Holmes Stacks
Career · June 4, 2026

Master SSH ProxyJump for Secure Multi-Hop Connections

This video teaches you how to securely connect to internal SSH hosts using ProxyJump to prevent exposing sensitive jump hosts.

What this guide covers

After this guide, you’ll be able to configure and use SSH ProxyJump to securely connect to internal SSH hosts through an intermediate bastion (jump) host, reducing exposure of sensitive infrastructure while maintaining simple access.

When to use it

  • Accessing internal servers behind a firewall through a bastion host without directly exposing them.
  • Managing SSH sessions in environments where multiple hops are required to reach the target server.
  • Securing enterprise SSH workflows by preventing direct login to jump hosts.
  • Automating SSH connections in scripts or tools that need multi-hop access.

The move, step by step

  1. Open or create your SSH config file at ~/.ssh/config.

  2. Define the bastion (jump) host entry with its hostname and user:

    Host bastion-host
      HostName bastion.example.com
      User ec2-user

  3. Define your internal host and specify the ProxyJump directive pointing to the bastion:

    Host internal-server
      HostName 10.0.0.5
      User ec2-user
      ProxyJump bastion-host

  4. Save the config file and set appropriate permissions:

    chmod 600 ~/.ssh/config

  5. Connect directly to the internal server using:

    ssh internal-server

    SSH will automatically route through bastion-host without exposing it in your commands.

  6. Optionally, for multi-hop beyond one jump, chain hosts separated by commas:

    ProxyJump bastion-host,second-jump

  7. Always verify connectivity and keep host keys up to date to avoid MITM alerts. ssh-keyscan helps collect keys for automation, but it does not authenticate them, so compare the fingerprints against a trusted source before adding them to known_hosts.

Example

Input: You want to ssh to internal-server at 10.0.0.5 via your bastion at bastion.example.com.

Your ~/.ssh/config contains:

    Host bastion-host
      HostName bastion.example.com
      User ec2-user

    Host internal-server
      HostName 10.0.0.5
      User ec2-user
      ProxyJump bastion-host

Command:

    ssh internal-server

Expected output snippet:

    ec2-user@internal-server's password:
    Last login: Wed Jun  5 11:42:07 2024 from bastion.example.com
    [ec2-user@internal-server ~]$

You connect transparently through the bastion without exposing the bastion in direct SSH commands or logs.

Common mistakes

  • Mistake: Using ProxyCommand with old syntax → Fix: Use ProxyJump directive for simpler, supported multi-hop chaining (OpenSSH 7.3+).
  • Mistake: Not matching Host aliases consistently → Fix: Use clear alias names and ensure they match between ProxyJump and Host.
  • Mistake: Leaving ~/.ssh/config world-readable → Fix: Set permissions to 600 to keep SSH config private.
  • Mistake: Directly SSH-ing to bastion hosts from external networks → Fix: Restrict bastion access by IP and use ProxyJump for internal host access.
  • Mistake: Forgetting to update SSH keys for bastion or internal servers → Fix: Regularly verify host key fingerprints (ssh-keyscan can fetch them; compare them against a trusted source) to avoid man-in-the-middle risks.
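
The alias-mismatch and config-permission mistakes above can be checked mechanically. The shell function below is an added example, not part of the original guide: the name audit_ssh_config, the PERMS/ALIAS output labels and the sample config with the mistyped hop second-jmp are constructed for illustration. It assumes a hop containing a dot or colon is a real hostname or IP rather than an alias, and it only reads the whitespace-separated "Keyword value" form.

```shell
#!/bin/sh
# Added example: audit an OpenSSH client config for two mistakes from this guide.
# Prints one finding per line; returns 0 when the file is clean, 1 otherwise.
audit_ssh_config() {
    cfg=$1; rc=0
    # File mode: GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    if [ "$mode" != 600 ]; then
        echo "PERMS $cfg is mode $mode, expected 600"; rc=1
    fi
    # Collect Host aliases, then report ProxyJump hops that match none of them.
    # Assumption: a hop containing a dot or colon is a hostname or IP, not an alias.
    missing=$(awk '
        { kw = tolower($1) }
        kw == "host" { cur = $2; for (i = 2; i <= NF; i++) defined[$i] = 1 }
        kw == "proxyjump" {
            n = split($2, hops, ",")
            for (i = 1; i <= n; i++) {
                h = hops[i]
                sub(/^.*@/, "", h)       # drop a leading user@
                sub(/:[0-9]+$/, "", h)   # drop a trailing :port
                if (h != "none" && h !~ /[.:]/) used[cur " -> " h] = h
            }
        }
        END {
            for (k in used)
                if (!(used[k] in defined)) print "ALIAS " k " is not a defined Host"
        }
    ' "$cfg" | sort)
    if [ -n "$missing" ]; then
        echo "$missing"; rc=1
    fi
    return $rc
}

# Constructed sample: the guide's two hosts plus a deliberately mistyped hop.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
Host bastion-host
  HostName bastion.example.com
  User ec2-user

Host internal-server
  HostName 10.0.0.5
  User ec2-user
  ProxyJump bastion-host,second-jmp
EOF
chmod 644 "$demo_dir/config"
audit_ssh_config "$demo_dir/config" || echo "config needs fixing"
```

Run against the sample, it reports the 644 mode and the hop internal-server -> second-jmp; point it at ~/.ssh/config to check a real file.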

Next step

Update your SSH config today by adding a ProxyJump block for one internal host you access frequently. Test the connection and confirm it routes properly. Then come back and try the next move from the video.

Your one action today

Pick the smallest version of this guide and try it in your tool of choice in the next 20 minutes.
