OpenSSH/Cookbook/Proxies and Jump Hosts

From Wikibooks, open books for an open world
Jump to: navigation, search


A proxy is an intermediary that forwards requests from clients to other servers. Performance improvement, load balancing, security or access control are some reasons they are used. Some proxies include caching to save bandwidth and increase speed by avoiding going out to the net to keep retrieving the same, unchanged documents.

SOCKS Proxy[edit]

It's possible to connect via an intermediate machine using a SOCKS proxy. SOCKS4 and SOCKS5 proxies are currently supported by OpenSSH. SOCKS5[1] allows transparent traversal, by an application, of a firewall or other barrier and can use strong authentication with help of GSS-API.Dynamic application-level port forwarding allows the outgoing port to be allocated on the fly thus creating a proxy at the TCP session level.

Here the web browser can connect to the SOCKS proxy on port 3555 on the local host:

$ ssh -D 3555 

Using ssh(1) as a SOCKS5 proxy, or in any other capacity where forwarding is used, you can specify multiple ports in one action:

$ ssh -D 80 -D 8080 -f -C -q -N

For example in Firefox, you'll also want the DNS requests to go via your proxy, so changing about:config needs network.proxy.socks_remote_dns set to true

It'll be similar for other programs that support SOCKS proxies.

You can tunnel samba over ssh(1), too.

Tunneling SSH Over Tor with Netcat[edit]

Instead of using ssh(1) as a SOCKS proxy, it is possible to tunnel the SSH protocol itself over a SOCKS proxy such as Tor. Tor is anonymity software and a corresponding network that uses relay hosts to conceal a user's location and network activity. Its architecture is intended to prevent surveillance and traffic analysis. Tor can be used in cases where it is important to conceal the point of origin of the SSH client.

On the end point that the client sees, Tor is a regular SOCKS5 proxy and can be used like any other SOCKS5 proxy. So this is tunneling SSH over a SOCKS proxy. For example, if Tor is installed locally and listening on a port, then SSH can run over Tor [2] using netcat:

$ ssh -o ProxyCommand="nc -X 5 -x localhost:9150 %h %p"

If the user name on the remote system is different from that on the local system, it is possible to pass along a different user name.

$ ssh -o User=fred -o ProxyCommand="nc -X 5 -x localhost:9150 %h %p"

When attempting a connection like this, it is very important that it does not leak information. In particular, the DNS lookup should occur over Tor and not be done by the client itself. Make sure that if VerifyHostKeyDNS is used that it be set to 'no'. The default is 'no' but check to be sure. It can be passed as a run-time argument to remove any doubt or uncertainty.

$ ssh -o "VerifyHostKeyDNS=no" -o ProxyCommand="nc -X 5 -x localhost:9150 %h %p"

Using the netcat-openbsd nc(1) package, this seems not to leak any DNS information. Other netcat packages might or might not be the same. It's also not clear if there are other ways in which this method might leak information. YMMV.

Jump Hosts -- Passing through a gateway or two[edit]

It is possible to connect to another host via one or more intermediaries so that the client can act as if the connection were direct.

There are two basic methods to choose from. The first is to use an SSH connection to port forward the SSH protocol through a jump host (or hosts) to an SSH server running on the target destination host. This is the most secure method because the traffic passing through the intermediate hosts is encrypted. But this method cannot be used if either the intermediate hosts or the target host deny port forwarding. Using the ProxyCommand option to invoke Netcat as the last connection in the chain is a variation of the port forwarding method. The second method passes the stdout of the SSH connection on the intermediate host to the stdin of the next SSH connection in the chain.

Attention must also be paid to whether or not the username changes from host to host in the chain of SSH connections. The netcat method does not allow a change of username. Other methods do.

When port forwarding is available the easiest way is to use ProxyJump in the configuration file or -J as a run-time parameter. (Of course you may also use the ProxyCommand ssh(1) option to invoke the netcat utility.) An example of -J usage is:

$ ssh -J

In older versions -J is not available. In this case the safest and most straightforward way is to use ssh(1)'s stdio forwarding (-W) mode to "bounce" the connection through an intermediate host.

$ ssh -o ProxyCommand="ssh -W %h:%p"

This approach supports port-forwarding without further tricks.

Yet older clients don't support the -W option. In this case ssh -tt may be used. This forces TTY allocation and passes the ssh traffic as though typed. To connect to server2 via firewall as the jump host:

$ ssh -tt ssh -tt

This opens an SSH terminal to the remote machine. You can also pass commands. For example, to reattach to a remote screen session using screen you can do the following:

$ ssh -tt ssh -tt screen -dR

The chain can be arbitrarily long and is not limited to just two hosts. The disadvantage of this approach over stdio-forwarding at the network layer with -W or -J is that your session, any forwarded agent, X11 server, or sockets are exposed to the intermediate hosts.

Port Forwarding Via a Single Intermediate Host[edit]

Tunneling, also called port forwarding, is when a port on one machine mapped to a connection to a port on another machine. In that way remote services can be accessed as if they were local. Or in the case of reverse port forwarding, vice verse. Forwarding can be done directly from one machine to another or via a machine in the middle.

Below we are setting up a tunnel from the localhost to machine2, which is behind a firewall, machine1. The tunnel will be via machine1 which is publicly accessible and also has access to machine2.

$ ssh -L

Next connecting to the tunnel will actually connect to the second host, machine2.

$ ssh -p 2222 remoteuser@localhost

That's it.

It is possible to use all the options in this way, such as -X for X11 forwarding. Here is an example of running rsync(1) between the two hosts using machine1 as an intermediary with the above setup.

$ rsync -av -e "ssh -p 2222"  /path/to/some/dir/   localhost:/path/to/some/dir/

SOCKS Proxy Via an Intermediate Host[edit]

If you want to open a SOCKS proxy via an intermediate host, it is possible:

$ ssh -L 8001:localhost:8002 -t ssh -D 8002

The client will see a SOCKS proxy on port 8001 on the local host, which is actually a connection to machine1 and traffic will ultimately enter and leave the net through machine2. Port 8001 on the local host connects to port 8002 on machine1 which is a SOCKS proxy to machine2. The port numbers can be chosen to be whatever you needed, but forwarding privileged ports still requires root privileges.

Passing Through One or More Gateways Using ProxyJump[edit]

Starting from OpenSSH 7.3[3], the easiest way to pass through one or more jump hosts is with the ProxyJump directive in ssh_config(5).

Host server2
        User fred

Multiple jump hosts can be specified as a comma-separated list. The hosts will be visited in the order listed.

Host server3
        User fred

It also has the shortcut of -J when using it as a run-time parameter.

$ ssh -J fred@

Multiple jump hosts can be chained in the same way.

$ ssh -J, fred@

It not possible to use both the ProxyJump and ProxyCommand directives in the same host configuration. The first one found is used and then the other blocked.

Old Methods of Passing Through Jump Hosts[edit]

In OpenSSH version 7.2 and earlier, passing through one or more gateways is more complex and requires use of stdio forwarding or, prior to 5.4, use of the netcat utility.

Passing Through a Gateway Using stdio Forwarding (Netcat Mode)[edit]

Between OpenSSH 5.4[4] and 7.2 inclusive, a 'netcat mode' can connect stdio on the client to a single port forwarded on the server. This can also be used to connect using ssh(1), but it needs the ProxyCommand option either as a run time parameter or as part of ~/.ssh/config. However, it no longer needs netcat to be installed on the intermediary machine(s). Here is an example of using it in a run time parameter.

$ ssh -o ProxyCommand="ssh -W %h:%p"

In that example, authentication will happen twice, first on the jump host and then on the final host where it will bring up a shell.

The syntax is the same if the gateway is identified in the configuration file. ssh(1) expands the full name of the gateway and the destination from the configuration file. The following allows the destination host to be reached by entering ssh server in the terminal.

Host server
        ProxyCommand ssh -W %h:%p

The same can be done for SFTP. Here the destination SFTP server can be reached by entering sftp sftpserver and the configuration file takes care of the rest. If there is a mix up with the final host key, then it is necessary to add in HostKeyAlias to explicitly name which key will be used to identify the destination system.

Host sftpserver
        ProxyCommand ssh -W %h:%p

It is possible to add the key for the gateway to the ssh-agent which you have running or else specify it in the configuration file. The option User refers to the user name on the destination. If the user is the same on both the destination and the originating machine, then it does not need to be used. If the user name is different on the gateway, then the -l option can be used in the ProxyCommand option. Here, the user 'fred' on the local machine, logs into the gateway as 'fred2' and into the destination server as 'fred3'.

Host server
        User fred3
        ProxyCommand ssh -l fred2 -i /home/fred/.ssh/rsa_key -W %h:%p

If both the gateway and destination are using keys, then the option IdentityFile in the config is used to point to the gateway's private key and the option IdentityFile specified on the commandline points at the destination's private key.

Host jump
        IdentityFile /home/fred/.ssh/rsa_key_2
        ProxyCommand ssh -i /home/fred/.ssh/rsa_key -W %h:%p

The old way prior to OpenSSH 5.4 used netcat, nc(1).

Host server
        ProxyCommand ssh nc %h %p

But that should not be used anymore and the netcat mode, provided by -W, should be used instead. The new way does not require netcat at all on any of the machines.

Recursively Chaining Gateways Using stdio Forwarding[edit]

The easy way to do this is with ProxyJump which is available starting with OpenSSH 7.3. For older versions, if the route always has the same hosts in the same order, then a straight forward chain can be put in the configuration file. Here three hosts are chained with the destination being given the shortcut machine3.

Host machine1
        User fred
        IdentityFile /home/fred/.ssh/machine1_e25519
        Port 2222

Host machine2
        User fred
        IdentityFile /home/fred/.ssh/machine2_e25519
        Port 2222
        ProxyCommand ssh -W %h:%p machine1

Host machine3
        User fred
        IdentityFile /home/fred/.ssh/machine3_e25519
        Port 2222
        ProxyCommand ssh -W %h:%p machine2

Thus any machine in the chain can be reached with a single line. For example, the final machine can be reached with ssh machine3 and worked with as normal. This includes port forwarding and any other capabilities.

Only hostname and, for second and subsequent hosts, ProxyCommand are needed for each Host directive. If keys are not used, then IdentityFile is not needed. If the user is the same for all hosts, the that can be skipped. And if the port is the default, then Port can be skipped. If using many keys in the agent at the same time and the error "too many authentication" pops up on the client end, it might be necessary to add IdentitiesOnly yes to each host's configuation.

Recursively Chaining an Arbitrary Number of Hosts[edit]

Again, the easy way to do this is with ProxyJump which is available starting with OpenSSH 7.3. For older versions, it is possible to make the configuration more abstract and allow passing through an arbitrary number of gateways. You can set the user name with -l thanks to the %r@, but that user name will be used for all host that you connect to or through. There are limitations resulbting from using the slash as a separator, as there would be with other symbols. However, it allows use of dirname(1) and basename(1) to process the host names.

Host */* 
        ProxyCommand ssh %r@$(dirname %h) -W $(basename %h):%p

In this way hosts are separated with a slash (/) and can be arbitrary in number[5].

$ ssh host1/host2/host3/host4

If keys are to be used then load them into an agent, then the client figures them out automatically if agent forwarding with the -A option is used. However, agent forwarding is considered by many to be a security flaw and a general misfeature. However, because the default for MaxAuthTries on the server is 6, using keys normally in an agent will limit the number of keys or hops to 6, with server-side logging getting triggered after half that.

The following configuration uses sed(1) to allow different port numbers and user names using the plus sign (+) as the delimiter for hosts, a colon (:) for ports, and an percentage sign (%) for user names. The basic structure is ssh -W $() $() and where %h is substituted for the target host name.

Host *+*
        ProxyCommand ssh -W $(echo %h | sed 's/^.*+//;s/^\([^:]*$\)/\1:22/') $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:\([^:+]*\)$/ -p \1/')

The port can be left off for the default of 22 or delimited with a colon (:) for non-standard values[6].

$ ssh host1+host2:2022+host3:2224

As-is, the colons confound sftp(1), so the above configuration will only work with it using standard ports. If sftp(1) is needed on non-standard ports then another delimiter, such as an underscore (_), can be configured.

Any user name except the final one can be specified for a given host using the designated delimiter, in the above it is a percentage sign (%). The destination host's user name is specified with -l and all others can be joined to their corresponding host name with the delimiter.

$ ssh -l user3 user1%host1+user2%host2+host3

If user names are specified, depending on the delimiter, ssh(1) can be unable to match the final host to an IP number and the key fingerprint in known_hosts. In such cases, it will ask for verification each time the connection is established, but this should not be a problem if either the equal sign (=) or percentage sign (%) is used.

ProxyCommand with Netcat[edit]

Another way, needed for OpenSSH 5.3 and older, is to use the ProxyCommand configuration directive and netcat. The utility nc(1) is for reading and writing network connections directly. It can be used to pass connections onward to a second machine. In this case, login is the final destination reached via the intermediary jumphost.

$ ssh -o 'ProxyCommand ssh %h nc 22' \
      -o '' \

Keys and different login names can also be used. Using ProxyCommand, ssh(1) will first connect to jumphost and then from there to The HostKeyAlias directive is needed to look up the right key for, without it the key for jumphost will be tried and that will, of course, fail unless both have the same keys. The account user2 exists on jumphost.

$ ssh -o 'ProxyCommand ssh -i key-rsa -l user2 %h nc 22' \
      -o '' \

It's also possible to make this arrangement more permanent and reduce typing by editing ssh_config Here a connection is made to host2 via host1:

        ProxyCommand ssh nc %h %p

Here a connection is made to server2 via server1 using the shortcut name 'jump'.

Host jump
        ProxyCommand ssh %h nc 22
        User fred

It can be made more general:

        ProxyCommand none

Host * my-private-host
        ProxyCommand ssh nc %h %p

The same can be done with sftp(1) by passing parameters on to ssh(1). Here is a simple example with sftp(1) where machine1 is the jump host to connect to machine2. The user name is the same for both hosts.

$ sftp -o 'ProxyCommand=ssh %h nc 22' \
       -o '' \

Here is a more complex example using a key for server1 but regular password-based login for the SFTP server.

$ sftp -o 'ProxyCommand ssh -i /Volumes/Home/fred/.ssh/server1_rsa \
       -l user2 nc 22'   \
       -o ''

If the user accounts names are different on the two machines, that works, too. Here, 'user2' is the account on the second machine which is the final target. The user 'fred' is the account on the intermediary or jump host.

$ ssh -l user2 \
      -o 'ProxyCommand ssh -l fred %h nc 22' \
      -o 'HostKeyAlias' \

Passing Through a Gateway with an Ad Hoc VPN[edit]

Two subnets can be connected over SSH by configuring the network routing on the end points to use the tunnel. The result is a VPN. A drawback is that root access is needed on both hosts, or at least sudo(8) access to ifconfig(8) and route(8). Note, there are very few instances where use of a VPN is legitimately called for, not because VPNs are illegal (quite they opposite, indeed data protection laws in many countries make them absolutely compulsory to protect content in transit) but simply because OpenSSH is usually flexible enough to complete most routine sysadmin and operational tasks using normal SSH methods as and when required. This SSH ad-hoc VPN method is therefore needed only very rarely.

Take this example with two networks. One network has the address range through The other has the address range through Each has a machine, and respectively, that will function as a gateway. Local machine numbering starts with 3 because 2 will be used for the tunnel interfaces on each LAN.

              + =====    +
              |                                   |                                   +---
              |                                   |                                   +---
              |                                   |                                   +---
              |                                   |
10.0.50.etc---+                                   +---172.16.99.etc
              |                                   |                                   +---

First a tun device is created on each machine, a virtual network device for point-to-point IP tunneling. Then the tun interfaces on these two gateways are then connected by an SSH tunnel. Each tun interface is assigned an IP address.

The tunnel connects machines and to each other, and each are already connected to their own local area network (LAN). Here is a VPN with the client as, remote as First, set on the client:

$ ssh -f -w 0:1 true
$ ifconfig tun0 netmask
$ route add

On the server:

$ ifconfig tun1 netmask
$ route add



  1. "SOCKS Protocol version 5". IETF. Retrieved 2011-02-17. 
  2. "SSH Over Tor". The Tor Project. 2012-08-28. Retrieved 2013-05-04. 
  3. "OpenSSH 7.3 Release Notes". OpenSSH. 2016-08-01. Retrieved 2016-08-01. 
  4. "OpenSSH 5.4 Release Notes". OpenSSH. 2010-04-07. Retrieved 2013-04-19. 
  5. Josh Hoblitt (2011-09-03). "Recursively chaining SSH ProxyCommand". [Read This Fine Material] from Joshua Hoblitt. Retrieved 2014-02-14. 
  6. Mike Hommey (2016-02-08). "SSH through jump hosts, revisited". glandium. Retrieved 2016-02-09.