The concept of bastion hosts is nothing new to computing. Baston hosts are usually public-facing, hardened systems that serve as an entrypoint to systems behind a firewall or other restricted location, and they are especially popular with the rise of cloud computing.
The ssh
command has an easy way to make use of bastion hosts to connect to a remote host with a single command. Instead of first SSHing to the bastion host and then using ssh
on the bastion to connect to the remote host, ssh
can create the initial and second connections itself by using ProxyJump
.
ProxyJump
The ProxyJump
, or the -J
flag, was introduced in ssh
version 7.3. To use it, specify the bastion host to connect through after the -J
flag, plus the remote host:
$ ssh -J <bastion-host> <remote-host>
You can also set specific usernames and ports if they differ between the hosts:
$ ssh -J user@<bastion:port> <user@remote:port>
The ssh
man (or manual) page (man ssh
) notes that multiple, comma-separated hostnames can be specified to jump through a series of hosts:
$ ssh -J <bastion1>,<bastion2> <remote>
This feature is useful if there are multiple levels of separation between a bastion and the final remote host. For example, a public bastion host giving access to a "web tier" set of hosts, within which is a further protected "database tier" group might be accessed.
Hard-coding proxy hosts in ~/.ssh/config
The -J
flag provides flexibiltiy for easily specifying proxy and remote hosts as needed, but if a specific bastion host is regularly used to connect to a specific remote host, the ProxyJump
configuration can be set in ~/.ssh/config
to automatically make the connection to the bastion en-route to the remote host:
### The Bastion Host
Host bastion-host-nickname
HostName bastion-hostname
### The Remote Host
Host remote-host-nickname
HostName remote-hostname
ProxyJump bastion-host-nickname
Using the example configuration above, when an ssh
connection is made like so:
$ ssh remote-host-nickname
The ssh
command first creates a connection to the bastion host bastion-hostname
(the host referenced, by nickname, in the remote host’s ProxyJump
settings) before connecting to the remote host.
An alternative: Forwarding stdin and stdout
ProxyJump
is the simplified way to use a feature that ssh
has had for a long time: ProxyCommand
. ProxyCommand
works by forwarding standard in (stdin) and standard out (stdout) from the remote machine through the proxy or bastion hosts.
The ProxyCommand
itself is a specific command used to connect to a remote server—in the case of the earlier example, that would be the manual ssh
command used to first connect to the bastion:
$ ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host
The %h:%p
arguments to the -W
flag above specify to forward standard in and out to the remote host (%h
) and the remote host’s port (%p
).
ProxyCommand
in ~/.ssh/config
As with ProxyJump
, ProxyCommand
can be set in the ~/.ssh/config
file for hosts that always use this configuration:
Host remote-host
ProxyCommand ssh bastion-host -W %h:%p
With this setting in ~/.ssh/config
, any ssh
connection to the remote host is accomplished by forwarding stdin and stdout through a secure connection from bastion-host
.
The ssh
command is a powerful tool. While it might mostly be used in its simplest form, ssh user@hostname
, there are literally dozens of uses, with flags and configurations to make connections from one host to another. Check out ssh
's manual page (man ssh
) sometime to discover all of the different options available with this seemingly simple program.
Sobre el autor
Chris Collins is an SRE at Red Hat and a Community Moderator for Opensource.com. He is a container and container orchestration, DevOps, and automation evangelist, and will talk with anyone interested in those topics for far too long and with much enthusiasm.
Navegar por canal
Automatización
Las últimas novedades en la automatización de la TI para los equipos, la tecnología y los entornos
Inteligencia artificial
Descubra las actualizaciones en las plataformas que permiten a los clientes ejecutar cargas de trabajo de inteligecia artificial en cualquier lugar
Nube híbrida abierta
Vea como construimos un futuro flexible con la nube híbrida
Seguridad
Vea las últimas novedades sobre cómo reducimos los riesgos en entornos y tecnologías
Edge computing
Conozca las actualizaciones en las plataformas que simplifican las operaciones en el edge
Infraestructura
Vea las últimas novedades sobre la plataforma Linux empresarial líder en el mundo
Aplicaciones
Conozca nuestras soluciones para abordar los desafíos más complejos de las aplicaciones
Programas originales
Vea historias divertidas de creadores y líderes en tecnología empresarial
Productos
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servicios de nube
- Ver todos los productos
Herramientas
- Training y Certificación
- Mi cuenta
- Soporte al cliente
- Recursos para desarrolladores
- Busque un partner
- Red Hat Ecosystem Catalog
- Calculador de valor Red Hat
- Documentación
Realice pruebas, compras y ventas
Comunicarse
- Comuníquese con la oficina de ventas
- Comuníquese con el servicio al cliente
- Comuníquese con Red Hat Training
- Redes sociales
Acerca de Red Hat
Somos el proveedor líder a nivel mundial de soluciones empresariales de código abierto, incluyendo Linux, cloud, contenedores y Kubernetes. Ofrecemos soluciones reforzadas, las cuales permiten que las empresas trabajen en distintas plataformas y entornos con facilidad, desde el centro de datos principal hasta el extremo de la red.
Seleccionar idioma
Red Hat legal and privacy links
- Acerca de Red Hat
- Oportunidades de empleo
- Eventos
- Sedes
- Póngase en contacto con Red Hat
- Blog de Red Hat
- Diversidad, igualdad e inclusión
- Cool Stuff Store
- Red Hat Summit