SSH jump hosts are generally used as gateways into other networks, whether thats entering a DMZ or ensuring your session comes from a trusted IP. They should be seamless when done right, using the
ProxyCommand for example. They can also be done very poorly, looking at you Agent Forwarding. Dynamic jump hosts are useful so you don’t have to create multiple separate
host entries in your
Let’s play out a scenario. You have several hosts named
web-10.example.com that are hosted in
dc1 only allows SSH connections from your office IP (which you aren’t currently in) and from your jump host (
jump-01.example.com). You can either enter a separate line for each and every host in your
.ssh/config file like this:
Host web-01.example.com ProxyCommand ssh firstname.lastname@example.org nc %h %p Host web-02.example.com ProxyCommand ssh email@example.com nc %h %p
Or you could also do a wildcard host like this:
Host web-* ProxyCommand ssh firstname.lastname@example.org nc %h %p
But that assumes that you only have machines named
web-* available via that single jump host and the jump host will be used even when you’re in the office.
What if we place the wildcard somewhere else? If you combine
sed and the
ProxyCommand you can use have dynamic jump hosts with a single config for the whole DC. Checkout the example below.
Host *-via-dc1 ProxyCommand ssh email@example.com nc $(echo %h | sed 's/-via-dc1$//') %p
This means when you’re in the office you can SSH to
web-01.example.com and get to the server directly. When you’re outside the office and need to come from a trusted IP you just change the host and SSH to
web-01.example.com-via-dc1 and boom! You’re going through your jump host.