October 2, 2023
Frequently, application servers will be set up with security restrictions that disallow direct SSH access and will only respond to SSH connections from within their local network. Typically, a dedicated server called a “jump box” is established which does allow SSH access from anywhere. To connect to an application server, you first SSH into the jump box, and then SSH into the application server from the jump box. This is a good security practice, as the IP of the jump box can be kept a secret (so attackers wouldn’t even know where to try to break in), and there is only one SSH entrypoint to protect.
But it makes it more complicated when a developer needs to SSH into an application server.
You could, of course, just SSH into the jump box and then SSH into the application server. But then you’re only allowed to use the utilities present on the application server. Hope you’re good at using Vim without any IDE features.
In the past I’ve used SSH tunneling to solve this. Essentially, I connect to the jump box with a command that tells SSH to map a certain port on my machine to a certain port on the application server, with the jump box as the middleman. And every time I do this I need to look up the syntax. It’s annoying, and I hate it.
Yeah. So… in 2016 OpenSSH 7.3 introduced the ProxyJump configuration option. It makes this super easy.
Just open up your ~/.ssh/config file, and add two entries — one for the jump box, and one for the application server.
Host JumpBox
    HostName jump-box-hostname-or-ip
    User jump-box-username

Host AppServer
    HostName app-server-hostname-or-ip
    User app-server-username
So far, pretty standard. This will allow you to type ssh JumpBox and connect to the jump box. But you still can’t connect to the app server with ssh AppServer, because you aren’t allowed to connect directly.
But watch this:
Host AppServer
    HostName app-server-hostname-or-ip
    User app-server-username
    ProxyJump JumpBox
That one line at the end just says “hey, don’t connect to AppServer directly — connect to it through the JumpBox connection”.
Type ssh AppServer and you’re in. And if you’re using an SFTP client that respects your SSH config, you can just point it at AppServer and start editing files directly on that protected app server.
And if you’d like to use a jump box on the fly, without editing your SSH config, you can do that with the -J flag:
ssh -J user@jump-box-host user@app-server-host
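To see exactly which hops the config entries above and the -J form produce, here is an added example (not from the original post, and not OpenSSH's own code): a small Python parser for the Host / HostName / User / ProxyJump options of an ssh_config file that resolves the hop chain in connection order, expands a comma-separated or nested ProxyJump into multiple hops, flags a ProxyJump cycle, and renders the equivalent -J command line. The sample config is constructed and mirrors the post's two entries plus an extra DbServer entry that jumps through AppServer; all host names and users are placeholders.

```python
"""Resolve the hop chain an OpenSSH client follows for a Host alias.

Added example, not code from the original post or from OpenSSH. Handles only
the Host, HostName, User and ProxyJump options; Match blocks, wildcards and
per-hop user/port overrides in ProxyJump are deliberately out of scope.
"""

# Constructed sample config: the post's JumpBox and AppServer entries plus a
# DbServer that is reached through AppServer, giving a two-jump chain.
SAMPLE_CONFIG = """
Host JumpBox
    HostName jump-box-hostname-or-ip
    User jump-box-username

Host AppServer
    HostName app-server-hostname-or-ip
    User app-server-username
    ProxyJump JumpBox

Host DbServer
    HostName db-server-hostname-or-ip
    User db-user
    ProxyJump AppServer
"""


def parse_ssh_config(text):
    """Return {alias: {option_lowercase: value}} for each Host block.

    Comments (#) are stripped; like ssh, the first value seen for an
    option inside a block wins.
    """
    hosts = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = {}
            for alias in value.split():  # "Host a b" shares one block
                hosts[alias] = current
        elif current is not None:
            current.setdefault(key, value)
    return hosts


def resolve_hops(hosts, alias, _seen=frozenset()):
    """Return hops in connection order: [jump1, ..., jumpN, target].

    Each hop is "user@hostname" (or just the hostname when no User is set).
    Raises ValueError if the ProxyJump entries form a cycle.
    """
    if alias in _seen:
        raise ValueError(f"ProxyJump cycle involving {alias!r}")
    seen = _seen | {alias}

    entry = hosts.get(alias, {})
    hostname = entry.get("hostname", alias)
    user = entry.get("user")
    target = f"{user}@{hostname}" if user else hostname

    hops = []
    for jump in entry.get("proxyjump", "").split(","):
        jump = jump.strip()
        if not jump or jump.lower() == "none":
            continue
        _user, _, jump_host = jump.rpartition("@")
        if jump_host in hosts:
            # A bare alias (or user@alias) is another Host entry, which may
            # itself declare a ProxyJump, so recurse to expand the chain.
            hops.extend(resolve_hops(hosts, jump_host, seen))
        else:
            hops.append(jump)  # literal user@host, as given to the -J flag
    hops.append(target)
    return hops


def as_j_flag(hops):
    """Render a hop list as the equivalent ad-hoc `ssh -J ...` command."""
    *jumps, target = hops
    if not jumps:
        return f"ssh {target}"
    return f"ssh -J {','.join(jumps)} {target}"


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for alias in ("JumpBox", "AppServer", "DbServer"):
        print(f"{alias:10} -> {as_j_flag(resolve_hops(cfg, alias))}")
```

Running it prints one line per alias, so you can confirm that `ssh AppServer` resolves to a single jump through the jump box and that `ssh DbServer` goes jump box, then app server, then database. The cycle check is the useful sanity test when several people edit a shared config: two entries that point ProxyJump at each other would otherwise make the real ssh client loop until it fails.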
I sure wish I’d learned this five years ago when macOS’s version of OpenSSH started supporting it.