ProxyCommand
ProxyCommand is the least privilege way I am aware of to ssh to machines behind a bastion host. Agent forwarding would work, but continues to allow use of my keys for the duration of my session (vs. just once at initial login), which is more privilege than I wanted to give the bastion. I'd subscribe to Premium if you let me configure ProxyCommands.

Hi everyone,
Could you guys please provide the exact examples of the ProxyCommands that you use in your setups?
This will help to understand the variety of cases and what to focus on first.
Thanks
51 comments
-
Anonymous commented
hi, currently, we use jump server as mandatory, some other terminals can support this function, and proxyCommand as follows:
ProxyCommand /usr/bin/ssh -W %h:%p -p 18080 uid@jump.sample
Is it supported now in latest version of termius? thanks
-
Anonymous commented
reminded of this by someone actually posting. realised i never posted mine. this is taken from my .ssh/config that i use on mac and linux machines (and much should also work on windows openssh although not the controlmasters stuff). It would be great to be able to just import the same .ssh/config into termius, but just to keep to the topic, and with real host/domains redacted:
(Am using ProxyJump now as simpler specialisation of ProxyCommand)
Host redacted-auth
Hostname auth.redacted.com
User rachel
IdentityFile ~/.ssh/id_rsa_redacted
ControlPath ~/.ssh/controlmasters/%r@%h:%p
ControlMaster auto
ControlPersist 10m
then for example:
Host redacted-live
HostName live.redacted.client.com
ProxyJump redacted-auth
ForwardAgent yes
Allows to just ssh redacted-live, sftp redacted-live, etc. etc.
The jump box prompts for an authentication code. the controlmasters stuff keeps a connection to the jumpbox open so you don't have to enter that for every connection in a short timespan. accept that might be tricky in ios/ipados context, but would be a nice-to-have. the ProxyJump is the main thing.
-
Ysk commented
Host *
PKCS11Provider /usr/local/lib/kr-pkcs11.so
ProxyCommand /usr/local/bin/krssh %h %p
IdentityFile ~/.ssh/id_krypton
IdentityFile ~/.ssh/id_ed25519
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_ecdsa
IdentityFile ~/.ssh/id_dsa
-
Marco Mans commented
Is it still planned that this feature is coming? We migrated all server to AWS and I now need to use a ProxyCommand to use SSM to access the machines... Would be nice if I could still use Termius!
-
Anonymous commented
ssh -t -o ProxyCommand='ssh -i ~/.ssh/id_rsa opc@public_ip_instance -W %h:%p %r ' -i ~/.ssh/id_rsa opc@private_ip_instance
-
Anonymous commented
ProxyCommand duoconnect -host=%h:%p -relay=https://<server>
-
Anonymous commented
Host * !***.***.***.*** (obscured for security reasons)
ProxyCommand nc -X 5 -x proxyserver_address.com:proxyserver_port %h %p
-
Andrew commented
Is there any indication on when this might be implemented?
I need it for this - ProxyCommand cloudflared access ssh --hostname %h
-
Anonymous commented
any update on this trend? need also to use ssh proxyCommand
-
Tim Malone commented
This now appears to be implemented by way of Host Chaining. Nice work guys!
-
Anonymous commented
ProxyCommand ssh proxyuser@proxyhost nc %h %p
-
Anonymous commented
Would go pro once implemented, absolutely useless in professional context without it as -any- professional setup uses ssh jump boxes instead of vpns nowadays to tunnel into shielded corporate boxes etc.
-
chris.welsh23@gmail.com commented
ProxyJump -q via an ssh config file
-
Heavoc commented
ProxyCommand ssh -W %h:%p bastion_host
-
Andrew P commented
Awesome that you are working on this... I have things in my config like:
ProxyCommand ssh proxyuser@proxyhost nc %h %p
ProxyCommand ssh proxyuser@proxyhost /usr/local/bin/ssh-proxy %h
-
Rene Diepstraten commented
Hi,
For example `ProxyCommand ssh -W %h:%p user@bastion.example.org` to tunnel ssh sessions through the bastion host.
Newer openssh versions can do this by using `ProxyJump` by the way.
-
dirk duellmann commented
similar here: I'd be using it to implement multi-hop connections via something like:
ProxyCommand ssh -K -Y jump.host.at /usr/bin/nc %h %p 2> /dev/null
If you want to make it really nice you could predicate the proxy execution on the current subnet:
Eg in my real setup I use for each host the sequence:
Match host nick1 !exec "at-work"
Hostname long.real.name1.at
ProxyCommand ssh -K -Y jump.host.at /usr/bin/nc %h %p 2> /dev/null
Host nick1
HostName long.real.name1.at
where "at-work" is a one-line script matching the ip subnet against the set of subnets used by my workplace.
That way the proxy is only used when necessary.
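One way to write the "at-work" helper described in the comment above, as an added example that is not the commenter's own script: it exits 0 when any local IPv4 address falls inside a workplace subnet, so `!exec "at-work"` turns the ProxyCommand on only when off-site. The WORK_SUBNETS ranges and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: "at-work" helper for `Match host nick1 !exec "at-work"`.
# WORK_SUBNETS holds constructed placeholder ranges; substitute your own.
WORK_SUBNETS="10.20.0.0/16 192.0.2.0/24"

# Print a dotted-quad IPv4 address as an integer; fail on malformed input
# (leading-zero octets are rejected because parsers disagree on octal).
ip_to_int() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.|0[0-9]*|*.0[0-9]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed when address $1 lies inside CIDR block $2 (64-bit shell arithmetic).
in_cidr() {
    addr=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case "$bits" in ""|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $addr & $mask )) -eq $(( $net & $mask )) ]
}

# Succeed when any of the given addresses is in a workplace subnet.
at_work() {
    for ip in "$@"; do
        for cidr in $WORK_SUBNETS; do
            in_cidr "$ip" "$cidr" && return 0
        done
    done
    return 1
}

# List local IPv4 addresses (iproute2 on Linux, ifconfig on macOS/BSD).
local_ipv4() {
    { ip -4 -o addr show 2>/dev/null || ifconfig 2>/dev/null; } |
        awk '{ for (i = 1; i < NF; i++) if ($i == "inet") { sub(/\/.*/, "", $(i+1)); print $(i+1) } }'
}

# Run the live check only when this file is installed and invoked as at-work.
case "${0##*/}" in at-work) at_work $(local_ipv4); exit $? ;; esac
```

Install it as an executable named at-work on the PATH; a non-zero exit (no matching subnet, or unparsable input) leaves the proxy in use, which is the safer default when off-site.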
-
Mark B. commented
I've been waiting for this so long.... Thanks for starting this!
ProxyCommand ssh -W %h:%p jumphost
-
Anonymous commented
My proxy command is "ProxyCommand /usr/bin/ssh examplehost /usr/bin/nc -N %h %p"
-
Anonymous commented
Thanks for starting this ! :-)
Here is what I'm using:
ProxyCommand ssh -k gwUser@gateway.host.domain /usr/bin/nc %h %p 2> /dev/null
Thanks,
cheers, andreas