Tue Feb 20 2018 #ssh #ubuntu

New In Ubuntu 18.04 -- SSH ProxyJump

Ubuntu 18.04 LTS is planned for release soon. I’m looking forward to the inclusion of an upgraded openssh-client package. It will finally support the ProxyJump feature, which gives you an easy way to configure ssh to connect by way of jump hosts. It’s been available on Mac for years.

# $HOME/.ssh/config
Host *.example.com
    ProxyJump j@jumper.acme.com:12345

In today’s world of perimeter security, mergers & acquisitions, moonlighting, and defense-in-depth networking, you may find yourself doing several ssh hops to get from your workstation to a target host you need to inspect or manage:

                       /----------\      /-----------\
  /-------------\      |    my    |      | client's  |      /--------\
  | workstation |------| jump box |------| perimeter |------| target |
  \-------------/      |          |      | jump box  |      \--------/
                       \----------/      \-----------/

ProxyJump makes that easier than ever. Unlike the older ways of doing this, the configuration is easy to understand, too.

# $HOME/.ssh/config
Host jumper
    Hostname jumper.acme.com
    User j
    Port 12345
    ForwardAgent yes
Host ssh-perimeter.example.com
    User jeffwheeler
    ForwardAgent yes
Host target.example.com
    ProxyJump jumper,ssh-perimeter.example.com

Notice the two ProxyJump hosts, jumper and ssh-perimeter, separated by a comma. That’s all there is to setting up a chain of multiple jumps.

It’s also easy to configure options associated with each host in the list, such as the non-standard ssh port 12345 for jumper, or the different usernames that may be assigned to you by the administrator of the target org.
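
ProxyJump authenticates every hop from the workstation through the tunnelled connection, so the hops themselves work without ForwardAgent, and an agent forwarded to a jump box can be used by anyone with root on that box while you are connected. The following added example (not code from the original post) is a simplified ssh_config reader that lists the ProxyJump hops for a target that have agent forwarding enabled. It assumes plain * and ? Host patterns with no negation, Match or Include, and its function names are illustrative.

```python
import fnmatch
import re

# Constructed sample: the post's multi-hop config, trimmed to the relevant options.
SAMPLE_CONFIG = """\
Host jumper
    Port 12345
    ForwardAgent yes
Host ssh-perimeter.example.com
    User jeffwheeler
    ForwardAgent yes
Host target.example.com
    ProxyJump jumper,ssh-perimeter.example.com
"""

def parse_config(text):
    """Return [(host_patterns, {option: value})] in file order, option names lowercased."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        # ssh_config accepts both "Key value" and "Key=value"
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value obtained wins
    return blocks

def effective(blocks, host, option):
    """First block that matches host and sets option wins, as in ssh_config(5)."""
    return next((opts[option] for patterns, opts in blocks if option in opts
                 and any(fnmatch.fnmatchcase(host, p) for p in patterns)), None)

def jump_hops(blocks, target):
    """Host names in the target's ProxyJump chain, with user@ and :port removed."""
    chain = effective(blocks, target, "proxyjump") or "none"
    if chain.lower() == "none":
        return []
    return [h.strip().rsplit("@", 1)[-1].split(":", 1)[0] for h in chain.split(",")]

def forwarding_hops(blocks, target):
    """Jump hosts for target whose effective ForwardAgent is anything but 'no'."""
    return [h for h in jump_hops(blocks, target)
            if (effective(blocks, h, "forwardagent") or "no").lower() != "no"]

if __name__ == "__main__":
    for hop in forwarding_hops(parse_config(SAMPLE_CONFIG), "target.example.com"):
        print(f"{hop}: ForwardAgent is enabled on a ProxyJump hop")
```
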

If you’re not sure whether your OS supports ProxyJump, you can check your ssh manual page (man ssh) or see whether your version of OpenSSH is 7.3 or higher:

jsw@athena:~$ ssh -V
OpenSSH_7.6p1, LibreSSL 2.6.2