Bastion / Jump Host SSH Config
Configure SSH to connect through a bastion (jump) host to reach internal servers. Uses ProxyJump for modern, clean multi-hop SSH connections.
Detailed Explanation
Bastion Host SSH Configuration
A bastion host (or jump host) acts as a gateway to internal servers that are not directly accessible from the internet. Configuring ProxyJump in your SSH config lets you reach internal servers with a single ssh command.
Example Config
Host bastion
HostName bastion.example.com
User admin
Port 22
IdentityFile ~/.ssh/id_ed25519_bastion
IdentitiesOnly yes
ServerAliveInterval 60
Host internal-web
HostName 10.0.1.10
User deploy
ProxyJump bastion
IdentityFile ~/.ssh/id_ed25519_internal
IdentitiesOnly yes
Host internal-db
HostName 10.0.1.20
User dbadmin
ProxyJump bastion
IdentityFile ~/.ssh/id_ed25519_internal
IdentitiesOnly yes
How ProxyJump Works
When you run ssh internal-web:
- SSH first connects to bastion using its configuration
- Through that connection, it opens a tunnel to 10.0.1.10
- Your terminal is connected to the internal server as if directly
The bastion only forwards the TCP connection. The SSH session to the internal server, including key authentication, is negotiated end-to-end between your client and the internal host, so the bastion never sees your private key for that server.
Multi-Hop Jumps
You can chain multiple jump hosts:
Host deep-internal
HostName 10.10.1.5
ProxyJump bastion,internal-web
Legacy ProxyCommand Equivalent
For older OpenSSH versions (before 7.3) that don't support ProxyJump:
Host internal-web
HostName 10.0.1.10
ProxyCommand ssh -W %h:%p bastion
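To make the chain resolution described above concrete, here is an added example (not code from the page or from OpenSSH) that parses a client config, walks each host's ProxyJump chain in the order ssh visits it, renders the page's legacy ProxyCommand form for the immediate hop, and flags the mistakes a bastion setup tends to accumulate: a jump-host loop, a hop that is not a defined Host stanza, and a stanza without IdentitiesOnly yes. The config it reads is constructed inline (the page's hosts plus two deliberately broken stanzas, "loopy" and "typo"); the parser is an assumption that handles plain Host stanzas only, with no Match, wildcards or Include.

```python
import re

# Constructed sample client config: the hosts from the page plus two deliberately
# broken stanzas ("loopy" jumps through itself, "typo" jumps through an undefined alias).
SAMPLE_CONFIG = """
Host bastion
    HostName bastion.example.com
    User admin
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

Host internal-web
    HostName 10.0.1.10
    User deploy
    ProxyJump bastion
    IdentityFile ~/.ssh/id_ed25519_internal
    IdentitiesOnly yes

Host deep-internal
    HostName 10.10.1.5
    ProxyJump bastion,internal-web

Host loopy
    HostName 10.0.9.9
    ProxyJump loopy

Host typo
    HostName 10.0.1.30
    ProxyJump bastoin
"""


def parse_ssh_config(text):
    """Minimal ssh_config parser (assumed, not OpenSSH's): {alias: {keyword: value}}.
    Plain 'Host alias' stanzas only; like ssh, the first value for a keyword wins."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)
    return hosts


def _hop_alias(hop):
    """Strip an optional user@ prefix and :port suffix from a ProxyJump entry."""
    return hop.strip().rsplit("@", 1)[-1].split(":", 1)[0]


def jump_chain(hosts, alias, _visiting=()):
    """Ordered aliases ssh visits before reaching `alias`.

    'ProxyJump a,b' means: reach a (honouring a's own ProxyJump), then b through a,
    then the target through b. Only the first hop's configured chain is expanded;
    later hops are reached with -J, which overrides their own ProxyJump setting.
    Raises ValueError on a jump-host loop (ssh itself aborts on these).
    """
    if alias in _visiting:
        raise ValueError(f"jumphost loop via {alias}")
    raw = hosts.get(alias, {}).get("proxyjump", "none")
    if raw.lower() == "none":
        return []
    hops = [_hop_alias(h) for h in raw.split(",") if h.strip()]
    return jump_chain(hosts, hops[0], _visiting + (alias,)) + hops


def hop_addresses(hosts, alias):
    """HostName of every hop in order, ending with the target itself.
    A hop with no stanza is used literally, as ssh would treat it."""
    def addr(name):
        return hosts.get(name, {}).get("hostname", name)
    return [addr(h) for h in jump_chain(hosts, alias)] + [addr(alias)]


def legacy_proxycommand(hosts, alias):
    """ProxyCommand line in the page's pre-7.3 style, via the immediate hop.
    In a legacy config, earlier hops of a multi-hop chain live in that hop's
    own ProxyCommand stanza. Returns None for hosts reached directly."""
    chain = jump_chain(hosts, alias)
    return f"ssh -W %h:%p {chain[-1]}" if chain else None


def audit(hosts):
    """{alias: [issue, ...]} for stanzas that break the page's pattern:
    loop-free chain, every hop defined as a Host, IdentitiesOnly yes."""
    issues = {}
    for alias, stanza in hosts.items():
        found = []
        try:
            found += [f"undefined-hop:{h}" for h in jump_chain(hosts, alias)
                      if h not in hosts]
        except ValueError:
            found.append("jumphost-loop")
        if stanza.get("identitiesonly", "no").lower() != "yes":
            found.append("identitiesonly-not-set")
        if found:
            issues[alias] = found
    return issues


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for alias in cfg:
        try:
            print(f"{alias:14} path: {' -> '.join(hop_addresses(cfg, alias))}")
        except ValueError as e:
            print(f"{alias:14} ERROR: {e}")
    print("legacy internal-web:", legacy_proxycommand(cfg, "internal-web"))
    print("audit:", audit(cfg))
```

Run it against a real ~/.ssh/config by replacing SAMPLE_CONFIG with the file's contents; for deep-internal it prints the path bastion.example.com -> 10.0.1.10 -> 10.10.1.5, and the audit reports deep-internal for the missing IdentitiesOnly, loopy for the loop and typo for the undefined hop.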
Security Benefits
- Internal servers have no public IP addresses
- All access is funneled through a single, auditable entry point
- The bastion can enforce MFA and logging
- Network ACLs restrict direct access to internal subnets
Use Case
Infrastructure teams that secure internal servers behind a bastion host, requiring engineers to hop through the gateway to reach development, staging, or production environments.