Task #7601

Set up an SSH jump host

Added by Nico Schottelius over 1 year ago. Updated 6 months ago.

  • Authenticated against our LDAP
  • Allows users to connect to our IPv6 networks

The ways for users to use it:

  • via ProxyCommand (some might be able to use that)

I've set this up some time ago and it basically needs a restriction on not having a shell.
Ping me before starting on this - I've a 95% solution already.



Updated by Timothée Floure over 1 year ago

  • Status changed from New to Seen

Updated by Nico Schottelius over 1 year ago

ProxyCommand w/ Windows exists in PuTTY and usually uses plink - more details soon.


Updated by Timothée Floure about 1 year ago

Nico Schottelius please dump anything you want to say on the subject on this issue. I'll do without next time I go over this issue :-)


Updated by Nico Schottelius about 1 year ago

Very easy:

  • ssh config ("MatchUser != root") disallowing all commands
  • configuring the OS or PAM to authenticate against LDAP (subtree of dc=ungleich,dc=ch)
  • Basically disallowing shell
  • nft rules to allow to jump to 2a0a:e5c0::/29 and 2a09:2940::/29

So from the outside/black box test:

  • ssh -w in ~/.ssh/config with our jump host should work
  • ssh user@jumphost should not work / close the shell
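
An added example, not part of the ticket and not ungleich's configuration: a Python check of the properties listed above, run over the effective settings that `sshd -T -C user=<name>` prints for a non-root user, plus a test of a destination against the two prefixes. The required keyword values, function names and sample outputs are assumptions constructed here; only the two prefixes come from the ticket.

```python
import ipaddress
# Destination prefixes named in the ticket.
ALLOWED = [ipaddress.ip_network(p) for p in ("2a0a:e5c0::/29", "2a09:2940::/29")]

# Assumed policy for non-root users (not from the ticket); keywords as printed by `sshd -T`.
REQUIRED = {
    "permittty": {"no"},
    "allowtcpforwarding": {"yes", "local"},  # forwarding must stay on for the jump itself
    "x11forwarding": {"no"},
    "allowagentforwarding": {"no"},
    "permittunnel": {"no"},
}

def parse_sshd_t(text):  # one "keyword value" pair per line -> dict
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg[key.lower()] = value.strip()
    return cfg

def audit_user_config(text):
    """Return findings; an empty list means the assumed policy holds."""
    cfg = parse_sshd_t(text)
    findings = []
    if cfg.get("forcecommand", "none") == "none":
        findings.append("forcecommand: unset, so a login shell is reachable")
    for key, accepted in REQUIRED.items():
        value = cfg.get(key, "<missing>")
        if value not in accepted:
            findings.append(f"{key}: {value}, expected {' or '.join(sorted(accepted))}")
    return findings

def destination_allowed(addr):
    """True only for IPv6 addresses inside the ticket's two prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip.version == net.version and ip in net for net in ALLOWED)

# Constructed samples, not captured from a real host.
HARDENED = ("forcecommand /usr/sbin/nologin\npermittty no\nallowtcpforwarding local\n"
            "x11forwarding no\nallowagentforwarding no\npermittunnel no\n")
DEFAULTS = ("forcecommand none\npermittty yes\nallowtcpforwarding yes\n"
            "x11forwarding no\nallowagentforwarding yes\npermittunnel no\n")

if __name__ == "__main__":
    print(audit_user_config(DEFAULTS), destination_allowed("2a0a:e5c8::1"))
```

A /29 fixes only the first 29 bits, so `2a0a:e5c0::/29` spans `2a0a:e5c0::` through `2a0a:e5c7:ffff:…`, which is why `2a0a:e5c8::1` is rejected.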

Updated by Timothée Floure 6 months ago

  • Assignee deleted (Timothée Floure)
