Comment by tkw01536

4 days ago

I ended up doing something like this for a separate use case (had to host a bunch of Drupal instances, and for some reason end users needed shell access).

For the proxy I did not rely on a “proper” ssh daemon (like openssh), but wrote my own using a go library called gliderlabs/ssh. That in particular allowed me to implement only a tcp forwarding callback [1], and not provide any shell access on a protocol level. Also made deployment nicer - no need for a full VM, just a container was sufficient.

It is also worth noting that the -j can be moved into .ssh/config using the ProxyJump option. It does mean end users need a config file - but it does allow typing just a plain ssh command.

[1] https://pkg.go.dev/github.com/gliderlabs/ssh#ForwardedTCPHan...
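The security-relevant piece of a forward-only jump host like the one described above is the per-user allowlist that decides which destinations a client may open a direct-tcpip channel to. The following is an added example (not the commenter's code and not part of gliderlabs/ssh): a default-deny policy, parsed from a constructed "user host:port" line format, whose Allow method is shaped to be called from gliderlabs/ssh's LocalPortForwardingCallback. Rejecting IP literals so that only named container targets can be reached is an assumption of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// ForwardPolicy maps an SSH username to the "host:port" targets it may forward to.
type ForwardPolicy struct {
	allowed map[string]map[string]bool
}

// ParseForwardPolicy reads lines of the form "user host:port" (constructed
// format for this example; blank lines and '#' comments are ignored).
func ParseForwardPolicy(text string) (*ForwardPolicy, error) {
	p := &ForwardPolicy{allowed: map[string]map[string]bool{}}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, fmt.Errorf("line %d: expected 'user host:port'", n)
		}
		host, port, err := net.SplitHostPort(fields[1])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		// Canonicalise the hostname so "Drupal-Bob." and "drupal-bob" compare equal.
		key := strings.ToLower(strings.TrimSuffix(host, ".")) + ":" + port
		if p.allowed[fields[0]] == nil {
			p.allowed[fields[0]] = map[string]bool{}
		}
		p.allowed[fields[0]][key] = true
	}
	return p, sc.Err()
}

// Allow is the per-request decision; wire it as ssh.Server.LocalPortForwardingCallback
// (return policy.Allow(ctx.User(), host, port)). Unknown users, IP literals and
// destinations not on the user's list are refused.
func (p *ForwardPolicy) Allow(user, dhost string, dport uint32) bool {
	if net.ParseIP(dhost) != nil {
		return false // assumption: only named container targets are permitted
	}
	key := fmt.Sprintf("%s:%d", strings.ToLower(strings.TrimSuffix(dhost, ".")), dport)
	return p.allowed[user][key] // indexing a nil map yields false (default deny)
}
```

Pair this with a ChannelHandlers map that registers only "direct-tcpip" (ssh.DirectTCPIPHandler) and omits "session", so no shell channel exists at the protocol level, as the comment describes.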