An SSH bastion (or "jump host") is a single, hardened and monitored server that serves as the sole entry point for accessing other servers within a private network. Rather than exposing every server to the Internet, only the bastion is accessible from the outside.
Why Use a Bastion?
- Reduced attack surface: Instead of N exposed servers, you only have one to secure and monitor.
- Centralized auditing: All access goes through a single point, which greatly simplifies logging and auditing of connections.
- Simplified access management: You can manage access rights to the private network from a single place.
- No VPN needed: For simple SSH access, a bastion is often lighter and easier to maintain than a full VPN.
Diagram of an Architecture with a Bastion
Your workstation ---> Internet ---> [SSH Bastion] ---> Private network (Web servers, DBs, etc.)
     (Key A)                           (Key A)                  (Key B)
The user authenticates to the bastion (with Key A), then from the bastion authenticates to the final server (with Key B).
Configuration
Step 1: The bastion server
Choose a machine (a small VM is often enough) and install a minimal Linux distribution. Apply security best practices:
- Regular updates.
- Fail2ban to counter brute-force attacks.
- UFW (or another firewall) to allow only the SSH port (22), and only from trusted IPs if possible.
- A hardened /etc/ssh/sshd_config configuration (no root login, key-based authentication only, etc.).
Step 2: SSH client configuration (your machine)
The modern and recommended method is to use the ProxyJump directive in your ~/.ssh/config file. It is much simpler and more secure than older methods like agent forwarding.
Edit or create the ~/.ssh/config file:
# Connection to the bastion
Host bastion
    HostName bastion.your-domain.com
    User admin_bastion
    IdentityFile ~/.ssh/id_rsa_bastion

# Connection to private servers via the bastion
Host private-server-*
    HostName %h.lan   # %h is replaced by what you type (e.g. private-server-1 -> private-server-1.lan)
    User admin_server
    IdentityFile ~/.ssh/id_rsa_private_server
    ProxyJump bastion
Step 3: Transparent connection
Thanks to this configuration, you can now connect directly to your private server. OpenSSH will handle the intermediate connection through the bastion transparently.
ssh private-server-1
That's it! You are connected to private-server-1 by going through bastion.
The ProxyJump directive handles the connection end to end without exposing your final server's private key to the bastion, which is a major advantage over other methods.
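To see how OpenSSH turns the alias you type into a chain of hops, here is a small resolver (added example, not part of the original article or of OpenSSH) that parses the ~/.ssh/config above, applies the first-match-wins rule for each keyword, expands %h, and follows ProxyJump. It assumes the "Keyword value" syntax shown above and a single alias per ProxyJump; the config text is a constructed copy, not read from disk.

```python
import fnmatch

# Constructed copy of the article's ~/.ssh/config (sample input, not read from disk).
SAMPLE_CONFIG = """
Host bastion
    HostName bastion.your-domain.com
    User admin_bastion
    IdentityFile ~/.ssh/id_rsa_bastion
Host private-server-*
    HostName %h.lan
    User admin_server
    IdentityFile ~/.ssh/id_rsa_private_server
    ProxyJump bastion
"""

def parse_config(text: str) -> list[dict[str, str]]:
    """Split the file into Host stanzas ('Keyword value' form only); comments are dropped."""
    stanzas: list[dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            stanzas.append({"Host": value.strip()})
        elif stanzas:
            stanzas[-1][key] = value.strip()
    return stanzas

def resolve(alias: str, stanzas: list[dict[str, str]]) -> dict[str, str]:
    """Like `ssh -G`: the first matching stanza wins per keyword; %h expands to the typed alias."""
    result: dict[str, str] = {}
    for stanza in stanzas:
        if any(fnmatch.fnmatchcase(alias, pat) for pat in stanza["Host"].split()):
            for key, value in stanza.items():
                if key != "Host":
                    result.setdefault(key, value.replace("%h", alias))
    result.setdefault("HostName", alias)  # no HostName directive: the alias is the host itself
    return result

def hop_chain(alias: str, stanzas: list[dict[str, str]], max_hops: int = 10) -> list[str]:
    """Follow ProxyJump (one alias per hop assumed) and list the hops bastion-first, target last."""
    chain: list[str] = []
    current = alias
    while current and len(chain) < max_hops:
        cfg = resolve(current, stanzas)
        chain.insert(0, f"{cfg.get('User', '?')}@{cfg['HostName']}")
        current = cfg.get("ProxyJump")
    if current:
        raise ValueError("ProxyJump chain is cyclic or longer than max_hops")
    return chain
```

For private-server-1 the chain is admin_bastion@bastion.your-domain.com followed by admin_server@private-server-1.lan, each hop authenticated with its own key. Keep in mind that ProxyJump relies on the bastion's sshd permitting TCP forwarding (AllowTcpForwarding), so a hardening pass on the bastion must not disable it.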
Copying Files with scp
This configuration also works directly with scp:
scp my_file.txt private-server-1:~/
Avoid using agent forwarding (ssh -A) through a bastion unless you have absolute trust in its security and its administrators. If the bastion is compromised, an attacker could use your agent's socket to connect to your private servers on your behalf. ProxyJump does not carry this risk.
Conclusion
Setting up an SSH bastion is one of the most effective measures for securing a network infrastructure. It is a fundamental step that considerably reduces risk. Thanks to OpenSSH's ProxyJump feature, using it has become transparent and more secure than ever.