using the -D option to establish a SOCKS5 port-forwarding connection,
- configuring SSH to use a ProxyCommand to push traffic through the SOCKS5 connection.
It works reasonably well if you have a decent version of nc and you’ll be using that SOCKS5 tunnel for several connections. You can also use the SOCKS connection with web browsers to reach remote-internal web servers.
The New Way
Sometimes, however, you may want to avoid the two-step process, or you may be on a host that doesn’t have all the tools you need for SOCKS connections.
The new -J option (aka ProxyJump in the SSH configuration) is tailor-made for you!
Here’s the basic invocation:
ssh -J your.jump.host remote.internal.host
You’ll end up logged into the remote internal host, and ssh automatically takes care of the intermediate step of logging into the jump host first.
You can even use it as an option for secure file copies:
scp -o 'ProxyJump your.jump.host' myfile.txt remote.internal.host:/my/dir
The file myfile.txt will end up in the /my/dir directory on your remote internal host.
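
The old and new approaches described above can also be written once in ~/.ssh/config so that neither -J nor -o is needed on the command line. This is an added example, not part of the original post; the alias "jump", the user name "alice" and SOCKS port 1080 are assumptions, and the host names are the page's placeholders.

```sshconfig
# ~/.ssh/config (added example)

# --- Old way, kept commented out for comparison ---
# Step 1, in a separate terminal:  ssh -D 1080 your.jump.host
# Step 2: send the internal host's traffic through that SOCKS5 listener.
# -X 5 and -x are the OpenBSD netcat options for a SOCKS5 proxy.
#Host remote.internal.host
#    ProxyCommand nc -X 5 -x localhost:1080 %h %p

# --- New way (OpenSSH 7.3 and later) ---
Host jump
    HostName your.jump.host
    # Assumed account name on the jump host.
    User alice
    # With ProxyJump the second SSH session runs from your local client
    # through a forwarded TCP channel, so the jump host never needs
    # access to your agent or private keys.
    ForwardAgent no

Host remote.internal.host
    # Equivalent to: ssh -J jump remote.internal.host
    ProxyJump jump
    # Assumed account name on the internal host.
    User alice
```

With these entries in place, plain `ssh remote.internal.host` and `scp myfile.txt remote.internal.host:/my/dir` take the jump automatically.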