SSH ProxyJump Explained (and a Better Alternative)


Written by StrongDM Team
Last updated on: July 1, 2025
SSH ProxyJump lets you hop securely across multiple servers using bastion hosts. It’s cleaner than the older ProxyCommand, perfect for dev environments, and helpful when firewalls block direct access to production systems.
But ProxyJump isn’t without its limits—manual SSH key distribution, lack of audit trails, and no support for just-in-time (JIT) access can make it risky at scale. As teams grow and infrastructure sprawls across cloud and on-prem, these manual methods become harder to manage and secure.
Modern access solutions go further. They offer centralized control, ephemeral credentials, role-based access, and full session logging—features designed for compliance, scalability, and security. If you're relying solely on ProxyJump, it might be time to reassess.
What Is SSH ProxyJump?
SSH ProxyJump (the -J flag) is a more streamlined way to hop between SSH hosts using one or more bastion hosts. Instead of chaining multiple manual connections, ProxyJump creates a single end-to-end SSH session through the specified jump hosts. It was introduced in OpenSSH 7.5 to simplify access to servers that sit behind firewalls or live in private networks.
Here’s the basic syntax:
ssh -J user@bastion user@target
In this command:
- user@bastion is the jump—or bastion—host that you route through.
- user@target is your final destination, often a server without direct public access.
SSH ProxyJump is cleaner than older options like ProxyCommand, but still requires you to manage keys, permissions, and auditability manually, especially as your environment scales.
How SSH ProxyJump Works (with Multi-Hop & Config File Examples)
ProxyJump works by chaining connections between your SSH client and the target server using one or more bastion hosts. First, your client connects to the initial bastion. From there, each subsequent host forwards the connection until it reaches the destination.
Need to hop through multiple jump hosts? No problem. ProxyJump supports multi-hop SSH like this:
ssh -J user@jump1,user@jump2 user@target
But let’s be honest—sysadmins and engineers have better things to do than memorize and type long SSH commands every day. That’s where your SSH config file (~/.ssh/config) comes in handy.
Here’s how you can simplify access:
Host myserver
    HostName target.internal
    User user
    ProxyJump user@bastion.example.com
    IdentityFile ~/.ssh/id_rsa
Now instead of typing:
ssh -J user@bastion.example.com user@target.internal
You just run:
ssh myserver
Clean, fast, repeatable—and far less error-prone under pressure.
ProxyJump vs. SSH ProxyCommand: What’s the Difference?
Before OpenSSH introduced ProxyJump, engineers relied on ProxyCommand to route SSH traffic through intermediate hosts. It got the job done, but with more complexity under the hood.
ProxyCommand forwards standard input and output (stdin and stdout) through a bastion using tools like nc (netcat) or socat. It’s powerful and highly configurable, great for advanced setups or custom scripting. But it also comes with a downside: it’s harder to maintain, harder to read, and often harder to debug.
Here’s what a ProxyCommand setup looks like:
ssh -o ProxyCommand="ssh -W %h:%p user@bastion" user@target
In this example:
- -W forwards your client’s input/output to %h (the target host) and %p (the target port).
You can also configure it in your SSH config file:
Host remote-host
    ProxyCommand ssh bastion-host -W %h:%p
Then came ProxyJump—a cleaner, more readable alternative:
- Easier syntax
- Built-in support in OpenSSH 7.5+
- Lower barrier to use and maintain
With ProxyJump, that same connection becomes:
ssh -J user@bastion user@target
Or in your ~/.ssh/config:
Host remote-host
    ProxyJump user@bastion
Unless you need deep customization or scripting, ProxyJump wins on simplicity, readability, and day-to-day usability.
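The config-file and ProxyCommand sections above describe the same routing in two notations. The following is an added example, not code from the original article or from OpenSSH: it resolves the full hop chain for a Host alias from ssh_config text, including a jump host that has its own ProxyJump entry, and renders the equivalent ProxyCommand. The function names and the sample hosts are constructed for illustration; Match blocks, Include files and negated patterns are not handled.

```python
import fnmatch

# Constructed sample config; hostnames and users are placeholders.
SAMPLE = """\
Host bastion
    HostName bastion.example.com
Host inner
    HostName jump2.internal
    ProxyJump user@bastion
Host myserver
    HostName target.internal
    ProxyJump inner
"""

def parse(text):
    """Return [(host_patterns, options)] in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "host":
            blocks.append((parts[1].split(), {}))
        else:
            blocks[-1][1].setdefault(parts[0].lower(), parts[1].strip())
    return blocks

def lookup(blocks, alias, key):
    """ssh_config rule: the first obtained value for a keyword wins."""
    return next((o[key] for pats, o in blocks if key in o
                 and any(fnmatch.fnmatchcase(alias, p) for p in pats)), None)

def hop_chain(blocks, alias, seen=()):
    """Hosts traversed, in order, before the client reaches `alias`."""
    if alias in seen:
        raise ValueError(f"ProxyJump loop through {alias}")
    jump = lookup(blocks, alias, "proxyjump")
    if not jump or jump.lower() == "none":
        return []
    hops = [h.strip() for h in jump.split(",")]
    # Only the first hop's own entry is followed; later hops get the earlier ones via -J.
    first = hops[0].rsplit("@", 1)[-1].split(":")[0]  # drop user@ and :port
    return hop_chain(blocks, first, seen + (alias,)) + hops

def as_proxycommand(chain):
    """ProxyCommand equivalent of a hop chain, or None for a direct connection."""
    jump = f"-J {','.join(chain[:-1])} " if chain[:-1] else ""
    return f"ssh {jump}-W %h:%p {chain[-1]}" if chain else None
```

Running hop_chain over every alias in a shared config gives an inventory of which bastions each target depends on, which is useful to review before a jump host is rotated or retired.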
Common Use Cases for SSH ProxyJump
Not all scenarios require you to use SSH ProxyJump. However, several cases may benefit from this technique, including:
- Accessing Cloud VMs: A best practice when dealing with virtual machines (VMs) is to place them in private subnets. This makes it hard to access them from the internet. ProxyJump can help in accessing these cloud environments safely by automating the chain movement from the bastion to the private server.
- Remote Administration: For security reasons, your organization’s servers might run on-premise or in a hybrid environment, so they aren’t directly accessible on the public internet. If you need to manage these servers, ProxyJump can help. It works by routing access to these services through a hardened jump host.
- Accessing Development Environments: Again, due to security reasons, you might choose to keep sandbox or dev environments in a different network zone away from production. In this case, you can only reach these environments through a development bastion. ProxyJump makes this possible without using VPNs or going through multiple manual hops.
- Emergency Troubleshooting: Outages and security incidents are part of production and development. When they happen, you may have trouble directly accessing the affected systems because of prior configurations or intentional blocks. ProxyJump can help you hop across the blocks and provide a secure entry point.
- Compliance and Audit-Ready Access Controls: For organizations in regulated industries, such as finance and health, access control is vital for critical infrastructure and resources like data. Even more important is logging and monitoring for auditing purposes. With ProxyJump through a hardened bastion, you can ensure that access is funneled through a single entry point. This makes it easier to monitor and record all activities in line with compliance requirements.
Benefits and Limitations of Using ProxyJump
Like most tools, ProxyJump has both strengths and weaknesses. Understanding them is crucial, so you know what to anticipate.
Benefits
- Simpler Syntax: Compared to ProxyCommand, ProxyJump offers a simpler way to hop across multiple connections because you don’t have to type complicated commands.
- Highly Efficient: ProxyJump reduces latency and saves computing resources because it creates an end-to-end encrypted connection over just one TCP port.
- Enhanced Security: ProxyJump creates and maintains an end-to-end encrypted session between your client and the target, so the jump host only relays encrypted traffic and doesn’t give malicious attackers a gateway.
- Cleaner Configuration Files: Because of its simple syntax, ProxyJump makes the ~/.ssh/config file more readable and maintainable.
Limitations
- Static Configurations: ProxyJump relies on hard-coded usernames and IPs. This presents a problem in dynamic environments, as these static entries don’t necessarily scale with ephemeral infrastructure.
- Limited Auditing: With ProxyJump, you can’t tell who did what or accessed what and for how long because it doesn’t natively support per-user session logs.
- Complex Key Management: As teams grow, this can become messy because ProxyJump requires you to distribute and rotate SSH keys manually.
- Limited Granular Access Controls: You can’t enforce fine-grained or just-in-time access with ProxyJump because anyone who can access the server does so at the system user level.
A Better Alternative to SSH ProxyJump: Introducing StrongDM
While ProxyJump is effective, its limitations can lead to security complications. To avoid this, you’re better off using a solution like StrongDM to access remote servers in a secure and less cumbersome way. The Zero Trust PAM solution works by:
- Centralizing Access Management: You don’t have to manually manage SSH keys. StrongDM gives you role-based access controls, which saves time and effort.
- Eliminating Bastion Management: With ProxyJump, you must occasionally maintain and secure bastion hosts. StrongDM eliminates this by providing a secure connection without the need for bastion hosts.
- Logging and Auditing: StrongDM automatically logs every action performed on your servers, so you can tell who’s doing what, when they do it, and how they do it. This is not only essential for security, but also for auditing purposes.
- Providing Role-Based Access Management: You don’t have to worry about forgetting to revoke permissions and privileges, potentially introducing vulnerabilities. StrongDM supports JIT access so users have access for only the time required to perform their roles.
- Being Infrastructure-Agnostic: StrongDM isn’t limited to just on-premise and hybrid environments — you can use it across cloud and air-gapped environments.
Here’s how ProxyJump compares against StrongDM:
Feature | SSH ProxyJump | StrongDM |
Ease of Setup | Manual | Centralized UI & CLI |
Key Management | Manual | Ephemeral |
Access Granularity | Limited | Fine-grained RBAC |
Logging & Auditing | Minimal | Full session recording |
Multi-Hop Access | Manual chaining | Transparent routing |
Approval Workflows | ❌ | ✅ |
Zero Trust Alignment | ❌ | ✅ |
When to Use StrongDM Over SSH ProxyJump
It’s clear that StrongDM outpaces ProxyJump because of its capabilities. Your organization can benefit from using StrongDM in the following scenarios:
- You Must Meet Strict Compliance Requirements: If your industry requires compliance with standards like SOC 2, HIPAA, or PCI DSS, StrongDM can help. Its automated records and audit logs cover all access events, so you’re always prepared for audit reporting.
- Your Goal is Operational Efficiency: StrongDM can reduce the resources needed to manage bastion hosts and SSH keys.
- You Deal With Dynamic Environments: Static environments are a thing of the past. Today, organizations manage infrastructure across cloud, on-premises, and hybrid environments. A tool like StrongDM that can manage security effectively in these environments is a must-have.
- Security is Non-Negotiable: When it comes to security, you cannot afford to gamble. You need to secure your infrastructure on all fronts. StrongDM makes this possible through features such as detailed auditing and logging, JIT access, and session recording.
Ready to experience the power of StrongDM? Book a demo today.


About the Author
StrongDM Team. The StrongDM team is building and delivering a Zero Trust Privileged Access Management (PAM) solution, which delivers unparalleled precision in dynamic privileged action control for any type of infrastructure. The frustration-free access stops unsanctioned actions while ensuring continuous compliance.