DevOps Blog - Nicolas Paris

Use SSH ProxyJump with Bastion Host


For security reasons, you might want to connect to a production server through a bastion host. This is a common patter for production server administration.

You don't want to leave any private key on the bastion host, you want to keep on your computer or VM you use for administration. With few configurations on the ssh config file you can automate this behavior.

First, let's define the bastion in your ~/.ssh/config file

Host bastion
  User myuser
  Port 22
  ForwardAgent yes

On the same file, you can add the production server.

In case you are not familiar with Bastion Host, the production server should not be accessible via SSH on public IP, only private IP, with filter on the bastion IP.

Host prodserv
  User myuser
  ProxyJump bastion

Your public key should be on both server in the ~/.ssh/authorized_keys file.

Once this is done, you can connect to your server with the following command line.

ssh prodserv