The concept of bastion hosts is nothing new to computing. Baston hosts are usually public-facing, hardened systems that serve as an entrypoint to systems behind a firewall or other restricted location, and they are especially popular with the rise of cloud computing.
The ssh
command has an easy way to make use of bastion hosts to connect to a remote host with a single command. Instead of first SSHing to the bastion host and then using ssh
on the bastion to connect to the remote host, ssh
can create the initial and second connections itself by using ProxyJump
.
ProxyJump
The ProxyJump
, or the -J
flag, was introduced in ssh
version 7.3. To use it, specify the bastion host to connect through after the -J
flag, plus the remote host:
$ ssh -J <bastion-host> <remote-host>
You can also set specific usernames and ports if they differ between the hosts:
$ ssh -J user@<bastion:port> <user@remote:port>
The ssh
man (or manual) page (man ssh
) notes that multiple, comma-separated hostnames can be specified to jump through a series of hosts:
$ ssh -J <bastion1>,<bastion2> <remote>
This feature is useful if there are multiple levels of separation between a bastion and the final remote host. For example, a public bastion host giving access to a "web tier" set of hosts, within which is a further protected "database tier" group might be accessed.
Hard-coding proxy hosts in ~/.ssh/config
The -J
flag provides flexibiltiy for easily specifying proxy and remote hosts as needed, but if a specific bastion host is regularly used to connect to a specific remote host, the ProxyJump
configuration can be set in ~/.ssh/config
to automatically make the connection to the bastion en-route to the remote host:
### The Bastion Host
Host bastion-host-nickname
HostName bastion-hostname
### The Remote Host
Host remote-host-nickname
HostName remote-hostname
ProxyJump bastion-host-nickname
Using the example configuration above, when an ssh
connection is made like so:
$ ssh remote-host-nickname
The ssh
command first creates a connection to the bastion host bastion-hostname
(the host referenced, by nickname, in the remote host’s ProxyJump
settings) before connecting to the remote host.
An alternative: Forwarding stdin and stdout
ProxyJump
is the simplified way to use a feature that ssh
has had for a long time: ProxyCommand
. ProxyCommand
works by forwarding standard in (stdin) and standard out (stdout) from the remote machine through the proxy or bastion hosts.
The ProxyCommand
itself is a specific command used to connect to a remote server—in the case of the earlier example, that would be the manual ssh
command used to first connect to the bastion:
$ ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host
The %h:%p
arguments to the -W
flag above specify to forward standard in and out to the remote host (%h
) and the remote host’s port (%p
).
ProxyCommand
in ~/.ssh/config
As with ProxyJump
, ProxyCommand
can be set in the ~/.ssh/config
file for hosts that always use this configuration:
Host remote-host
ProxyCommand ssh bastion-host -W %h:%p
With this setting in ~/.ssh/config
, any ssh
connection to the remote host is accomplished by forwarding stdin and stdout through a secure connection from bastion-host
.
The ssh
command is a powerful tool. While it might mostly be used in its simplest form, ssh user@hostname
, there are literally dozens of uses, with flags and configurations to make connections from one host to another. Check out ssh
's manual page (man ssh
) sometime to discover all of the different options available with this seemingly simple program.
Sull'autore
Chris Collins is an SRE at Red Hat and a Community Moderator for Opensource.com. He is a container and container orchestration, DevOps, and automation evangelist, and will talk with anyone interested in those topics for far too long and with much enthusiasm.
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Serie originali
Raccontiamo le interessanti storie di leader e creatori di tecnologie pensate per le aziende
Prodotti
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Servizi cloud
- Scopri tutti i prodotti
Strumenti
- Formazione e certificazioni
- Il mio account
- Supporto clienti
- Risorse per sviluppatori
- Trova un partner
- Red Hat Ecosystem Catalog
- Calcola il valore delle soluzioni Red Hat
- Documentazione
Prova, acquista, vendi
Comunica
- Contatta l'ufficio vendite
- Contatta l'assistenza clienti
- Contatta un esperto della formazione
- Social media
Informazioni su Red Hat
Red Hat è leader mondiale nella fornitura di soluzioni open source per le aziende, tra cui Linux, Kubernetes, container e soluzioni cloud. Le nostre soluzioni open source, rese sicure per un uso aziendale, consentono di operare su più piattaforme e ambienti, dal datacenter centrale all'edge della rete.
Seleziona la tua lingua
Red Hat legal and privacy links
- Informazioni su Red Hat
- Opportunità di lavoro
- Eventi
- Sedi
- Contattaci
- Blog di Red Hat
- Diversità, equità e inclusione
- Cool Stuff Store
- Red Hat Summit