Comment by chasil

12 hours ago

The article mentions bastions, but no jumphosting?

  ssh -J user1@bastion1,user2@bastion2 targetuser@targethost

Edit: Jumphosting was introduced in OpenSSH 7.3 2016-08-01.

https://www.openssh.org/releasenotes.html

8 comments

chasil

Reply
idatum  2 hours ago

What I've found beautiful about -J is the host you jump through requires no privileges on the final host. Only my laptop has the SSH key to access my home server, not my cheap VPS.

And this allows me to have zero open ports on my home internet. I do a reverse tunnel to my VPS from my home server (in a FreeBSD jail), and that port is what my laptop client jumps through.

dspillett  12 hours ago

It is surprising how many times I see this content (this version might be marked “Published: Jun 19, 2026” but I've definitely seen those exact diagrams before, starting at least a few years ago, and the same content around them in many tutorials before that) without it being updated to mention jump-hosts.

Support was added to OpenSSH about a decade ago? Even on a low moving Linux distro like Debian/LTS everyone should have support by now.

05  5 hours ago

And with match/exec rules you can always connect to MyHost and make it conditional whether to use a jumphost or not, so it's like an on demand vpn.. only with ssh.

    Match host="MyHost" exec "! grep Home ~/.wifi-loc-control/.current"
    ProxyJump home-jumphost.mydomain.tld

saltcured  7 hours ago

For me, this is always used via ProxyJump rules in my ~/.ssh/config

It is also nice that it works recursively, so I can logically structure my rules so that the one for my regular targets say to use bastion1, then the rule for bastion1 says to go via bastion 2, etc.

I find this easier to reason about and maintain rather than juggling a bunch of these multi-step rules.

m348e912  8 hours ago

>ssh -J user1@bastion1,user2@bastion2 targetuser@targethost

Are you using SSH key auth or password authenticating three times when you do this?

  • chasil  7 hours ago

    If you don't have an agent running with an accessible key, then you will get three password prompts, with suggestions for any default keys.

    The final target is a pre-elliptic curve OpenSSH server, so legacy is enabled. I could probably have removed that for clarity.

      C:\Users\me\>ssh -J me@bhost1,me@bhost2 -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=ssh-rsa -o MACs=hmac-sha1 oracle@target
  Enter passphrase for key 'C:\Users\me/.ssh/id_ed25519':
  me@host1's password:
  Enter passphrase for key 'C:\Users\me/.ssh/id_ed25519':
  me@host2's password:
  oracle@target's password:
  Last login: Wed Jun 24 13:29:55 2026 from bhost2

    That client is Microsoft's port of OpenSSH.

  • saltcured  7 hours ago

    I always use keys in my SSH agent.

    Because the jump mechanism works via use of TCP forwarding, each host authn step is talking "directly" to your client. Importantly, this means it still works without requiring "agent forwarding" for the connection you are making.