ProxyJumping is a method used to get access to a terminal in a private network via SSH.
First, you SSH into a JumpGate (a SSH server exposed to the internet), and then use that JumpGate to pass through a SSH connection to a machine on the JumpGate's local network. By the end of this guide, you should be able to seamlessly connect to a remote private host through a JumpGate with one parameter in a ssh command.
Security should always be paramount when establishing connections like this because the password of a JumpGate can and will be brute-forced by bots on the internet constantly.
The provided client-side commands are intended for PowerShell. Open PowerShell by right-clicking on the start menu button and selecting Windows Powershell.
The ProxyJump in this tutorial is using a bash shell with linux binaries. If the proxyjump server is Windows-based, some commands don't work in CMD, so you will need to use powershell instead.
Create a file at ~\.ssh\config (if it doesn't exist), and add the following lines to it (with placeholders changed).
Host JumpGate
User {USERNAME}
HostName {HOSTNAME}
With this in the config file, you can now log into the remote host with a simple command; ssh JumpGate!
To avoid inputting a password each time you connect, you can generate public and private keys for each machine involved in the connection.
- Create a public/private RSA key pair for each machine you plan to use to connect to the JumpGate with the following command;
PS C:\Users\User> ssh-keygen
# stick with all the default settings when prompted
# creates the following files;
# ~\.ssh\id_rsa
# ~\.ssh\id_rsa.pub- Add the public key for each client to the JumpGate.
PS C:\Users\User> $command = 'echo "{0}" >> ~/.ssh/authorized_keys' -f $(cat ~/.ssh/id_rsa.pub)
PS C:\Users\User> ssh JumpGate $command
# This command reads your public key, and appends it to .ssh/authorized_keys on the jumpgate.You should now be able to run the following command without being prompted for a password.
ssh JumpGateThe goal of this step is to be able to specify the names of any machines in the private network that the JumpGate is connected to, and connect to them with one command on the client machine.
- Add the connection details to .ssh/config
Host ProxyJumpTarget
User www-data # the username used to login to the target machine
HostName webserver # could also be 192.168.1.100, for example
ProxyCommand C:\Windows\System32\OpenSSH\ssh.exe -Y {PROXYJUMP USERNAME}@{PROXYJUMP HOSTNAME} -W %h:%p
# A function call within ssh currently requires an absolute directory to SSH in Windows 10.
Note: Using ProxyCommand like this is an inelegant solution, ideally, we'd be using ProxyJump, like the following example, but issues with OpenSSH for Windows are currently preventing this.
# An alternative we can hopefully use in the future
Host ProxyJumpTarget
User www-data # the username used to login to the target machine
HostName webserver # could also be 192.168.1.100, for example
ProxyJump ProxyJump # points to the existing config for Host ProxyJump, reduces redundancy
With this, you should now be able to seamlessly connect to a private host in the ProxyJump network with the command below.
ssh ProxyJumpTarget- You can rince and repeat with more private hosts or setup passwordless authentication with the remote host as a next step. The process is identical, just with different hostnames.
- Once you're confident your key-based authentication is complete, you can consider disabling password authentication in the JumpGate SSH Server completely. Note that you will always need access to one working authenticated client to authenticate any new clients in future.