ProxyJump

This is the easiest (new) way:

Host 10.*
    ProxyJump <your-username>@your.bastion.tld:2222

Using ProxyCommand

Replace your.bastion.tld with your bastion server and set your bastion username in the ProxyCommand:

Host bastion
  Hostname your.bastion.tld
  ForwardAgent yes

Host 10.10.*
  ProxyCommand ssh <your-username>@bastion -W %h:%p

Example

To log in as user devops on server 10.10.3.4:

$ ssh -l devops 10.10.3.4

or

$ ssh devops@10.10.3.4

SSH sockets

To speed up connections made through the bastion host, add this at the top of the ~/.ssh/config file:

  ControlPath ~/.ssh/sockets/%r@%h:%p
  ControlMaster auto
  ControlPersist 10m

You need to create the sockets dir: mkdir ~/.ssh/sockets

Or you could add it per bastion configuration:

Host bastion
  Hostname your.bastion.tld
  ForwardAgent yes
  ControlPath ~/.ssh/sockets/%r@%h:%p
  ControlMaster auto
  ControlPersist 10m
  • The ControlPath entry specifies where to store the “control socket” for the multiplexed connections. In this case, %r refers to the remote login name, %h refers to the target host name, and %p refers to the destination port.

  • The ControlMaster setting is what activates multiplexing. With the auto setting, SSH will try to use a master connection if one exists, and will create a new one if it doesn’t.

  • The ControlPersist setting keeps the master connection alive for the specified period of time after it has remained idle (no connections). After that time, the master connection will be closed. In this example, we’ve specified that the master connection should remain open for 10 minutes after becoming idle. Subsequent SSH sessions made while the master connection is open will leverage the master connection and will reset the idle timer.
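
An added example (not part of the original page): a small Python audit of ssh_config text that flags the settings in blocks like the ones above that deserve a second look. ForwardAgent yes exposes your agent to anyone with root on the bastion and is not needed for ProxyJump or ProxyCommand with -W, and ssh_config(5) recommends that a ControlPath include %h, %p and %r (or %C) and sit in a directory other users cannot write to. The second Host block in SAMPLE, the finding names and the function names are constructed for illustration.

```python
import re

# Constructed sample: this page's bastion block plus a hypothetical weak "Host 10.10.*" block.
SAMPLE = """\
Host bastion
  Hostname your.bastion.tld
  ForwardAgent yes
  ControlPath ~/.ssh/sockets/%r@%h:%p
  ControlMaster auto
  ControlPersist 10m

Host 10.10.*
  ProxyCommand ssh <your-username>@bastion -W %h:%p
  ControlPath /tmp/ssh-mux
  ControlMaster auto
"""

def parse_blocks(text):
    """Split ssh_config text into (host_patterns, options) pairs, one per Host line."""
    blocks = [("*", {})]                      # options before the first Host line
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)(?:\s*=\s*|\s+)(.*?)\s*$", line)
        if not m:
            continue                          # blank line or comment
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            blocks.append((value, {}))
        else:
            blocks[-1][1].setdefault(key, value)   # ssh keeps the first value it sees
    return blocks

def audit(text):
    """Return (host_patterns, finding) tuples; each Host block is judged on its own."""
    findings = []
    for host, opts in parse_blocks(text):
        if opts.get("forwardagent", "no").lower() == "yes":
            findings.append((host, "agent-forwarded"))
        path = opts.get("controlpath", "none")
        if opts.get("controlmaster", "no").lower() in ("no", "false") or path.lower() == "none":
            continue                          # no multiplexing in this block
        if "%C" not in path and not all(t in path for t in ("%r", "%h", "%p")):
            findings.append((host, "controlpath-not-unique"))
        if path.startswith(("/tmp/", "/var/tmp/")):
            findings.append((host, "controlpath-shared-dir"))
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(f"Host {host}: {finding}")
```

The audit looks at each Host block in isolation; ssh itself merges every block that matches a destination, so `ssh -G <host>` remains the authoritative view of the effective settings.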

Check the status of multiplexing

Use the -O <option>:

$ ssh -O check <your-username>@bastion
Master running (pid=32015)

To stop multiplexed connections:

$ ssh -O stop <your-username>@bastion

To terminate all existing connections and remove the control socket:

$ ssh -O exit <your-username>@bastion