The concept of bastion hosts is nothing new to computing. Baston hosts are usually public-facing, hardened systems that serve as an entrypoint to systems behind a firewall or other restricted location, and they are especially popular with the rise of cloud computing.
The ssh
command has an easy way to make use of bastion hosts to connect to a remote host with a single command. Instead of first SSHing to the bastion host and then using ssh
on the bastion to connect to the remote host, ssh
can create the initial and second connections itself by using ProxyJump
.
ProxyJump
The ProxyJump
, or the -J
flag, was introduced in ssh
version 7.3. To use it, specify the bastion host to connect through after the -J
flag, plus the remote host:
$ ssh -J <bastion-host> <remote-host>
You can also set specific usernames and ports if they differ between the hosts:
$ ssh -J user@<bastion:port> <user@remote:port>
The ssh
man (or manual) page (man ssh
) notes that multiple, comma-separated hostnames can be specified to jump through a series of hosts:
$ ssh -J <bastion1>,<bastion2> <remote>
This feature is useful if there are multiple levels of separation between a bastion and the final remote host. For example, a public bastion host giving access to a "web tier" set of hosts, within which is a further protected "database tier" group might be accessed.
Hard-coding proxy hosts in ~/.ssh/config
The -J
flag provides flexibiltiy for easily specifying proxy and remote hosts as needed, but if a specific bastion host is regularly used to connect to a specific remote host, the ProxyJump
configuration can be set in ~/.ssh/config
to automatically make the connection to the bastion en-route to the remote host:
### The Bastion Host
Host bastion-host-nickname
HostName bastion-hostname
### The Remote Host
Host remote-host-nickname
HostName remote-hostname
ProxyJump bastion-host-nickname
Using the example configuration above, when an ssh
connection is made like so:
$ ssh remote-host-nickname
The ssh
command first creates a connection to the bastion host bastion-hostname
(the host referenced, by nickname, in the remote host’s ProxyJump
settings) before connecting to the remote host.
An alternative: Forwarding stdin and stdout
ProxyJump
is the simplified way to use a feature that ssh
has had for a long time: ProxyCommand
. ProxyCommand
works by forwarding standard in (stdin) and standard out (stdout) from the remote machine through the proxy or bastion hosts.
The ProxyCommand
itself is a specific command used to connect to a remote server—in the case of the earlier example, that would be the manual ssh
command used to first connect to the bastion:
$ ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host
The %h:%p
arguments to the -W
flag above specify to forward standard in and out to the remote host (%h
) and the remote host’s port (%p
).
ProxyCommand
in ~/.ssh/config
As with ProxyJump
, ProxyCommand
can be set in the ~/.ssh/config
file for hosts that always use this configuration:
Host remote-host
ProxyCommand ssh bastion-host -W %h:%p
With this setting in ~/.ssh/config
, any ssh
connection to the remote host is accomplished by forwarding stdin and stdout through a secure connection from bastion-host
.
The ssh
command is a powerful tool. While it might mostly be used in its simplest form, ssh user@hostname
, there are literally dozens of uses, with flags and configurations to make connections from one host to another. Check out ssh
's manual page (man ssh
) sometime to discover all of the different options available with this seemingly simple program.
Sobre o autor
Chris Collins is an SRE at Red Hat and a Community Moderator for Opensource.com. He is a container and container orchestration, DevOps, and automation evangelist, and will talk with anyone interested in those topics for far too long and with much enthusiasm.
Navegue por canal
Automação
Últimas novidades em automação de TI para empresas de tecnologia, equipes e ambientes
Inteligência artificial
Descubra as atualizações nas plataformas que proporcionam aos clientes executar suas cargas de trabalho de IA em qualquer ambiente
Nuvem híbrida aberta
Veja como construímos um futuro mais flexível com a nuvem híbrida
Segurança
Veja as últimas novidades sobre como reduzimos riscos em ambientes e tecnologias
Edge computing
Saiba quais são as atualizações nas plataformas que simplificam as operações na borda
Infraestrutura
Saiba o que há de mais recente na plataforma Linux empresarial líder mundial
Aplicações
Conheça nossas soluções desenvolvidas para ajudar você a superar os desafios mais complexos de aplicações
Programas originais
Veja as histórias divertidas de criadores e líderes em tecnologia empresarial
Produtos
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Red Hat Cloud Services
- Veja todos os produtos
Ferramentas
- Treinamento e certificação
- Minha conta
- Suporte ao cliente
- Recursos para desenvolvedores
- Encontre um parceiro
- Red Hat Ecosystem Catalog
- Calculadora de valor Red Hat
- Documentação
Experimente, compre, venda
Comunicação
- Contate o setor de vendas
- Fale com o Atendimento ao Cliente
- Contate o setor de treinamento
- Redes sociais
Sobre a Red Hat
A Red Hat é a líder mundial em soluções empresariais open source como Linux, nuvem, containers e Kubernetes. Fornecemos soluções robustas que facilitam o trabalho em diversas plataformas e ambientes, do datacenter principal até a borda da rede.
Selecione um idioma
Red Hat legal and privacy links
- Sobre a Red Hat
- Oportunidades de emprego
- Eventos
- Escritórios
- Fale com a Red Hat
- Blog da Red Hat
- Diversidade, equidade e inclusão
- Cool Stuff Store
- Red Hat Summit