Short definition
ProxyJump is an SSH configuration directive that routes a connection through one or more intermediate hosts to reach a target server, without exposing your private key to those intermediate hosts.
Extended definition
In infrastructure setups where internal servers have no public IP, you need a way to reach them from outside the network. ProxyJump instructs the SSH client to first connect to an intermediate host (typically a bastion), and then tunnel the connection onward to the target server from there. The key distinction from the older SSH agent forwarding approach is that ProxyJump creates a raw TCP tunnel through the bastion rather than forwarding your authentication credentials to it. The bastion never sees your private key, which means a compromised bastion cannot be used to impersonate you on other servers.
Deep technical explanation
How the tunnel works: ProxyJump uses the SSH netcat mode internally. The client connects to the bastion over SSH, then instructs the bastion to open a raw TCP connection to the target host and port. The client’s SSH session to the target runs entirely through this TCP tunnel. From the target server’s perspective, the connection arrives from the bastion’s internal IP.
SSH config syntax: ProxyJump can be set per-host in ~/.ssh/config:
    Host internal-*
        ProxyJump [email protected]
        IdentityFile ~/.ssh/fleet_key
This means any host matching internal-* automatically routes through the bastion without any extra flags.
Command line syntax: For one-off connections: ssh -J [email protected] [email protected]
Chaining multiple jumps: ProxyJump supports chaining: ssh -J bastion1,bastion2 target, for networks that require traversing multiple intermediate hosts.
Comparison to agent forwarding: Agent forwarding (ForwardAgent yes) passes your SSH agent socket to the intermediate host, allowing it to use your key for onward authentication. This is convenient but dangerous. A root user on the bastion can use your forwarded agent to authenticate as you anywhere. ProxyJump eliminates this risk entirely.
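The contrast above suggests a simple audit: find the Host blocks in an SSH config that still enable agent forwarding and note whether they already use ProxyJump. This is an added example, not code from the original page. The host names in the sample config are constructed placeholders, and the check works per block, so it does not resolve Include files or overlapping Host patterns.

```python
import re

# Constructed sample ~/.ssh/config; host names are placeholders, fleet_key is from the page.
SAMPLE_CONFIG = """\
Host bastion
    HostName bastion.example.com

Host legacy-*
    ForwardAgent yes

Host staging-*
    ProxyJump bastion
    ForwardAgent yes

Host internal-*
    ProxyJump bastion
    IdentityFile ~/.ssh/fleet_key
    ForwardAgent no
"""

# ssh_config accepts both "Key value" and "Key=value"
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")

def parse_blocks(text):
    """Split ssh_config text into (label, options) pairs, one per Host/Match block."""
    blocks = [("(global)", {})]  # options before the first Host line
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            blocks.append((f"{m.group(1)} {value}", {}))
        else:
            # ssh keeps the first value it obtains for each option
            blocks[-1][1].setdefault(key, value)
    return blocks

def audit(text):
    """Return (block label, uses_proxyjump) for each block that enables agent forwarding."""
    findings = []
    for label, opts in parse_blocks(text):
        # ForwardAgent takes yes, no, a socket path or $VAR; only "no" turns it off
        if opts.get("forwardagent", "no").lower() != "no":
            findings.append((label, "proxyjump" in opts))
    return findings

if __name__ == "__main__":
    for label, has_jump in audit(SAMPLE_CONFIG):
        fix = "remove ForwardAgent" if has_jump else "switch to ProxyJump"
        print(f"{label}: agent forwarding enabled -> {fix}")
```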
Practical examples
- An engineer’s SSH config routes all 10.* addresses through the bastion automatically, so ssh 10.0.1.45 works from anywhere on the VPN without manual tunnel setup
- A Fabric-based fleet management tool uses ProxyJump in its SSH config to reach all internal nginx servers through the bastion in parallel
- A CI/CD pipeline uses ssh -J to deploy to private servers without those servers needing public IPs
Why it matters
ProxyJump is the correct, secure pattern for reaching servers behind a bastion. It is simpler than manual tunneling, safer than agent forwarding, and composable enough to handle complex multi-hop network topologies. Any infrastructure that uses a bastion host should be using ProxyJump.