Proxy SSH traffic via Bastion Hosts with Proxyjump

2019-01-25 Rameez Khanssh

So what is a bastion host anyways?

It has become the norm these days to have what is called a bastion host (or perhaps more commonly known as a Jumpbox). This machine generally lives in a public subnet and serves as an SSH gateway into the private subnet/network. See below image.

Bastion

Proxy traffic via the bastion

I’ve always used the ProxyCommand before to achieve this. A quick example would be adding the following to your ~/.ssh/config file.

Host my-bastion
    HostName bastion.machine.ip
    User bastion-user
    IdentityFile ~/.ssh/bastion.machine.key.pem
    ForwardAgent yes

Host my-private-machine
    HostName private.machine.ip
    User user
    IdentityFile ~/.ssh/private.machine.key.pem
    ProxyCommand ssh user@my-bastion -W %h:%p

So what’s happening here?

In our terminal window, when we run the command…

ssh my-private-machine

… we are first connecting to our bastion host, and then connecting to our private machine. This is dictated by the ProxyCommand line above. In the background, the SSH protocol is forwarded by nc (netcat) instead of ssh.

This is all well and good, and it worked for me until I discovered ProxyJump!

A cleaner way using ProxyJump

Starting from OpenSSH 7.3, released on August 2016, ProxyJump is by far the easiest way to proxy traffic via a bastion host. In fact, it’s so useful that it has an entire section dedicated to it in the docs.

Here’s the basic usage:

ssh -J my.bastion.host my.private.host

That’s it. Seriously.

What’s cooler, is that in the background, the SSH protocol is now forwarded by ssh and not nc. And what’s even cooler is that you can now do ProxyJump chaining. Like this.

Host my-private-machine
    ProxyJump my-bastion-1, my-bastion-2

Bonus: Copying files to your private machine via a bastion host

You can even copy files to a private machine.

scp -o 'ProxyJump my.bastion.host' my-file.txt my.private.host:/tmp/my-file.txt

That’s it for now.

Peace ✌🏽