Companies often use a SSH jump host (also sometimes called a Bastion server) which then allows to connect to additional SSH servers in the internal networks. This is a system architecture to improve security and to significantly reduce the (public) attack surface.
To connect to the target server, there are two SSH connections necessary:
1) SSH connection to the jump host
2) SSH connection from the jump host to the target server
By using SSH key authentication and agent forwarding, the private key from the SSH client is used in the second SSH connection, too. This is how this looks in a practical way:
# Add private key to ssh-agent:
ck@mint ~ $ ssh-add /home/ck/.ssh/id_rsa
Enter passphrase for /home/ck/.ssh/id_rsa: ********************
Identity added: /home/ck/.ssh/id_rsa (/home/ck/.ssh/id_rsa)
# SSH connection to jump host (-A for SSH agent forwarding):
ck@mint ~ $ ssh jumphost.example.com -A
# SSH connection from jump host to the target server
ck@jumphost:~$ ssh targetserver.corp.internal
ck@targetserver:~$
Although this works, it always requires to first connect to the jumphost, enter the ssh connection settings to the target server, therefore doing twice the "work" of establishing a SSH connection.
Another problem is doing file transfers using scp or sftp. The files first need to be transferred from the target server to the jump host and then from the jump host to the ssh client.
Wouldn't it be nice, if this ssh jumping would be handled automatically in the background?
With the release of OpenSSH 7.3 in August 2016 a new feature was added:
* ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
Although many years have passed since this release, the ProxyJump config option (or -J command line parameter) is not known to many SSH users. At least it was not known to me, having used SSH since at least 2005.
By using this parameter, we can define the jump host in the same command as we connect to the target server:
ck@mint ~ $ ssh admin@targetserver.corp.internal -J ck@jumphost.example.com
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)
[...]
In the above example, I want to connect as "admin" user to the targetserver in the internal network. The login on the jump server uses my own username "ck".
But instead of typing the jump host setting for every ssh connection, this can also be defined in the ssh (client) config.
ck@mint ~ $ tail .ssh/config
Host *.corp.internal
User admin
IdentityFile ~/.ssh/id_rsa
ProxyJump jumphost.example.com
With that config in place, we can now use ssh to "directly" connect to the target server:
ck@mint ~ $ ssh targetserver.corp.internal
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-67-generic x86_64)
[...]
admintargetserver:~$ hostname
targetserver
Of course this still uses the jump host in the background, but to you and me as user on the SSH client it looks like a single connection.
The same "single connection" also works for file transfers. Instead of copying a file from the target server twice, we can directly transfer it (via jump host in the background) to our local SSH client:
ck@mint ~ $ scp targetserver.corp.internal:/tmp/xxx .
xxx 100% 0 0.0KB/s 00:00
I mentioned above, I have been using SSH connections since at least 2005. In the last couple of years I have come across a lot of systems and networks with a SSH jump host. Having successfully tested the ProxyJump SSH option now, I experienced this rare "WOW!" moment. I wish I came across this very handy ProxyJump option sooner, it would have saved me so much time (doing ssh connection twice) and would have saved me many troubles with file transfers.
Definitely happy now, knowing future SSH sessions via a jump host will be faster and easier.
ck from Switzerland wrote on Mar 23rd, 2023:
draugas, sorry, no idea - I do not know teleport.
draugas from Vilnius wrote on Mar 22nd, 2023:
any way use jump throughout teleport?
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder