Transparent SSH Hopping

Chris Sandrini, Senior System Engineer
Secure Shell (SSH) is a network protocol for secure data communication, mainly used to administer remote Unix / Linux servers from the command line. It also lets the user open a secure tunnel between a client and a server and send any kind of network traffic through it.

Many customers I work for use an SSH hop server that sits behind a firewall. The hop server is the main point of entry to a certain network area, similar to a proxy.

The firewall is configured with port forwarding so that incoming SSH connections go directly to a specific hop server. From there you connect via SSH to another host in order to administer that server from the command line. This kind of setup gives the administrator tighter control over who can connect to a server, and from where.

If you do a lot of work on the servers behind the hop server, going through all the steps for every connection gets tedious: each time you first connect to the hop server and then to the desired remote server. It gets more complicated when you want to send a file from your client to the remote server, because you would have to copy the file to the hop server first and from there to the remote server. Especially for bigger files you may not want to store them on the hop server at all.

OpenSSH has a very useful feature that lets it use the hop server as an SSH proxy, so the intermediate step is handled for you.

Prerequisites

Access to an SSH hop server
nc (netcat) installed on the hop server

On your client, create a new file called ~/.ssh/config with the following content:
Host amberJump
  Port 22
  User amber
Host vxs01
  ProxyCommand ssh -q amberJump nc vxs01 22

Host vxs02
  ProxyCommand ssh -q amberJump nc vxs02 22

Host vxs03
  ProxyCommand ssh -q amberJump nc vxs03 22

The first entry defines the hop server amberJump, which is reached through the firewall's port forwarding. The three entries that follow define hosts whose connections are to be routed through amberJump.

The ProxyCommand
ProxyCommand tells the SSH client to start the given command and use its standard input and output as the transport for the SSH connection, instead of opening a TCP socket itself. Here that command is an SSH session to amberJump which runs nc (netcat) there; nc opens a TCP connection from the hop server to port 22 of the target host and relays data between that connection and its standard input/output. The -q flag suppresses the inner ssh's warning and diagnostic messages.
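The same hop without a separate entry per host and without depending on nc being installed on the hop server, as an added example that is not from the original article: the -W option (OpenSSH 5.4 and later) makes the ssh client itself relay its standard input/output to the target's host:port, and ProxyJump (OpenSSH 7.3 and later) expresses the whole hop in one directive. The host names amberJump and vxs01..03 are the article's; the wildcard pattern vxs* is an assumption about the naming scheme.

```sshconfig
# Added example, not from the original article. Assumes the hop server is
# reachable as amberJump and that all internal hosts match the pattern vxs*.
Host amberJump
  Port 22
  User amber

# Variant 1: -W replaces nc, so the hop server needs no extra tools.
# %h and %p expand to the hostname and port of the entry being connected to.
Host vxs*
  ProxyCommand ssh -q -W %h:%p amberJump

# Variant 2 (OpenSSH 7.3+): ProxyJump does the same thing in one line.
# Uncomment these two lines and remove the ProxyCommand block above to use it.
#Host vxs*
#  ProxyJump amberJump
```

With either variant the client still performs host key verification for both the hop server and the final host, so each vxs host gets its own known_hosts entry just as it would on a direct connection; a changed key on the target is reported the same way.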

Now you can SSH or SCP directly to the alias:
ssh vxs01

scp /some/file vxs01:/some/file

Reusing Connections

You can speed up the connection process by enabling connection reuse. Only the first connection to serverB then takes a few seconds longer; as long as that connection stays open, all further connections to the same host are established much more quickly over it.

Now add the following two lines to your ~/.ssh/config file, just below the User amber line:
ControlMaster auto
ControlPath   /tmp/%h_%p_%r

SSH will then create a control socket file in your /tmp directory for each master connection to keep track of your running connections. The tokens in ControlPath are expanded per connection:

%h is the hostname
%p the port
%r the remote user name

The complete entry then looks like this:
Host amberJump
  Port 22
  User amber
  ControlMaster auto
  ControlPath   /tmp/%h_%p_%r

If you want connection reuse for all of your SSH connections, put these two lines at the very top of the file, outside any Host section, so they apply to every host. You can also repeat them inside any Host section where you want a different socket path for that host.
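A variant of the multiplexing settings that keeps the control sockets out of the shared /tmp directory, as an added example that is not from the original article. A control socket is a Unix-domain socket, and anyone who can connect to it gets a session on the remote host under your identity, so it belongs in a directory only you can read. The %C token (OpenSSH 6.7 and later) is a hash of the local host, remote host, port and user; it keeps the path short and does not write target names into the file names. ControlPersist keeps the master connection alive in the background after the first session ends; the 10-minute value is an assumption. Assumes ~/.ssh/sockets has been created with mode 0700 (for example with mkdir -m 700 ~/.ssh/sockets) and uses the article's host names with the vxs* wildcard as an assumed naming scheme.

```sshconfig
# Added example, not from the original article.
# These three lines sit at the top of ~/.ssh/config, outside any Host block,
# so they apply to every host, including the hop itself: the tunnel to
# amberJump is reused as well, which is where most of the time is saved.
ControlMaster  auto
ControlPath    ~/.ssh/sockets/%C
ControlPersist 10m

Host amberJump
  Port 22
  User amber

# All internal hosts are reached through amberJump (assumed naming scheme).
Host vxs*
  ProxyCommand ssh -q -W %h:%p amberJump
```

To see which sockets are currently open, list ~/.ssh/sockets; ssh -O check vxs01 asks the master for a given host whether it is still alive, and ssh -O exit vxs01 shuts it down explicitly when you are done.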

What have we achieved? Technically we connect exactly the same way as we would without this configuration: our connection is still routed through amberJump (the hop server). The only difference is that OpenSSH performs the intermediate step for us. It also lets us transfer files "directly" to the destination host (the file is still relayed through the hop server, but it is never stored there).

Comments (1)

Congratulations; your article has been published. Thank you for a nice explanation.

Page Editor
