Best SSH tip of the year

Why didn’t anyone tell me about transparent multi-hop SSH before?

We have production servers that are not directly accessible through the Internet with SSH. To access the server, you have to first log into a proxy host and from there you can ssh to the actual host. The production servers are not even in a domain that would be resolved through public DNS.

This is of course very secure and all, but makes it difficult to locally run scripts that access the production host. But, ProxyCommand to the rescue!

Let’s say our servers are located at something.foobar.mgmt and our proxy host is at Now, edit your ~/.ssh/config file and add this:

Host *.foobar.mgmt
ProxyCommand ssh -A -W %h:%p

After adding these two lines, you can directly do ssh something.foobar.mgmt and SSH will transparently proxy your connection through the other host.

And if that’s not enough, scp and sftp will also work straight away using the same configuration.
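The same setup with agent forwarding turned off, as an added example that is not part of the original post. The `-A` flag forwards your SSH agent to the proxy host, which `-W` does not need because the login to the target is still performed by your local client. `proxy.example.com` is a placeholder, since the proxy host name is not shown on this page, and ProxyJump assumes OpenSSH 7.3 or later.

```sshconfig
# ~/.ssh/config
# Added example. proxy.example.com is a placeholder for the proxy host.

# The proxy host only relays TCP to the target's sshd. Keep the agent
# off it: anyone with root on the proxy could otherwise use a forwarded
# agent socket for as long as your session is open.
Host proxy.example.com
    ForwardAgent no

# Targets behind the proxy. ProxyJump opens the same kind of tunnel as
# "ProxyCommand ssh -W %h:%p <proxy>" and never forwards the agent to
# the jump host.
Host *.foobar.mgmt
    ProxyJump proxy.example.com
    ForwardAgent no

    # Fallback for clients older than OpenSSH 7.3: comment out ProxyJump
    # above and use ProxyCommand without -A instead.
    # ProxyCommand ssh -W %h:%p proxy.example.com

# Check what ssh will actually do for a host, without connecting:
#   ssh -G something.foobar.mgmt | grep -i -E 'proxy|forwardagent'
```

Authentication to both hops uses the keys or agent on your local machine, so scp and sftp keep working through this configuration as well.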

Thanks, Ari!

Written by

Web developer, consultant, and a father of two.
