A
Arun's Blog
← Back to all posts

SSH Multi-Hopping for Advanced Network Navigation

SSHNetworkingSecurity
TL;DR

SSH multi-hopping (tunneling) lets you connect through intermediate hosts to reach a final destination. Use ssh -f user@jumphost -L local_port:target_ip:22 -N to create a tunnel, then ssh user@localhost -p local_port to connect through it. Useful for bypassing firewalls and accessing segmented networks securely.

Introduction

SSH multi-hopping, also known as SSH tunneling through multiple hosts, is a technique that involves creating an SSH connection through one or more intermediate hosts before reaching the final destination. This approach is often used when direct SSH access to the final destination is not possible due to network restrictions, security policies, or other reasons.

How It Works

  1. Initial Connection - You start by SSH-ing into the first host (the "jump host")
  2. Tunneling Through Intermediate Hosts - From the first host, you SSH into the next host in the chain until you reach your destination
  3. End-to-End Encryption - Each step is encrypted by SSH, protecting your data through each host

Benefits

  1. Enhanced Security - Each hop is encrypted, making interception more difficult
  2. Bypass Network Restrictions - Connect to hosts not directly accessible from your network
  3. Simplified Access Management - Limit direct SSH access to a few jump hosts
  4. Privacy and Anonymity - Multiple hops make connection tracing more difficult
Important

The security of your tunnel is only as strong as the weakest host in the chain. Ensure all intermediate hosts are properly secured and hardened.

Use Cases

  • Accessing servers in a private network from an external network
  • Bypassing firewalls or NAT (Network Address Translation)
  • Managing multiple layers of a segmented network architecture

Creating SSH Keys

Windows (OpenSSH)

  1. Open Command Prompt or PowerShell
  2. Run: ssh-keygen
  3. Press Enter to accept the default location (~/.ssh/id_rsa)
  4. Keys are created: id_rsa (private) and id_rsa.pub (public)
Pro Tip

For Windows 10, if OpenSSH isn't installed, go to Apps & Features > Optional Features and add "OpenSSH Client".

Mac/Linux

  1. Open Terminal
  2. Run: ssh-keygen -b 4096 -t rsa
  3. Enter a passphrase when prompted
  4. View public key: cat ~/.ssh/id_rsa.pub

Copying Public Key to Host

The public key must be added to ~/.ssh/authorized_keys on the remote host:

# Create .ssh directory if missing
mkdir ~/.ssh
chmod 700 ~/.ssh

# Create/edit authorized_keys
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# Add your public key to the file

Multi-Hop Command Syntax

ssh -f user@host -L port:localhost:port -N
  • -f - Run SSH in the background
  • -L port:localhost:port - Port forwarding (local:remote_target:remote_port)
  • -N - No remote commands (just forwarding)

Example

Scenario

Jump box at 54.226.228.103 (public). Target server at 10.0.131.170 (private, only accessible from jump box).

Step 1: Create the Tunnel

ssh -f user@54.226.228.103 -L 5000:10.0.131.170:22 -N

This creates a tunnel where localhost:5000 forwards to 10.0.131.170:22 through the jump box.

Step 2: Connect Through the Tunnel

ssh user@localhost -p 5000

Now you're connected to 10.0.131.170 via the encrypted tunnel!

Troubleshooting

  • Connection refused on local port - Verify the tunnel is running with ps aux | grep ssh. The first SSH command may have failed.
  • Permission denied (publickey) - Ensure your public key is in authorized_keys on the jump host with correct permissions (600).
  • Address already in use - The local port is taken. Choose a different port (e.g., 5001 instead of 5000).
  • Connection timed out - Check that the jump host can reach the target. Verify firewall rules allow port 22.
  • Host key verification failed - The host's key has changed. Remove the old key from ~/.ssh/known_hosts if expected.
  • Tunnel drops after inactivity - Add ServerAliveInterval 60 to your ~/.ssh/config to send keepalive packets.

Conclusion

SSH multi-hopping is a powerful technique for network administrators and those needing secure access through multiple network layers. It requires careful planning and understanding of the network architecture to implement effectively, but provides a secure way to access segmented networks.