October 2, 2023
Frequently, application servers will be set up with security restrictions that disallow direct SSH access and will only respond to SSH connections from within their local network. Typically, a dedicated server called a “jump box” is established which does allow SSH access from anywhere. To connect to an application server, you first SSH into the jump box, and then SSH into the application server from the jump box. This is a good security practice, as the IP of the jump box can be kept a secret (so attackers wouldn’t even know where to try to break in), and there is only one SSH entrypoint to protect.
But it makes it more complicated when a developer needs to SSH into an application server.
You could, of course, just SSH into the jump box and then SSH into the application server. But then you’re only allowed to use the utilities present on the application server. Hope you’re good at using Vim without any IDE features.
In the past I’ve used SSH tunneling to solve this. Essentially, I connect to the jump box with a command that tells SSH to map a certain port on my machine to a certain port on the application server, with the jump box as the middleman. And every time I do this I need to look up the syntax. It’s annoying, and I hate it.
Yeah. So… in 2016 OpenSSH 7.3 introduced the
ProxyJump configuration option. It makes this super easy.
Just open up your
~/.ssh/config file, and add two entries — one for the jump box, and one for the application server.
Host JumpBox HostName jump-box-hostname-or-ip User jump-box-username Host AppServer HostName app-server-hostname-or-ip User app-server-username
So far, pretty standard. This will allow you to type
ssh JumpBox and connect to the jump box. But you still can’t connect to the app server with
ssh AppServer because you aren’t allowed to connect directly.
But watch this:
Host AppServer HostName app-server-hostname-or-ip User app-server-username ProxyJump JumpBox
That one line at the end just says “hey, don’t connect to
AppServer directly — connect to it through the
ssh AppServer and you’re in. And if you’re using an SFTP client that respects your SSH config, you can just point it at
AppServer and start editing files directly on that protected app server.
And if you’d like to use a jump box on the fly, without editing your SSH config, you can do that with the
ssh -J user@jump-box-host user@app-server-host
I sure wish I’d learned this five years ago when macOS’s version of OpenSSH started supporting it.