OpenSSH using stepstones

You might be working in an environment where you always ssh from your machine to a middle machine and then connect to the destination machine. What a waste of time; let's see how you could automate it. The middle machine is frequently referred to as a stepstone host.


  • A workstation. In this example, the hostname is workstation.
  • A stepstone machine, the machine in the middle. The hostname is stepstone in this example.
  • The command nc (netcat) installed on the stepstone.
  • A destination machine, likely a server or your other workstation (at work, for example). The hostname is destination in this example.

Implementing it

On your workstation, add this snippet to ~/.ssh/config:

Host destination
ServerAliveInterval 60
ProxyCommand ssh stepstone nc -w 180 %h %p

Replace destination with the machine you will eventually connect to. Replace stepstone with the machine that is in the middle. Normally, you always log in to that box first, then continue. The -w 180 and ServerAliveInterval 60 are hints that Peter S. has given, see comments below.

After you have altered your ~/.ssh/config, go ahead and try to connect directly to your destination machine.

workstation $ ssh destination
[email protected]'s password:
[email protected]'s password:
destination $

Wow, you automated it! The only thing is these stupid passwords. Check out how to implement ssh-keys into your session and how to distribute keys. This is not required, but after a few days of password typing, you will want to set up ssh-keys properly.


Here is a snippet of a more complicated configuration:

ServerAliveInterval 60

Host stepstone
User myotherusername

Host 192.168.1.*
User yourusername
Port 2222
ProxyCommand ssh stepstone nc -w 180 %h %p

Setting a value without specifying a host makes that value count for every host, so the ServerAliveInterval is set for every host. If I connect to stepstone, I will use the username myotherusername. In the bottom declaration a * is used. This implies that all machines matching 192.168.1.* will be using this part of the configuration. When logging in to one of those machines, you will use the username yourusername.
You can do many tricks with OpenSSH; check out the manpage of ssh for more information.
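
As an added example (not part of the original page and not OpenSSH code), this Python sketch models how ssh applies the more complicated configuration above: lines before the first Host line apply everywhere, Host patterns use * and ?, and the first value obtained for an option wins. It is a simplified model that ignores Match, HostName, negated patterns and quoting; the function names are made up for this illustration.

```python
import re

# The page's second configuration, embedded verbatim.
CONFIG = """\
ServerAliveInterval 60

Host stepstone
User myotherusername

Host 192.168.1.*
User yourusername
Port 2222
ProxyCommand ssh stepstone nc -w 180 %h %p
"""

def pattern_matches(pattern, host):
    # ssh_config Host patterns know only two wildcards: * and ?
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host) is not None

def resolve(config, host):
    """Return the options that apply to `host` (keys lower-cased).
    Simplified model (assumption): no Match, HostName, negation or quoting."""
    options = {}
    active = True  # lines before the first Host line apply to every host
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(pattern_matches(p, host) for p in value.split())
        elif active:
            options.setdefault(key, value)  # first obtained value wins
    return options

def proxy_command(config, host):
    """Expand %h and %p as the nc on the stepstone will receive them."""
    opts = resolve(config, host)
    cmd = opts.get("proxycommand")
    if cmd is None:
        return None  # direct connection, no stepstone involved
    return cmd.replace("%h", host).replace("%p", opts.get("port", "22"))

if __name__ == "__main__":
    for name in ("stepstone", "192.168.1.20", "example.org"):
        print(name, resolve(CONFIG, name), proxy_command(CONFIG, name))
```

Because the first value wins, a ServerAliveInterval at the top of the file cannot be overridden by a later Host block. The inner ssh stepstone resolves to a direct connection, so the ProxyCommand does not recurse.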