My favorite use of this is peer-to-peer transfer of Docker images. The Docker CLI only allows you to use registries authenticated with HTTPS but there's an exception where it allows HTTP transfers over localhost.
So, if you use SSH tunneling to forward a port from localhost to a remote, then Docker unwittingly pushes to a remote. This is super useful "off the grid" with robotics/embedded applications where you don't want to bother with a registry and a good Internet connection.
That's not quite true, you just need to add the `insecure-registries`[1] option with a list of either IP (or ip ranges) or hostnames that you want to allow without TLS.
Yes this is true. I should caveat that we distributed the tool among a team and we didn't want to ask them to all edit their daemon.json with an ever-expanding list of IP addresses.
It is surprising how many times I see this content (this version might be marked “Published: Jun 19, 2026” but I've definitely seen those exact diagrams before, starting at least a few years ago, and the same content around them in many tutorials before that) without it being updated to mention jump-hosts.
Support was added to OpenSSH about a decade ago? Even on a low moving Linux distro like Debian/LTS everyone should have support by now.
For me, this is always used via ProxyJump rules in my ~/.ssh/config
It is also nice that it works recursively, so I can logically structure my rules so that the one for my regular targets say to use bastion1, then the rule for bastion1 says to go via bastion 2, etc.
I find this easier to reason about and maintain rather than juggling a bunch of these multi-step rules.
If you don't have an agent running with an accessible key, then you will get three password prompts, with suggestions for any default keys.
The final target is a pre-elliptic curve OpenSSH server, so legacy is enabled. I could probably have removed that for clarity.
C:\Users\me\>ssh -J me@bhost1,me@bhost2 -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=ssh-rsa -o MACs=hmac-sha1 oracle@target
Enter passphrase for key 'C:\Users\me/.ssh/id_ed25519':
me@host1's password:
Enter passphrase for key 'C:\Users\me/.ssh/id_ed25519':
me@host2's password:
oracle@target's password:
Last login: Wed Jun 24 13:29:55 2026 from bhost2
Because the jump mechanism works via use of TCP forwarding, each host authn step is talking "directly" to your client. Importantly, this means it still works without requiring "agent forwarding" for the connection you are making.
Learning how SSH port forwarding is great as a pseudo-vpn for everything from GUI-client database access to (in physical infra) access to web-admin tools for appliances.
The socks proxy support can also deal with bad web filtering and privacy issues on public wifi networks (though nowadays if you're ssh'ing to a cloud IP, you'll get lots of "bot" restrictions).
Yeah, I get use out of the SOCKS proxy mode in combination with a "split VPN" at work.
I need VPN to get into some internal resources via SSH, but there are lots of external/public/AWS resources I also need to access, and the full VPN adds too much overhead and fragility for those.
Using the available split VPN, I can point a browser instance at a localhost SOCKS proxy port to relay over SSH + VPN for other web resources I need to access internally.
Unfortunately, Firefox proxy config rules are sort of backwards for my needs. I want to say "only use proxy for these 3 domains" whereas it wants to use the proxy by default and only allow me to bypass specific domains.
In the past, I've used plugins to do just what you ask. FoxyProxy Standard did the trick (it looks like there's now at least another more standard "VPN" version, too). It looks like Firefox does have support for Native PAC files that'll also do the trick: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Pro...
If you have many different remote devices behind NATs or firewalls, a cool trick to access them all via EC2 server (or such) is to setup Remote Forwarding via UNIX socket on the server side, to devices' port 22. Preferably, UNIX socket filenames should start with a common prefix, so an SSH config can be written that will use ssh+socat in a ProxyCommand to establish the connection.
It's amazing how lightweight this method actually is. I have managed to connect hundreds of devices using a single EC2 nano instance.
I think the more modern ProxyJump rule is superior for this. Just let it manage the actual TCP forwarding for you automatically. It's just the normal "bastion host" concept.
Particularly, you can use name patterns to apply the same rule broadly, assuming you have some systematic naming scheme for your eventual target devices.
It is, because manuals are often not the best way to learn things. Most software manuals are reference manuals. SSH man page isn't too bad. I learned most of my SSH knowledge from it, but I'm not sure it's the best way to do it.
For me, the best way to learn a tool is for a quick example or two showing its utility, then practicing with those, reading the man as needed on specific flags. Google or bot ”how do x" ? Repeat : done
Some pages have a nice up-front synopsis of flags, others put them in a wall of text. Browsing the former can supplant Google, /\b-x while paging is helpful for the latter.
Weird.. I have almost this exact same "cheat sheet" printed out and stuck up on my whiteboard.. except it's slightly different. Only 4 panels instead of 6 and the panels don't have titles.
I know this is a solid "cool story bro" moment, but whatever hah
There's a asymmetry here that "-R" works both for reverse static and dynamic (using SOCKS protocol) forwarding, but "-D" is required for dynamic forwarding which "-L" cannot do.
I do this all the time, I have a skill/gem with instructions on how I want to receive info, how to format and so on. Really helps to go fast to get the point.
It goes like this:
---
As an expert tutorial creator for experienced engineers, you take the input the user request and make interactive tutorial. Default style is technology, tech is mac and linux. Default style is 20mins, but you ask for the timeline. Also do not forget to provide the cost of technologies used.
---
I personally do this, ask claude code to teach me about concepts I don't know about when it codes something, and only then I accept what it suggests to me
So, if you use SSH tunneling to forward a port from localhost to a remote, then Docker unwittingly pushes to a remote. This is super useful "off the grid" with robotics/embedded applications where you don't want to bother with a registry and a good Internet connection.
Example, docker pussh: https://github.com/psviderski/unregistry
```/etc/docker/daemon.json
```[1] https://docs.docker.com/reference/cli/dockerd/#insecure-regi...
i set it up a few years ago for my homelab
"~C" will drop you into the SSH command line, allowing you to, among other things, effect port forwarding
Learning that "~C" exists, and what you can do with it, has supercharged my use of SSH tunnels, which were already awesome on their own.But for some reason this has been disabled by default in more recent ssh configurations... to ensure its available
or, in your ~/.ssh/config (edit: formatting)Also EnableEscapeCommandline fortunately only affects `~C` - the all-important `~.` to kill a hung SSH session still works with it disabled.
Goes over similar content as TFA, in perhaps a little more depth. Indispensable sysadmin knowledge.
[0] https://github.com/sshuttle/sshuttle
https://www.openssh.org/releasenotes.html
Support was added to OpenSSH about a decade ago? Even on a low moving Linux distro like Debian/LTS everyone should have support by now.
It is also nice that it works recursively, so I can logically structure my rules so that the one for my regular targets say to use bastion1, then the rule for bastion1 says to go via bastion 2, etc.
I find this easier to reason about and maintain rather than juggling a bunch of these multi-step rules.
Are you using SSH key auth or password authenticating three times when you do this?
The final target is a pre-elliptic curve OpenSSH server, so legacy is enabled. I could probably have removed that for clarity.
That client is Microsoft's port of OpenSSH.Because the jump mechanism works via use of TCP forwarding, each host authn step is talking "directly" to your client. Importantly, this means it still works without requiring "agent forwarding" for the connection you are making.
The socks proxy support can also deal with bad web filtering and privacy issues on public wifi networks (though nowadays if you're ssh'ing to a cloud IP, you'll get lots of "bot" restrictions).
I need VPN to get into some internal resources via SSH, but there are lots of external/public/AWS resources I also need to access, and the full VPN adds too much overhead and fragility for those.
Using the available split VPN, I can point a browser instance at a localhost SOCKS proxy port to relay over SSH + VPN for other web resources I need to access internally.
Unfortunately, Firefox proxy config rules are sort of backwards for my needs. I want to say "only use proxy for these 3 domains" whereas it wants to use the proxy by default and only allow me to bypass specific domains.
It's amazing how lightweight this method actually is. I have managed to connect hundreds of devices using a single EC2 nano instance.
Particularly, you can use name patterns to apply the same rule broadly, assuming you have some systematic naming scheme for your eventual target devices.
Some pages have a nice up-front synopsis of flags, others put them in a wall of text. Browsing the former can supplant Google, /\b-x while paging is helpful for the latter.
I know this is a solid "cool story bro" moment, but whatever hah
Why is that?
Can’t I just open up a harness and prompt “Teach me how to do X?”