Using ProxyJump with SSH and SCP

It’s somewhat common to have what’s known as a “jump host” serve as an SSH gateway to a remote network. You use ssh to log into the jump host (or “jump server”) and from there use ssh to log into an internal host that’s not directly accessible from the Internet.

With the release of ssh version 7.3, the OpenSSH folks made it easier to do the jump and internal login in one step.

The Old Way

I’ve used the ProxyCommand for some time now, relying on nc to push SSH traffic over an established tunnel. Without going into the gory details, the process boils down to

  • setting up an SSH session using the -D option to establish a SOCKS5 port-forwarding connection,
  • configuring SSH to use a ProxyCommand to push traffic through the SOCKS5 connection.

It works reasonably well if you have a decent version of nc and you’ll be using that SOCKS5 tunnel for several connections. You can also use the SOCKS connection with web browsers to reach remote-internal web servers.

The New Way

Sometimes, however, you may want to avoid the two-step process, or you may be on a host that doesn’t have all the tools you need for SOCKS connections.

The new -J option (the command-line form of the ProxyJump configuration directive) is tailor-made for you! Here’s the basic invocation:

ssh -J your.jump.host remote.internal.host

You’ll end up logged into the remote internal host, and ssh automatically takes care of the intermediate step of logging into the jump host first.

You can even use it as an option for secure file copies:

scp -o 'ProxyJump your.jump.host' myfile.txt remote.internal.host:/my/dir

The file myfile.txt will end up in the /my/dir directory on your remote internal host.
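
To avoid typing -J or -o on every command, the same setting can live in ~/.ssh/config, which both ssh and scp read. This is an added example, not part of the original post; the user name and every host name other than your.jump.host and remote.internal.host are assumptions.

```sshconfig
# ~/.ssh/config
# Added example. "jumpuser", "second.jump.host", "deep.internal.host"
# and "legacy.internal.host" are hypothetical names.
# Comments sit on their own lines: older ssh_config parsers do not
# accept trailing comments.

# The jump host is reached directly.
Host your.jump.host
    User jumpuser
    Port 22

# The internal host is always reached through the jump host.
# The session to remote.internal.host is negotiated by your local client
# and tunnelled through the jump host, so its host key is checked against
# your local known_hosts, and no private keys or forwarded agent have to
# be present on the jump host.
Host remote.internal.host
    ProxyJump your.jump.host

# Several hops: comma-separated, visited left to right.
Host deep.internal.host
    ProxyJump your.jump.host,second.jump.host

# Clients older than 7.3 have no ProxyJump; -W gives the same
# stdio forwarding through the jump host.
Host legacy.internal.host
    ProxyCommand ssh -W %h:%p your.jump.host
```

With this in place, ssh remote.internal.host and scp myfile.txt remote.internal.host:/my/dir go through the jump host with no extra options.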
