ssh login with a tunnel through intermediate server in a single command?

Is there a way in a single SSH command to login via SSH to a remote server passing through an intermediate server? In essence, I need to create a tunnel to my “bridge server” and via the tunnel to login to the remote server.

For example, I’m trying to compress the following into a single ssh command:

  1. ssh -N -L
  2. ssh -p 2222 remote_userid@localhost

This currently works, but I would rather be able to squeeze everything into a single command such that if I exit my ssh shell, my tunnel closes at the same time.

I have tried the following in my config but to no avail:

Host axp
  User          remote_userid
  IdentityFile  ~/.ssh/id_rsa.eric
  ProxyCommand  ssh -W %h:%p

As per @jasonwryan comments and the transparent-mulithop link, I’m able to get the following command working:

ssh -A -t ssh -A

but now I would like to package that up neatly into my .ssh/config file, and not quite sure what I need to use as my ProxyCommand. I’ve seen a couple of links online as well as @boomshadow’s answer that requires nc, but unfortunately the AIX server I’m using as my bridge machine does not have netcat installed on it.

Asked By: Eric B.


The ProxyCommand is what you need. At my company, all the DevOps techs have to use a “jumpstation” in order to access the rest of the VPC’s. The jumpstation is VPN access-controlled.

We’ve got our SSH config setup to automatically go through the jumpstation automatically.

Here is an edited version of my .ssh/config file:

Host *
User jacob
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -q -A jacob@company-internal-jumphost  nc -q0 %h %p

Every time I do an ‘ssh’ to a server on that ‘internal’ subdomain, it will automatically jump through the jumpstation first.

Here is the entire section of the .ssh/config for the ‘Internal’ VPC for us to log into it:

# Internal VPC
Host company-internal-jumphost
   Hostname 10.210.x.x  #(edited out IP for security)
   IdentityFile ~/.ssh/id_rsa
Host 10.210.*
   User ubuntu
   IdentityFile ~/.ssh/company-id_rsa
   ProxyCommand ssh -q -A jacob@company-internal-jumphost  nc -q0 %h %p
Host *
   User jacob
   IdentityFile ~/.ssh/id_rsa
   ProxyCommand ssh -q -A jacob@company-internal-jumphost  nc -q0 %h %p
Answered By: BoomShadow

If OpenSSH 7.3 or later is used then you can use ProxyJump like this:

$ ssh -o ProxyJump=user1@gateway user2@remote

If either user is omitted then the local user is implied.

A variation on the indirect login theme is indirect file transfer. You can use scp and rsync with indirect ssh to copy files through the intermediate server.

To copy through the gateway using scp:

$ scp -oProxyJump=root@gateway myfile user@remote:path

If user is omitted, the local user is used.

The ProxyJump was introduced in OpenSSH 7.3. An alternative is to use ProxyCommand:

$ scp -oProxyCommand="ssh -W %h:%p root@gateway" myfile user@remote:path

To copy through the gateway using rsync:

$ rsync -av -e 'ssh -o "ProxyJump root@gateway"' myfile user@remote@path


$ rsync -av -e 'ssh -o "ProxyCommand ssh -A root@gateway -W %h:%p"' myfile user@remote@path

I paraphrase other answers (on superuser) that cover indirect scp and indirect rsync in more detail.

Answered By: starfry

If you only need an SSH connection via another machine, there’s no need to either create a tunnel or edit .ssh/config.

The easiest command I could find is using "jump host" ssh argument

ssh -J

Note: this feature is supported starting with OpenSSH 7.3, released on 2016-08-01

Answered By: Jean Spector
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.