SSH ProxyJump：跳板机配置最佳实践

1

本地 → 跳板机 → 目标主机

1

ssh -J jumpuser@jumphost targetuser@targethost

1
2

# 通过 jump.example.com 连接 target.example.com
ssh -J root@jump.example.com root@target.example.com

1
2

# 本地 → jump1 → jump2 → target
ssh -J user1@jump1,user2@jump2 user3@target

1
2
3
4

Host target
    HostName target.example.com
    User root
    ProxyJump jump.example.com

1

ssh target

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

Host jump
    HostName jump.example.com
    User jumpuser
    IdentityFile ~/.ssh/jump_key

Host target
    HostName target.example.com
    User targetuser
    ProxyJump jump
    IdentityFile ~/.ssh/target_key

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

Host jump1
    HostName jump1.example.com
    User user1

Host jump2
    HostName jump2.example.com
    User user2
    ProxyJump jump1

Host target
    HostName target.example.com
    User user3
    ProxyJump jump2

1

ssh -J jump.example.com target.example.com

1
2

Host target
    ProxyJump jump

1

ssh -o ProxyCommand="ssh -W %h:%p jump.example.com" target.example.com

1
2

Host target
    ProxyCommand ssh -W %h:%p jump.example.com

1

scp -J jump.example.com file.txt target.example.com:/path/

1

sftp -J jump.example.com target.example.com

1
2

scp file.txt target:/path/
sftp target

1

ssh -J jump.example.com -L 3306:localhost:3306 target.example.com

1

ssh -J jump.example.com -D 1080 target.example.com

1
2
3

Host jump
    IdentityFile ~/.ssh/jump_ed25519
    IdentitiesOnly yes

1
2
3
4
5
6

# /etc/ssh/sshd_config on jump host
Match User jumpuser
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTTY no
    ForceCommand none

1
2

# 签发跳板机证书
ssh-keygen -s ca_key -I jump_user -V +52w jump_user_key.pub

1
2
3
4
5
6

# 检查跳板机可达性
ping jump.example.com
ssh jump.example.com "echo OK"

# 详细输出
ssh -vJ jump.example.com target.example.com

1
2
3
4
5

# 指定密钥
ssh -i ~/.ssh/my_key -J jump.example.com target.example.com

# 检查 config
ssh -G target | grep -i proxy

1
2

ssh -V
# 需要 OpenSSH 7.3+ 才支持 -J