{"id":16241,"date":"2023-04-18T21:03:50","date_gmt":"2023-04-18T18:03:50","guid":{"rendered":"https:\/\/kifarunix.com\/?p=16241"},"modified":"2024-03-10T08:54:40","modified_gmt":"2024-03-10T05:54:40","slug":"securely-ssh-to-remote-host-via-multiple-jump-hosts","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/securely-ssh-to-remote-host-via-multiple-jump-hosts\/","title":{"rendered":"Securely SSH to Remote Host via Multiple Jump Hosts"},"content":{"rendered":"\n<p>In this comprehensive guide, we&#8217;ll walk you through the steps to securely SSH to remote host via multiple jump hosts. If you&#8217;re a system administrator or developer who needs to access a remote host via multiple jump hosts, you know it can be a challenging and time-consuming process. But with the right tools and techniques, you can establish a secure connection to your destination and protect your sensitive data.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#ssh-to-remote-host-via-multiple-jump-hosts\">SSH to Remote Host via Multiple Jump Hosts<\/a><ul><li><a href=\"#ssh-into-one-jump-host-at-a-given-time\">SSH into One Jump Host at a Given Time<\/a><\/li><li><a href=\"#ssh-to-remote-host-using-ssh-proxy-jump-option\">SSH to Remote Host Using SSH ProxyJump Option<\/a><ul><li><a href=\"#using-proxy-jump-in-command-line\">Using ProxyJump in Command Line<\/a><\/li><li><a href=\"#using-proxy-jump-in-ssh-config-file\">Using ProxyJump in SSH Config File<\/a><\/li><\/ul><\/li><li><a href=\"#ssh-to-remote-host-using-ssh-proxy-command-option\">SSH to Remote Host Using SSH ProxyCommand Option<\/a><ul><li><a href=\"#using-proxy-command-ssh-option-in-command-line\">Using ProxyCommand SSH option in Command Line<\/a><\/li><li><a href=\"#using-proxy-command-ssh-option-in-ssh-config-file\">Using ProxyCommand SSH option in SSH Config File<\/a><\/li><\/ul><\/li><li><a href=\"#other-tutorials\">Other 
Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"ssh-to-remote-host-via-multiple-jump-hosts\">SSH to Remote Host via Multiple Jump Hosts<\/h2>\n\n\n\n<p>Imagine you have three nodes in your network;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Node A: This can be your localhost machine<\/li>\n\n\n\n<li>Node B: Load Balancer, for example<\/li>\n\n\n\n<li>Node C: This can be your web app server for example<\/li>\n\n\n\n<li>Node D: This can be your web database server.<\/li>\n<\/ol>\n\n\n\n<p>Assume strict security requirements have been implemented in your infrastructure such that a remote server is only accessible via a jump\/bastion host. To connect to the remote server, you&#8217;ll need to first connect to the jump host, and then connect to the remote server via the jump host.<\/p>\n\n\n\n<p>For example, access to Node D has been restricted such that it can only be accessed from Node C. Similarly, Node C has been restricted to allow access only from Node B. 
Node B, in turn, can only be SSHed into by a few admins, you included (from Node A).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ssh-into-one-jump-host-at-a-given-time\">SSH into One Jump Host at a Given Time<\/h3>\n\n\n\n<p>Normally, to SSH to a remote host via multiple jump hosts, you first have to log in to the first jump host.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh username@nodeB<\/code><\/pre>\n\n\n\n<p>If you are using SSH keys for authentication, then;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -i \/path\/to\/ssh\/key\/on\/nodeA username@nodeB<\/code><\/pre>\n\n\n\n<p>Once you are logged into Node B, SSH again into Node C, which is the next jump host;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh username@nodeC<\/code><\/pre>\n\n\n\n<p>Or similarly, if you need SSH keys;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -i \/path\/to\/ssh\/key\/on\/nodeB username@nodeC<\/code><\/pre>\n\n\n\n<p>Once you are logged into Node C, SSH again into Node D, which is the target remote host;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh username@nodeD<\/code><\/pre>\n\n\n\n<p>Or similarly, if you need SSH keys;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -i \/path\/to\/ssh\/key\/on\/nodeC username@nodeD<\/code><\/pre>\n\n\n\n<p>And that is it! 
Time consuming, isn&#8217;t it?<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ssh-to-remote-host-using-ssh-proxy-jump-option\">SSH to Remote Host Using SSH ProxyJump Option<\/h3>\n\n\n\n<p>Beginning with OpenSSH 7.3, SSH provides the ProxyJump option, which simplifies the process of connecting to a remote host via multiple jump hosts by allowing you to specify the intermediate hosts directly on the command line or in the configuration file.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"using-proxy-jump-in-command-line\">Using ProxyJump in Command Line<\/h4>\n\n\n\n<p>On the command line, you can pass the <strong><code>-J<\/code><\/strong> option to the ssh command as a shortcut for the ProxyJump configuration directive.<\/p>\n\n\n\n<p>For example, to SSH into Node D using Node B and then Node C as jump hosts, list the jump hosts in order (Node B &gt; Node C &gt; Node D);<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -J username@nodeB,username@nodeC username@nodeD<\/code><\/pre>\n\n\n\n<p>See example below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -J kifarunix@192.168.56.10,kifarunix@192.168.57.157 kifarunix@192.168.58.154<\/code><\/pre>\n\n\n\n<p>You will be prompted first for the Node B password, then Node C, and finally Node D;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n<strong>kifarunix@192.168.56.10's password: \nkifarunix@192.168.57.157's password: \nkifarunix@192.168.58.154's password:<\/strong>\nWelcome to Ubuntu 22.04.1 LTS (GNU\/Linux 5.15.0-69-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n  System information as of Mon Apr 17 08:46:52 PM UTC 2023\n\n  System load:                      0.0\n  Usage of \/:                       50.7% of 26.98GB\n  Memory usage:                     25%\n  Swap usage:                       0%\n  Processes:                        154\n  Users logged in:                  0\n  IPv4 address for docker0:         
172.17.0.1\n  IPv4 address for docker_gwbridge: 172.18.0.1\n  IPv4 address for enp0s3:          10.0.12.150\n  IPv4 address for enp0s8:          192.168.58.154\n\n * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s\n   just raised the bar for easy, resilient and secure K8s cluster deployment.\n\n   https:\/\/ubuntu.com\/engage\/secure-kubernetes-at-the-edge\n\n61 updates can be applied immediately.\nTo see these additional updates run: apt list --upgradable\n\n\nLast login: Mon Apr 10 14:36:50 2023 from 192.168.59.102\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"using-proxy-jump-in-ssh-config-file\">Using ProxyJump in SSH Config File<\/h4>\n\n\n\n<p>You can also define the configuration in your SSH configuration file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim ~\/.ssh\/config<\/code><\/pre>\n\n\n\n<pre class=\"scroll=sz\"><code>\nHost    nodeD\n        HostName nodeD-IP\n        User USERNAME\n        ProxyJump USERNAME@nodeB-IP,USERNAME@nodeC-IP\n<\/code><\/pre>\n\n\n\n<p>Replace &#8220;nodeB-IP&#8221;, &#8220;nodeC-IP&#8221; and &#8220;nodeD-IP&#8221; with the respective hostnames or IP addresses.<\/p>\n\n\n\n<p>Save the config and exit the config file.<\/p>\n\n\n\n<p>To connect to the remote host using the ProxyJump configuration, simply run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh nodeD<\/code><\/pre>\n\n\n\n<p>Or simply update the config to look like;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim ~\/.ssh\/config<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code> \nHost    nodeB\n        User kifarunix\n        HostName jump_host1_IP\nHost    nodeC\n        User spider\n        HostName jump_host2_IP\n        ProxyJump nodeB\nHost    nodeD\n        User johndoe\n        HostName remote_host_IP\n        ProxyJump nodeC\n<\/code><\/pre>\n\n\n\n<p>Then simply SSH into the remote host using the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh nodeD<\/code><\/pre>\n\n\n\n<p>If you are using SSH keys, it is better to put the configuration in your 
SSH config file as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim ~\/.ssh\/config<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code> \nHost    nodeB\n        HostName nodeB-IP\n        User kifarunix\n        IdentityFile ~\/nodeB.pem\nHost    nodeC\n        HostName nodeC-IP\n        User kifarunix\n        IdentityFile ~\/nodeC.pem\n        ProxyJump nodeB\nHost    nodeD\n        HostName nodeD-IP\n        User kifarunix\n        IdentityFile ~\/nodeD.pem\n        ProxyJump nodeC\n<\/code><\/pre>\n\n\n\n<p>You can then log in to the remote host Node D using the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh nodeD<\/code><\/pre>\n\n\n\n<p>You will get passphrase prompts for all three SSH keys;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Enter passphrase for key '~\/nodeB.pem': \nEnter passphrase for key '~\/nodeC.pem': \nEnter passphrase for key '~\/nodeD.pem':<\/code><\/pre>\n\n\n\n<p>Note that the SSH private key files must reside on the local host (Node A). With ProxyJump, authentication to every hop is performed by your local SSH client, so no private keys need to be stored on the jump hosts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"ssh-to-remote-host-using-ssh-proxy-command-option\">SSH to Remote Host Using SSH ProxyCommand Option<\/h3>\n\n\n\n<p><code>ProxyCommand<\/code> is an SSH option that allows you to specify a command to use as a proxy when connecting to a remote host. 
When this option is set, SSH uses the specified command to establish a connection to the remote host, instead of establishing a direct connection.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"using-proxy-command-ssh-option-in-command-line\">Using ProxyCommand SSH option in Command Line<\/h4>\n\n\n\n<p>To use the ProxyCommand SSH option on the command line, you simply pass the <code>-o ProxyCommand<\/code> option and specify the jump\/proxy hosts.<\/p>\n\n\n\n<p>For example;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -o ProxyCommand='ssh -o ProxyCommand=\"ssh -W %%h:%%p USERNAME@nodeB_IP\" -W %h:%p USERNAME@nodeC_IP' USERNAME@nodeD_IP<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The command above tells SSH to use <code>ssh<\/code> as the proxy command to forward traffic to the <code>nodeB<\/code> then to <code>nodeC<\/code> and finally to <code>nodeD<\/code>.<\/li>\n\n\n\n<li><code>-W<\/code>: This option tells <code>ssh<\/code> to set up a netcat mode communication channel to the target host instead of executing a shell on the remote host.<\/li>\n\n\n\n<li><code>%h<\/code>: This is a placeholder that will be replaced with the hostname of the target host.<\/li>\n\n\n\n<li><code>%p<\/code>: This is a placeholder that will be replaced with the port number of the target host.<\/li>\n\n\n\n<li><code>%%h:%%p<\/code>: In the nested ProxyCommand, <code>%%<\/code> is a literal <code>%<\/code>, so the placeholders are passed through unexpanded to the inner <code>ssh<\/code>, which replaces them with its own target, <code>nodeC<\/code>.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"using-proxy-command-ssh-option-in-ssh-config-file\">Using ProxyCommand SSH option in SSH Config File<\/h4>\n\n\n\n<p>You can define the command in the SSH config file;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim ~\/.ssh\/config<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nHost    nodeB\n        HostName nodeB_IP\n        User USERNAME\n\nHost    nodeC\n        HostName nodeC_IP\n        User USERNAME\n        ProxyCommand ssh -W %h:%p nodeB\n\nHost    nodeD\n        HostName nodeD_IP\n        User USERNAME\n        ProxyCommand ssh -W %h:%p nodeC\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<p>You can then just log in 
to remote host nodeD using the command;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh nodeD<\/code><\/pre>\n\n\n\n<p>You will be prompted to enter the password for nodeB, then nodeC and finally nodeD;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>kifarunix@192.168.56.10's password: \nkifarunix@192.168.57.157's password: \nkifarunix@192.168.58.154's password: <\/code><\/pre>\n\n\n\n<p>Similarly, if you are using SSH keys, you can update the config as follows;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>vim ~\/.ssh\/config<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nHost    nodeB\n        HostName nodeB_IP\n        User USERNAME\n        IdentityFile ~\/nodeB.pem\n\nHost    nodeC\n        HostName nodeC_IP\n        User USERNAME\n        ProxyCommand ssh -W %h:%p nodeB\n        IdentityFile ~\/nodeC.pem\n\nHost    nodeD\n        HostName nodeD_IP\n        User USERNAME\n        ProxyCommand ssh -W %h:%p nodeC\n        IdentityFile ~\/nodeD.pem\n<\/code><\/pre>\n\n\n\n<p>Then just SSH using keys;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh nodeD<\/code><\/pre>\n\n\n\n<p>And that is it.<\/p>\n\n\n\n<p>In this guide, you have learnt how to <a href=\"https:\/\/www.openssh.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">SSH<\/a> to a remote host via multiple jump hosts using;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li class=\"ssh-to-remote-host-using-ssh-proxy-jump-option\"><a href=\"#ssh-to-remote-host-using-ssh-proxy-jump-option\">SSH ProxyJump option<\/a><\/li>\n\n\n\n<li class=\"ssh-to-remote-host-using-ssh-proxy-command-option\"><a href=\"#ssh-to-remote-host-using-ssh-proxy-command-option\">SSH ProxyCommand option<\/a><\/li>\n<\/ol>\n\n\n\n<p>That concludes our guide.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"other-tutorials\">Other Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-configure-ssh-local-port-forwarding-in-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure SSH Local Port Forwarding in 
Linux<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-and-use-clusterssh-on-ubuntu\/\" target=\"_blank\" rel=\"noreferrer noopener\">Install and Use ClusterSSH on Ubuntu 22.04\/Ubuntu 20.04<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-secure-ssh-access-on-linux-servers-using-teleport\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup Secure SSH Access on Linux Servers using Teleport<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this comprehensive guide, we&#8217;ll walk you through the steps to securely SSH to remote host via multiple jump hosts. If you&#8217;re a system administrator<\/p>\n","protected":false},"author":10,"featured_media":16265,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[34,121,362],"tags":[6537,6536,6534,6535,6538,6539],"class_list":["post-16241","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-howtos","category-ssh","tag-how-do-i-set-up-a-jump-host","tag-how-to-access-a-remote-server-using-a-ssh-jump-host","tag-ssh-into-remote-host-via-jump-server","tag-ssh-jump-hosts","tag-ssh-proxy","tag-what-is-the-purpose-of-a-jump-host","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/16241"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=16241"}],"version-history":[{"count":23,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/16241\/revisions"}],"predecessor-version":[{"id":20725,"href":"https:\/\/kifar
unix.com\/wp-json\/wp\/v2\/posts\/16241\/revisions\/20725"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/16265"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=16241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=16241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=16241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}