Jump host

The jump host is the gateway to a separate security zone like a private subnet inside a VPC.

The jump host has authorized_keys of the users but not the private key which is authorized on the target system.

The user needs 2 ssh private keys - one for the jump host and the EC2 provisioned one for the target. ( ssh-add ~/.ssh/aws-key ).

Then:

ssh -J jumphost.domain.com  ec2user@172.16.0.23

HTTP Proxy

In order to access web servers in a private subnet, the ssh agent can act as a SOCKS5 Proxy on localhost and forward the the traffic through the jump host:

ssh -fqND 12000 jumphost.domain.com # background
ssh -ND   12000 jumphost.domain.com # foreground

SSH Tunnel to Cassandra

One end of the tunnel is listening on localhost and the other end is connected to cassandra from the jumphost:

ssh -NL 127.0.0.1:9042:cassandra.intern.com:9042 user@jumphost.extern.com

SSH Tunnel with Jump to the target host

One end of the tunnel is listening on localhost and the other end is connected at the target host via the jumphost:

ssh -vNL 127.0.0.1:3307:db.host.intern:3306 -o ProxyCommand='ssh -W %h:%p user@jumphost.extern.de' ec2-user@10.0.0.1