# SSH Jump Host & Bastion Chaining

Tempest's **Jump Host** feature is a GUI equivalent of OpenSSH's `ProxyJump`: connect to a private server through one or more SSH bastions, with each hop authenticated independently and tunneled over a `direct-tcpip` channel, so the bastion relays the inner SSH session without seeing it in cleartext.

Use it whenever your target server isn't directly reachable: production hosts behind a corporate bastion, lab machines behind a VPN gateway, IoT devices behind a remote development box.

## Single jump host

1. Add the **bastion** as a normal SSH connection in Tempest. Save it.
2. Add the **target** server.
3. In the target's edit form, set **Jump Host** to your bastion.
4. Save and connect.

Tempest authenticates to the bastion first, opens an SSH `direct-tcpip` tunnel from the bastion to your target, and runs the SSH handshake with your target through that tunnel — exactly like `ssh -J bastion target`.

## Recursive chains (jump → jump → target)

Set the bastion's **own** Jump Host to a higher-level bastion. Tempest walks the chain:

```
Tempest → bastion-1 → bastion-2 → target
```

Each hop:

* Has its own credentials (password, key, cert, agent — independently configured).
* Verifies its own host key fingerprint with you the first time.
* Reports per-hop status messages in the SSH terminal as the connection builds.

There's no built-in chain length limit. Common patterns: 2 hops (corporate edge → app cluster), 3 hops (corporate edge → cluster bastion → namespace pod).

## How it differs from OpenSSH `ProxyJump`

| Feature                         | OpenSSH `-J` / `ProxyJump` | Tempest Jump Host                |
| ------------------------------- | -------------------------- | -------------------------------- |
| Tunneling                       | `direct-tcpip` channel     | Same                             |
| Per-hop auth method             | Reads your `~/.ssh/config` | First-class form fields per host |
| Per-hop credentials in keychain | Manual                     | Tempest Keychain                 |
| Recursive chains                | Yes (with config)          | Yes (UI-driven)                  |
| GUI host-key verification       | No                         | Yes — fingerprint dialog per hop |

## Pro feature

Jump host chaining is part of **Tempest Pro**.

## Combine with proxy commands

A jump host's *own* connection can also use a Proxy Command (e.g., `cloudflared access ssh`, `aws ssm start-session`). This lets you compose, for example:

```
Tempest → cloudflared tunnel → corporate-bastion → prod-target
```

The first hop reaches the bastion through Cloudflare Access; the second hop tunnels to the target via standard SSH `direct-tcpip`.

See [SSH Client for Teleport, Cloudflare Access, AWS SSM, GCP IAP & Tailscale](/connect-to-servers/ssh-client-for-teleport-cloudflare-access-aws-ssm-gcp-iap-and-tailscale.md) for proxy-command setup.

## Troubleshooting

* **"Connection refused" to the target**: the bastion might not have a route to the target. SSH into the bastion first and verify with `nc -zv target 22`.
* **Host-key fingerprint dialog appears on every connect**: make sure you accept the fingerprint rather than just dismissing the dialog. Tempest stores it in the host's `fingerprint_v2` field.
* **First hop authenticates, second hop hangs**: check whether the bastion's sshd allows `direct-tcpip` forwarding (`AllowTcpForwarding yes`).
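
A check for the forwarding prerequisite in the last item, as an added example that is not part of Tempest or its documentation: it reads the effective server settings that `sshd -T` prints on the bastion and reports whether a `direct-tcpip` channel to the target would be allowed. It goes beyond the `AllowTcpForwarding` setting named above by also reading `DisableForwarding` and `PermitOpen`, which can block the same channel; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Tempest code): decide from `sshd -T` output whether a
# bastion permits the direct-tcpip channel that a jump hop needs.
# Usage on the bastion: sshd -T | jump_forwarding_verdict <host> <port>
# Prints one verdict line; status 0 if the hop is permitted, 1 otherwise.
# The body runs in a subshell so `set -f` and `exit` stay local to the call.
jump_forwarding_verdict() (
    set -f                      # PermitOpen entries may contain * or [
    want_host=$1
    want_port=$2
    fwd=yes                     # sshd defaults, used if a keyword is absent
    disable=no
    permitopen=any
    while read -r key value; do
        case $key in
            allowtcpforwarding) fwd=$value ;;
            disableforwarding)  disable=$value ;;
            permitopen)         permitopen=$value ;;
        esac
    done
    if [ "$disable" = yes ]; then
        echo "blocked: disableforwarding yes"
        exit 1
    fi
    # direct-tcpip is forwarding requested by the client, i.e. "local".
    case $fwd in
        yes|all|local) ;;
        *) echo "blocked: allowtcpforwarding $fwd"; exit 1 ;;
    esac
    # PermitOpen names are compared literally, so <host> must be spelled the
    # way the client requests it (name vs. IP address matters).
    for entry in $permitopen; do
        case $entry in
            any|"$want_host:$want_port"|"$want_host:*"|"*:$want_port"|"*:*")
                echo "ok: allowtcpforwarding $fwd, permitopen $entry"
                exit 0 ;;
        esac
    done
    echo "blocked: permitopen does not list $want_host:$want_port"
    exit 1
)

# Constructed sample input, not captured from a real host.
printf '%s\n' 'allowtcpforwarding local' 'disableforwarding no' \
    'permitopen 10.0.0.5:22 10.0.0.6:22' |
    jump_forwarding_verdict 10.0.0.6 22
```

`sshd -T` normally needs root, and settings inside `Match` blocks only appear when the connection is described with `-C`.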

## See also

* [SSH Port Forwarding](/connect-to-servers/ssh-port-forwarding.md) — local / remote / dynamic forwards through your jump chain
* [SSH Client for Teleport, Cloudflare Access, AWS SSM, GCP IAP & Tailscale](/connect-to-servers/ssh-client-for-teleport-cloudflare-access-aws-ssm-gcp-iap-and-tailscale.md)


