SSH Jump Server


In recent times, organizations have an increasing need to give employees remote access to their IT facilities because of the ongoing Covid restrictions (such as work from home), and in other cases to grant access to external parties such as clients and vendors who want to troubleshoot and fix issues with the IT infrastructure remotely.

Even more pressing is the need to manage SSH access for many users to the company’s Linux servers, routers and switches while meeting regulatory and security compliance requirements. This need led to the emergence of the SSH bastion host concept.

SSH Jump Server: What It Is, How to Set It Up, and How to Secure It


An SSH Jump Server is simply a single, hardened server that you “jump” through in order to access other servers or devices on the inner network. It is sometimes called an SSH jump host, SSH bastion host, SSH gateway or relay host; whatever the name, it is a server that all of your users can log into and use as a relay to connect to other Linux servers, routers, switches and more. A jump server is therefore a server inside a secure zone that can be accessed from a less secure zone; from this host it is then possible to jump into zones of greater security.

In other words, it is an intermediary host (an SSH jump server) into a remote network, through which a connection can be made to another host in a different security zone, for example a demilitarized zone (DMZ). In short, it is intended to bridge the gap between two security zones, establishing a gateway from the DMZ to something inside the more secure zone.

The SSH Jump server bridges two dissimilar security zones and offers controlled and monitored access between them.

For users accessing your secure network over the internet, the Jump server provides a highly secured and monitored environment especially when it spans a private network and a DMZ with servers providing services to users on the internet.

A classic scenario is connecting from your desktop or laptop inside your company’s internal network, which is heavily secured with firewalls, to a DMZ. To manage a server in the DMZ conveniently, you access it via a bastion host.

A bastion host, then, is a server inside a secure zone that can be accessed from a less secure zone, and from which you can jump into zones of greater security. Take a high-security zone inside a corporation as an example: the policy guide states that this zone cannot be accessed directly from the normal user zone, so a jump host is placed in a DMZ off the firewall that protects the zone.

Connections to the SSH bastion host are permitted from the user zone, and access to the secure zone is permitted from the bastion host.

More often than not, the bastion host uses a separate authentication method, fortified with multi-factor authentication, Single Sign-On (SSO), RADIUS and more.

Jump Server vs Bastion Host vs Jump Host — What’s the Difference?

The terms are used interchangeably and refer to the same concept. The distinction is mostly contextual:

  • Jump server or jump box — common in on-premises and enterprise environments
  • Bastion host — the preferred term in cloud environments, particularly AWS and Azure
  • Jump host — used in SSH configuration files and command-line documentation
  • SSH gateway or relay host — used when emphasizing the traffic-routing function

All four mean the same thing: a hardened intermediary server that controls SSH access to a private network.

How does SSH with a jump server work?

It is a secure intermediary server that all your system administrators log in to first via SSH before accessing remote devices such as Linux instances, routers and switches. The purpose of the SSH bastion host is to improve security and consolidate SSH user activity at a single point, giving better security and accountability. The SSH bastion host is also known as an SSH jump box, SSH jump host or SSH gateway.

Why You Need an SSH Jump Server

Reduce Your Attack Surface

Every server with port 22 open to the internet is a target for brute-force attacks, credential stuffing, and exploitation of SSH vulnerabilities. With a jump server, only one host is exposed. Internal servers are invisible to the internet entirely.

If a vulnerability is discovered in OpenSSH, you patch one server — the jump server — rather than every host in your fleet.

Centralized Access Control and Auditing

Without a jump server, SSH access is managed server by server: individual authorized_keys files, separate user accounts, no central view of who has access to what. Revoking a departed employee’s access means updating every server manually.

With a jump server, access control is centralized. You manage one entry point. Add a user, remove a user, change permissions — it applies across your infrastructure immediately. Every SSH session is logged in one place with a consistent audit trail.

Compliance: PCI DSS, NIST, ISO 27001

PCI DSS requires controlled, audited access to systems in the cardholder data environment. NIST 800-53 requires privileged access management and session logging. ISO 27001 requires access control and audit trails.

A jump server directly addresses all three by creating a single auditable access point with full session logs. Ezeelogin SSH jump server solution enhances enterprise security with features such as session recording, anomaly detection, and instant compliance reporting.

How to Set Up an SSH Jump Server

Bastion using OpenSSH – A basic SSH jump server with limited features and functionality can be configured using the OpenSSH packages that are installed by default on most Linux distributions.

How do I connect to SSH Jump Server using OpenSSH?

In the example below, we use the basic ssh command line to proxy an SSH connection to the remote server via an intermediate jump server:

    ssh -J jumpserver remote_machine

If the -J option is not available (OpenSSH older than 7.3), use the -W option to pivot the connection through an intermediate jump server:

    ssh -o ProxyCommand="ssh -W %h:%p bastion.gateway.org" remote.server.org

You can also use the SSH client configuration file instead of passing arguments on the command line.

Edit the ~/.ssh/config file:

    Host <nickname>
        HostName <hostname_of_remote_server>
        User <user_on_remote_server>
        ProxyCommand ssh <user_on_jumpserver>@<jumpserver> nc %h %p

  • <nickname>: a nickname for the target/remote server
  • <hostname_of_remote_server>: the real hostname of the remote server
  • <user_on_remote_server>: a real user who exists on the target server
  • <user_on_jumpserver>@<jumpserver>: the user on, and the IP or hostname of, the proxy (jump) server
  • %h is replaced with the host name to connect to
  • %p is replaced with the port

Now you can SSH to the target/remote machine:

    ssh -v <target/remote_server>

Since OpenSSH 7.3, the easiest way to hop through one or more intermediate jump hosts is the ProxyJump directive in ssh_config:

    Host remote-server
        HostName 192.168.0.177
        ProxyJump admin@jump-server.org:22
        User devops

Multiple bastion hosts can be chained as well (the list is comma-separated, with no spaces):

    Host remote-server
        HostName 192.168.0.177
        ProxyJump admin@jump-server.org:22,admin@jump-server2.org:22
        User devops

SSH Agent Forwarding: Don’t Copy Private Keys to Your Jump Server

Here’s a mistake many engineers make when setting up jump servers for the first time: they copy their private key to the jump server so it can authenticate to internal hosts. This is wrong — if the jump server is compromised, the attacker gets your private key.

The correct approach is SSH agent forwarding. The -A flag lets the destination server authenticate using your local SSH agent — your private key never leaves your machine:

    ssh -A -J user@jumpserver user@destination

Or in your SSH config:

    Host internal-server
        HostName 192.168.1.10
        User devops
        ProxyJump jumpserver
        ForwardAgent yes

One important caveat: only enable ForwardAgent yes for jump servers you fully trust and control. Agent forwarding gives any root user on the intermediate server the ability to use your agent while your session is active.

Multi-Hop: Chaining Multiple Jump Servers

Some network architectures require passing through more than one jump server — for example, a DMZ jump server before a production network jump server. OpenSSH handles this with comma-separated hosts in the -J flag:

    ssh -J user@jumpserver1,user@jumpserver2 user@destination

Or in ~/.ssh/config:

    Host destination
        HostName 10.10.1.20
        User devops
        ProxyJump user@jumpserver1.example.com,user@jumpserver2.example.com

Each hop authenticates separately. SSH agent forwarding is especially valuable in multi-hop setups — without it, you’d need to copy keys to every intermediate host.

Setting Up an SSH Jump Server on AWS EC2

In AWS, the jump server pattern maps directly onto the VPC architecture. The standard setup:

  • One EC2 instance in a public subnet — this is your jump server. Its security group allows inbound port 22 from your IP only (not 0.0.0.0/0).
  • All other EC2 instances in private subnets — their security groups allow inbound port 22 only from the jump server’s security group ID, not from the internet.

Connect in a single command:

    ssh -J ec2-user@<jump-server-public-ip> ec2-user@<private-instance-ip>

Jump Server using Ezeelogin

Ezeelogin is a far more powerful and advanced SSH jump server software solution and can be deployed quickly on a Linux server. Its features make managing hundreds of Linux devices and granting SSH access to them a piece of cake.

[Image: SSH jump server interface]

Refer to the setup article to configure an SSH bastion host quickly on your premises or in the cloud.

Why do you need the Ezeelogin SSH Jumpserver solution to manage SSH access?

The OpenSSH-based jump server is clearly not enough to meet the modern-day requirements of an IT enterprise. The challenges for the enterprise are constantly changing and dynamic. One day it could be maintaining security and granting SSH access to users for designated servers for a limited time only; another day it could be the security compliance requirements that must be met during an audit of the Linux server infrastructure.

Modern SSH bastion host solutions are designed to address the challenges an IT enterprise faces around security and to meet compliance standards such as PCI DSS, NIST, ISO 27001 and more.

Important features of the Ezeelogin SSH jump server

  • Identity and Access Management (IAM)
  • Privileged Access Management (PAM)
  • Role-Based Access Control to delegate access to Linux servers and network devices
  • Two-factor authentication methods such as Google Authenticator, DUO Security 2FA and Yubikey in SSH
  • Integrates with Windows Active Directory, OpenLDAP and Red Hat IdM
  • Supports SAML for Single Sign-On
  • Supports RADIUS authentication to access network devices such as routers and switches
  • Password manager
  • SSH key rotation
  • Automated root password management

Importance of having a centralized SSH jump server

  1. Improved security
  2. Centralized access
  3. Streamlined access management
  4. Compliance with security standards

How to Harden and Secure Your SSH Jump Server

A poorly secured jump server is worse than no jump server — it becomes a single high-value target with access to everything behind it. Hardening is not optional.     

To ensure maximum protection of your jumpserver, you should focus on the process of server security hardening. In simple terms, that means applying a combination of basic and advanced security measures to address vulnerabilities in your bastion host server and operating system to boost overall server security.

  1. Disable Interactive Sessions for Regular Users
  2. Enforce Key-Based Authentication, Disable Passwords
  3. Install Fail2Ban
  4. Enable Two-Factor Authentication
  5. Configure Firewall Rules

Find more details on how to secure your SSH Jump Server

OpenSSH Jump Server vs Ezeelogin: Which Should You Use?

A manually configured OpenSSH jump server works, but it comes with real limitations at scale. Here is how the two compare:

| OpenSSH Jump Server | Ezeelogin |
| --- | --- |
| Only password or cert-based authentication | Supports 2FA – Google Authenticator, Yubikey and Duo |
| Stores SSH keys in plain text format | Encrypted keys are stored in a database |
| Uses default shells; no customization is possible | Uses a custom shell, ezsh |
| Can’t restrict command execution | Command-Line Guard restricts users from executing dangerous commands |
| Login works only for the command line | Browser extension and SAML support enable autologin to web interfaces |
| Needs professional Linux administration skills | Only a few mouse clicks are required; no server admin expertise is essential |
| Command execution on multiple servers requires separate SSH logins | Parallel shell enables simultaneous execution of commands across multiple servers |
| User activity session recording is possible only through agent software | No agent software is required for SSH session logging |
| Password reset, rotation and login sharing are clumsy processes | Password management is automated |
| Single point of failure – you can’t access your servers if the jump server is down | Master-slave architecture with jump server switching options |
| Achieving security compliance is hard | Can easily fulfill security compliance requirements |
| Permits access only for system users | Login for LDAP and Active Directory users is possible |

When OpenSSH Is Enough

  • Small team (under 10 people)
  • Fewer than 20–30 servers
  • No compliance requirements
  • In-house Linux admin who can maintain the configuration

When You Need a Dedicated Solution

  • Growing team with frequent onboarding and offboarding
  • Hundreds of servers across multiple environments
  • Compliance requirements (PCI DSS, SOC 2, ISO 27001, HIPAA)
  • Need for session recording and audit trails
  • Multiple authentication methods (2FA, LDAP, SSO)
  • Non-technical stakeholders who need controlled access

Ezeelogin can be deployed on your own Linux server in under an hour. It converts your server into a fully featured SSH jump server with all enterprise controls built in — no separate agents, no manual log aggregation, no compliance headaches.

See Ezeelogin pricing → | Setup guide →

CONCLUSION

IT enterprises that use an SSH jump server solution to improve the security of their critical IT assets and to meet the various mandatory security compliance requirements (a breach of which would otherwise prove very costly) are more likely to succeed: improved operational efficiency and digital security translate into a more successful business for the company’s end customers.

Frequently Asked Questions

1. What is the difference between a jump server and a bastion host?

    The terms describe the same thing. “Bastion host” is the preferred term in cloud environments like AWS and Azure. “Jump server” or “jump box” is more common in on-premises enterprise contexts. Both refer to a hardened intermediary server that controls SSH access to a private network.

2. Is a jump server the same as a VPN?

No. A VPN grants broad network-level access: once connected, you can reach most resources on the private network. A jump server grants specific SSH-level access, scoped per user, logged per session, and auditable per command. Most security-conscious organizations use both: VPN for general connectivity, jump server for privileged infrastructure access.

3. How do I connect to an SSH jump server?

   Use the -J flag in OpenSSH 7.3+: ssh -J user@jumpserver user@destination. For a permanent configuration, add a ProxyJump directive to your ~/.ssh/config file pointing to the jump server, then connect directly to the destination hostname.

4. Can I use a jump server with GitHub Actions or CI/CD pipelines?

   Yes. Add your deploy private key to GitHub Secrets, load it with the ssh-agent action, and define your jump server and destination in a ~/.ssh/config file using ProxyJump. Your pipeline connects to the jump server and forwards through to internal hosts without exposing those hosts publicly. Use a dedicated deploy key with least-privilege access, separate from human developer keys.

5. Does a jump server help with PCI DSS compliance?     

Yes. PCI DSS Requirement 7 requires restricting access to system components to only those individuals whose job requires it. Requirement 10 requires logging all access to system components. A jump server centralizes both — all SSH access passes through one auditable point. Ezeelogin adds session recording, automated access reviews, and formatted compliance reports.

6. What happens if my jump server goes down?

With a self-managed OpenSSH jump server, it becomes a single point of failure: if it’s down, no one can access the private network via SSH. This is a real risk. Ezeelogin supports a master-slave architecture to enable failover and high availability.
