🐧 4 ways to connect to SSH and SCP via proxy server (jump) on Linux

In this tutorial, we will learn how to use SSH or SCP through a proxy server (jump host).

SCP via proxy

Method 1: using scp with ProxyJump

With openssh package version 7.4p1-11 or newer, we can use the ProxyJump option to transfer files through a proxy server.

The scp command syntax for proxy file transfers is:

# scp -o "ProxyJump <User>@<Proxy-Server>" <File-Name> <User>@<Destination-Server>:<Destination-Path>

For example:

# scp -o "ProxyJump [email protected]" dataFile.txt  [email protected]:/tmp
[email protected]'s password: 
[email protected]'s password: 
dataFile.txt

Where my proxy is 10.23.100.70 and the target server is 192.168.10.100.

Method 2: using scp with ProxyCommand

SCP uses ssh as its main protocol and hence we can use ssh options along with scp commands.

The syntax for using the ProxyCommand option with the scp command is:

# scp -o "ProxyCommand ssh <user>@<Proxy-Server> nc %h %p" <File-Name> <User>@<Destination-Server>:<Destination-Path>

Where:

  • %h will be replaced with the hostname to connect to
  • %p will be replaced with the port

When using the ProxyCommand parameter, make sure the nmap-ncat package, which provides the nc command, is installed on the proxy server. Otherwise you will receive the following error message:

bash: nc: command not found
ssh_exchange_identification: Connection closed by remote host
lost connection

For example:

# scp -o "ProxyCommand ssh [email protected] nc %h %p" dataFile.txt  [email protected]:/tmp
[email protected]'s password: 
[email protected]'s password: 
dataFile.txt                                                                                     100%    5     0.0KB/s   00:00

Where my proxy is 10.23.100.70 and the target server is 192.168.10.100.

SSH through a proxy server

Method 1: pass ProxyCommand using ssh parameters

We can again use ProxyCommand to log in over SSH to another server through a proxy server.

The syntax for SSH over a proxy will be as follows:

# ssh -o "ProxyCommand ssh proxy_user@hostname_or_IP_of_proxy nc %h %p" user@hostname_or_IP_of_server

Example: log in as the root user at 192.168.10.100 through the proxy at 10.23.100.70, using the proxy credentials for proxy_user.

# ssh -o "ProxyCommand ssh proxy_user@10.23.100.70 nc %h %p" root@192.168.10.100
proxy_user@10.23.100.70's password: 
root@192.168.10.100's password: 
Last login: Tue Dec 24 10:40:33 2019 from 10.23.100.70

# ip a l | grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.10.100/24 brd 192.168.1.255 scope global eth0

If the nc command is not installed on the proxy server, or you do not have proxy login credentials, but a proxy service such as squid is running on the proxy server that will accept SSH connections, you can use the following command.

Please note that this method requires you to have the nc command installed on your local / client system.

# ssh -o "ProxyCommand nc --proxy hostname_or_IP_of_proxy:proxy_service_port --proxy-type http %h %p" user@hostname_or_IP_of_server

For example, to log in as root on 192.168.10.100 through a proxy service listening on port 3128 on 10.23.100.70, where the proxy service does not require any credentials:

# ssh -o "ProxyCommand nc --proxy 10.23.100.70:3128 --proxy-type http %h %p" root@192.168.10.100
root@192.168.10.100's password: 
Last login: Tue Dec 24 10:40:46 2019 from 10.23.100.70

# ip a l | grep eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.10.100/24 brd 192.168.1.255 scope global eth0

Method 2: Using an ssh client config file

We discussed the SSH client config file in detail in these articles:

  • How to check the configuration of the OpenSSH client
  • How to use SSH configuration for each Linux host

So instead of providing all the options as input arguments for SSH, we can also use the SSH client config file.

Edit the ~/.ssh/config file as shown below:

# vim ~/.ssh/config 
...
Host <nickname>
HostName <hostname_of_server>
User <user_on_server>
ProxyCommand ssh <user_on_server>@<proxy_server> nc %h %p

If this file already has content, you will need to add the above to the end of the file.

Where:

  • <nickname>: sets the alias for the target server
  • <hostname_of_server>: sets the real name of the remote server / host
  • <user_on_server>: the real user that exists on the target server
  • <proxy_server>: IP or hostname of the proxy server
  • %h will be replaced with the hostname to connect to
  • %p will be replaced with the port

Then you can run SSH with the verbose parameter to check the configuration:

# ssh -vvv <target_server>
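
The config-file method above can also be scripted. The following is an added example, not part of the original tutorial, and its function names are hypothetical: it appends a jump-host stanza to an ssh config file, validates every value first because ProxyCommand is executed through the user's shell, and offers "ssh -W %h:%p" as a ProxyCommand form that does not need nc on the proxy.

```shell
# Added example, not from the original tutorial. Function names are
# hypothetical; the hosts and users passed to it are the caller's own.

# Accept only characters that are safe both as an ssh config value and inside
# the shell command line ProxyCommand is executed with. A leading "-" is
# refused so a value can never be read as an ssh option.
valid_token() {
    case "$1" in
        ""|-*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# add_jump_host <config> <nickname> <server> <user> <proxy> <proxy_user> [mode]
#   jump  (default): ProxyJump
#   stdio: ProxyCommand with "ssh -W %h:%p", which needs no nc on the proxy
add_jump_host() {
    local cfg="$1" nick="$2" server="$3" user="$4" proxy="$5" puser="$6"
    local mode="${7:-jump}" v line
    for v in "$nick" "$server" "$user" "$proxy" "$puser"; do
        valid_token "$v" || { echo "rejected value: $v" >&2; return 2; }
    done
    case "$mode" in
        jump)  line="ProxyJump $puser@$proxy" ;;
        stdio) line="ProxyCommand ssh $puser@$proxy -W %h:%p" ;;
        *)     echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    # A new config file is created readable by its owner only.
    ( umask 077; touch "$cfg" ) || return 1
    # ssh keeps the first value it finds for an option, so a second stanza
    # for the same alias would be silently ignored: refuse it instead.
    if awk -v n="$nick" 'tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i == n) f = 1 }
                         END { exit !f }' "$cfg"; then
        echo "Host $nick already exists in $cfg" >&2
        return 3
    fi
    printf '\nHost %s\n    HostName %s\n    User %s\n    %s\n' \
        "$nick" "$server" "$user" "$line" >> "$cfg"
}
```

After adding a stanza, "ssh -G <nickname>" prints the options ssh resolved for that alias without opening a connection.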

Conclusion

In this tutorial, we learned about the various methods to connect to a Linux server over SSH through a proxy, and to transfer files using SCP through a proxy server or jump host.

You can use ProxyCommand or ProxyJump with ssh and scp, and ssh can also go through a proxy service such as squid or any other proxy.
