SSH Jump Host & Bastion Chaining

Connect to private servers behind one or many SSH bastions with Tempest's recursive jump-host chaining — like OpenSSH ProxyJump, with a GUI.

Tempest's Jump Host feature is a GUI equivalent of OpenSSH's ProxyJump — connect to a private server through one or many SSH bastions, with each hop authenticated independently and tunneled over a direct-tcpip channel (no cleartext exposure on the bastion).

Use it whenever your target server isn't directly reachable: production hosts behind a corporate bastion, lab machines behind a VPN gateway, IoT devices behind a remote development box.

Single jump host

  1. Add the bastion as a normal SSH connection in Tempest. Save it.

  2. Add the target server.

  3. In the target's edit form, set Jump Host to your bastion.

  4. Save and connect.

Tempest authenticates to the bastion first, opens an SSH direct-tcpip tunnel from the bastion to your target, and runs the SSH handshake with your target through that tunnel — exactly like ssh -J bastion target.

Recursive chains (jump → jump → target)

Set the bastion's own Jump Host to a higher-level bastion. Tempest walks the chain:

Tempest → bastion-1 → bastion-2 → target

Each hop:

  • Has its own credentials (password, key, cert, agent — independently configured).

  • Verifies its own host key fingerprint with you the first time.

  • Reports per-hop status messages in the SSH terminal as the connection builds.

There's no built-in chain length limit. Common patterns: 2 hops (corporate edge → app cluster), 3 hops (corporate edge → cluster bastion → namespace pod).
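The chain walk described above, as an added example (not Tempest's code): it follows each host's jump-host reference outermost-first, rejects a loop, and prints the equivalent OpenSSH command. The inventory, addresses and the jump_host key are constructed for illustration and are not Tempest's storage format.

```python
import shlex

# Constructed inventory; "jump_host" is a hypothetical stand-in for the
# Jump Host form field, and all addresses and users are sample values.
HOSTS = {
    "bastion-1": {"addr": "edge.example.com", "user": "ops", "port": 22, "jump_host": None},
    "bastion-2": {"addr": "10.0.0.5", "user": "ops", "port": 2222, "jump_host": "bastion-1"},
    "target": {"addr": "10.0.8.20", "user": "deploy", "port": 22, "jump_host": "bastion-2"},
}


def resolve_chain(hosts, name):
    """Return hop names outermost-first, ending with `name`."""
    chain, seen = [], set()
    current = name
    while current is not None:
        if current in seen:
            # A host that (directly or indirectly) jumps through itself
            # would otherwise recurse forever.
            raise ValueError(f"jump host loop at {current!r}")
        if current not in hosts:
            raise KeyError(f"unknown host {current!r}")
        seen.add(current)
        chain.append(current)
        current = hosts[current]["jump_host"]
    chain.reverse()
    return chain


def dest(host):
    """Format a hop as user@host:port, the form -J / ProxyJump accepts."""
    return f"{host['user']}@{host['addr']}:{host['port']}"


def ssh_command(hosts, name):
    """Build the OpenSSH command line equivalent to the resolved chain."""
    *jumps, final = [hosts[n] for n in resolve_chain(hosts, name)]
    argv = ["ssh"]
    if jumps:
        # Multiple jump hops are comma-separated, first hop first.
        argv += ["-J", ",".join(dest(h) for h in jumps)]
    argv += ["-p", str(final["port"]), f"{final['user']}@{final['addr']}"]
    return shlex.join(argv)


if __name__ == "__main__":
    print(ssh_command(HOSTS, "target"))
```

IPv6 literals would need bracketed addresses in the -J list; the sample data uses hostnames and IPv4 only.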

How it differs from OpenSSH ProxyJump

| Feature | OpenSSH -J / ProxyJump | Tempest Jump Host |
| --- | --- | --- |
| Tunneling | direct-tcpip channel | Same |
| Per-hop auth method | Reads your ~/.ssh/config | First-class form fields per host |
| Per-hop credentials in keychain | Manual | Tempest Keychain |
| Recursive chains | Yes (with config) | Yes (UI-driven) |
| GUI host-key verification | No | Yes — fingerprint dialog per hop |

Pro feature

Jump host chaining is part of Tempest Pro.

Combine with proxy commands

A jump host's own connection can also use a Proxy Command (e.g., cloudflared access ssh, aws ssm start-session). This lets you compose, for example:

The first hop reaches the bastion through Cloudflare Access; the second hop tunnels to the target via standard SSH direct-tcpip.

See SSH Client for Teleport, Cloudflare Access, AWS SSM, GCP IAP & Tailscale for proxy-command setup.

Troubleshooting

  • "Connection refused" to the target: the bastion might not have a route to the target. SSH into the bastion first and verify with nc -zv target 22.

  • Host-key fingerprint dialog appears on every connect: make sure you accept the fingerprint rather than just dismissing the dialog. Tempest stores the accepted fingerprint in the host's fingerprint_v2 field.

  • First hop authenticates, second hop hangs: check that the bastion's sshd allows direct-tcpip forwarding (AllowTcpForwarding yes in its sshd_config).
