SSH ProxyJump Explained (and a Better Alternative)

SSH ProxyJump lets you hop securely across multiple servers using bastion hosts. It’s cleaner than the older ProxyCommand, perfect for dev environments, and helpful when firewalls block direct access to production systems.

But ProxyJump isn’t without its limits—manual SSH key distribution, lack of audit trails, and no support for just-in-time (JIT) access can make it risky at scale. As teams grow and infrastructure sprawls across cloud and on-prem, these manual methods become harder to manage and secure.

Modern access solutions go further. They offer centralized control, ephemeral credentials, role-based access, and full session logging—features designed for compliance, scalability, and security. If you're relying solely on ProxyJump, it might be time to reassess.

What Is SSH ProxyJump?

SSH ProxyJump (the -J flag) is a more streamlined way to hop between SSH hosts using one or more bastion hosts. Instead of chaining multiple manual connections, ProxyJump creates a single end-to-end SSH session through the specified jump hosts. It was introduced in OpenSSH 7.5 to simplify access to servers that sit behind firewalls or live in private networks.

Here’s the basic syntax:

ssh -J user@bastion user@target

In this command:

  • user@bastion is the jump—or bastion—host that you route through.
  • user@target is your final destination, often a server without direct public access.

SSH ProxyJump is cleaner than older options like ProxyCommand, but still requires you to manage keys, permissions, and auditability manually, especially as your environment scales.

How SSH ProxyJump Works (with Multi-Hop & Config File Examples)

ProxyJump works by chaining connections between your SSH client and the target server using one or more bastion hosts. First, your client connects to the initial bastion. From there, each subsequent host forwards the connection until it reaches the destination.

Need to hop through multiple jump hosts? No problem. ProxyJump supports multi-hop SSH like this:

ssh -J user@jump1,user@jump2 user@target

But let’s be honest—sysadmins and engineers have better things to do than memorize and type long SSH commands every day. That’s where your SSH config file (~/.ssh/config) comes in handy.

Here’s how you can simplify access:

Host myserver
  HostName target.internal
  User user
  ProxyJump user@bastion.example.com
  IdentityFile ~/.ssh/id_rsa

Now instead of typing:

ssh -J user@bastion.example.com user@target.internal

You just run:

ssh myserver

Clean, fast, repeatable—and far less error-prone under pressure.
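
To see which bastions an alias really depends on, the following added example (not code from the original article or from OpenSSH) resolves the hop chain from ssh_config text, going beyond the single-alias case above to comma-separated hops, nested aliases and a wildcard block that makes a bastion jump through itself. The sample config, host names and function names are constructed; it assumes plain Host blocks with * and ? patterns only (no Match, Include or negated patterns) and that only the first listed hop's own ProxyJump is followed.

```python
import fnmatch

# Constructed sample ~/.ssh/config; all host names are hypothetical.
SAMPLE_CONFIG = """\
Host myserver
  ProxyJump user@bastion.example.com
Host db
  ProxyJump ops@jump1,ops@jump2:2222
Host jump1
  HostName jump1.example.com
  ProxyJump edge
Host *.corp
  ProxyJump gw.corp
"""

def parse_config(text):
    """Return [(host_patterns, options)]; options before any Host are global."""
    blocks = [(["*"], {})]
    for words in map(str.split, text.splitlines()):
        if words and words[0].lower() == "host":
            blocks.append((words[1:], {}))
        elif words and not words[0].startswith("#"):
            # the first value obtained for a keyword wins
            blocks[-1][1].setdefault(words[0].lower(), " ".join(words[1:]))
    return blocks

def lookup(blocks, name, key):
    """Value of `key` from the first matching Host block that sets it."""
    return next((o[key] for pats, o in blocks if key in o
                 and any(fnmatch.fnmatchcase(name, p) for p in pats)), None)

def resolve_hop(blocks, spec):
    """Map one [user@]host[:port] hop to (alias, 'user@hostname:port')."""
    user, _, rest = spec.rpartition("@")
    name, _, port = rest.partition(":")
    user = user or lookup(blocks, name, "user")
    host = lookup(blocks, name, "hostname") or name
    port = port or lookup(blocks, name, "port") or "22"
    return name, (user + "@" if user else "") + host + ":" + port

def jump_chain(blocks, alias, seen=()):
    """Ordered hops that `ssh alias` traverses; ValueError on a loop."""
    if alias in seen:
        raise ValueError("ProxyJump loop: " + " -> ".join(seen + (alias,)))
    spec = lookup(blocks, alias, "proxyjump") or "none"
    if spec.lower() == "none":
        return []
    hops = [resolve_hop(blocks, h) for h in spec.split(",")]
    # Assumption: only the first listed hop's own ProxyJump is followed.
    return jump_chain(blocks, hops[0][0], seen + (alias,)) + [h[1] for h in hops]
```

Running `jump_chain(parse_config(SAMPLE_CONFIG), "db")` lists every bastion the alias depends on, while `"app.corp"` raises because the wildcard block also matches its own jump host.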

ProxyJump vs. SSH ProxyCommand: What’s the Difference?

Before OpenSSH introduced ProxyJump, engineers relied on ProxyCommand to route SSH traffic through intermediate hosts. It got the job done, but with more complexity under the hood.

ProxyCommand forwards standard input and output (stdin and stdout) through a bastion using tools like nc (netcat) or socat. It’s powerful and highly configurable, great for advanced setups or custom scripting. But it also comes with a downside: it’s harder to maintain, harder to read, and often harder to debug.

Here’s what a ProxyCommand setup looks like:

ssh -o ProxyCommand="ssh -W %h:%p user@bastion" user@target

In this example:

  • -W forwards your client’s input/output to %h (the target host) and %p (the target port).

You can also configure it in your SSH config file:

Host remote-host
  ProxyCommand ssh bastion-host -W %h:%p

Then came ProxyJump—a cleaner, more readable alternative:

  • Easier syntax
  • Built-in support in OpenSSH 7.5+
  • Lower barrier to use and maintain

With ProxyJump, that same connection becomes:

ssh -J user@bastion user@target

Or in your ~/.ssh/config:

Host remote-host
  ProxyJump user@bastion

Unless you need deep customization or scripting, ProxyJump wins on simplicity, readability, and day-to-day usability.

Common Use Cases for SSH ProxyJump

Not all scenarios require you to use SSH ProxyJump. However, several cases may benefit from this technique, including:

  • Accessing Cloud VMs: A best practice when dealing with virtual machines (VMs) is to place them in private subnets. This makes it hard to access them from the internet. ProxyJump can help in accessing these cloud environments safely by automating the chain movement from the bastion to the private server. 
  • Remote Administration: For security reasons, your organization’s servers might run on-premise or in a hybrid environment, so they aren’t directly accessible on the public internet. If you need to manage these servers, ProxyJump can help. It works by routing access to these services through a hardened jump host.
  • Accessing Development Environments: Again, due to security reasons, you might choose to keep sandbox or dev environments in a different network zone away from production. In this case, you can only reach these environments through a development bastion. ProxyJump makes this possible without using VPNs or going through multiple manual hops.
  • Emergency Troubleshooting: Outages and security incidents are part of production and development. When they happen, you may have trouble directly accessing the affected systems because of prior configurations or intentional blocks. ProxyJump can help you hop across those blocks by providing a secure entry point.
  • Compliance and Audit-Ready Access Controls: For organizations in regulated industries, such as finance and health, access control is vital for critical infrastructure and resources like data. Even more important is logging and monitoring for auditing purposes. With ProxyJump through a hardened bastion, you can ensure that access is funneled through a single entry point. This makes it easier to monitor and record all activities in line with compliance requirements.

Benefits and Limitations of Using ProxyJump

Like most tools, ProxyJump has both strengths and weaknesses. Understanding them is crucial, so you know what to anticipate. 

Benefits

  • Simpler Syntax: Compared to ProxyCommand, ProxyJump offers a simpler way to hop across multiple connections because you don’t have to type complicated commands.
  • Highly Efficient: ProxyJump reduces latency and saves computing resources because it creates an end-to-end encrypted connection over just one TCP port.
  • Enhanced Security: ProxyJump maintains end-to-end encryption between your client and the target, so the jump host only relays encrypted traffic and doesn’t give malicious attackers a gateway into the session.
  • Cleaner Configuration Files: Because of its simple syntax, ProxyJump makes the ~/.ssh/config file more readable and maintainable.

Limitations

  • Static Configurations: ProxyJump relies on usernames and IPs hard-coded in commands and config files. This presents a problem in dynamic environments, as these hard-coded values don’t necessarily scale with ephemeral infrastructure.
  • Limited Auditing: With ProxyJump, you can’t tell who did what or accessed what and for how long because it doesn’t natively support per-user session logs. 
  • Complex Key Management: As teams grow, this can become messy because ProxyJump requires you to distribute and rotate SSH keys manually.
  • Limited Granular Access Controls: You can’t enforce fine-grained or just-in-time access with ProxyJump because anyone who can access the server does so at the system user level.

A Better Alternative to SSH ProxyJump: Introducing StrongDM

While ProxyJump is effective, its limitations can lead to security complications. To avoid this, you’re better off using a solution like StrongDM to access remote servers in a secure and less cumbersome way. The Zero Trust PAM solution works by:

  • Centralizing Access Management: You don’t have to manually manage SSH keys. StrongDM gives you role-based access controls, which saves time and effort.
  • Eliminating Bastion Management: With ProxyJump, you must occasionally maintain and secure bastion hosts. StrongDM eliminates this by providing a secure connection without the need for bastion hosts.
  • Logging and Auditing: StrongDM automatically logs every action performed on your servers, so you can tell who’s doing what, when they do it, and how they do it. This is not only essential for security, but also for auditing purposes.
  • Providing Role-Based Access Management: You don’t have to worry about forgetting to revoke permissions and privileges, potentially introducing vulnerabilities. StrongDM supports JIT access so users have access for only the time required to perform their roles. 
  • Being Infrastructure-Agnostic: StrongDM isn’t limited to just on-premise and hybrid environments — you can use it across cloud and air-gapped environments.

Here’s how ProxyJump compares against StrongDM:

Feature | SSH ProxyJump | StrongDM
Ease of Setup | Manual | Centralized UI & CLI
Key Management | Manual | Ephemeral
Access Granularity | Limited | Fine-grained RBAC
Logging & Auditing | Minimal | Full session recording
Multi-Hop Access | Manual chaining | Transparent routing
Approval Workflows | |
Zero Trust Alignment | |

When to Use StrongDM Over SSH ProxyJump

It’s clear that StrongDM outpaces ProxyJump because of its capabilities. Your organization can benefit from using StrongDM in the following scenarios: 

  • You Must Meet Strict Compliance Requirements: If your industry requires compliance with standards like SOC 2, HIPAA, or PCI DSS, StrongDM can help. Its automated records and audit logs cover all access events, so you’re always prepared for audit reporting.
  • Your Goal is Operational Efficiency: StrongDM can reduce the resources needed to manage bastion hosts and SSH keys.
  • You Deal With Dynamic Environments: Static environments are a thing of the past. Today, organizations manage infrastructure across cloud, on-premises, and hybrid environments. A tool like StrongDM that can manage security effectively in these environments is a must-have.
  • Security is Non-Negotiable: When it comes to security, you cannot afford to gamble. You need to secure your infrastructure on all fronts. StrongDM makes this possible through features such as detailed auditing and logging, JIT access, and session recording.


StrongDM Team

About the Author

The StrongDM team is building and delivering Zero Trust Privileged Access Management (PAM), which delivers unparalleled precision in dynamic privileged action control for any type of infrastructure. The frustration-free access stops unsanctioned actions while ensuring continuous compliance.
