Suppose that you need to reach a node that is not directly reachable (not on the internet, or other reasons) but that you can reach another bastion node in front. There is no need to each time ssh into that bastion host and then reconnect to the second node. ssh_config has a nice ProxyCommand feature for this , so here is an example of ~/.ssh/config :
Host bastion Hostname bastion.yourdomain.com ForwardAgent yes Host hidden Hostname IP.or.FQDN.known.by.bastion ProxyCommand ssh bastion -W %h:%p 2>/dev/null
You can now directly , from your laptop/workstation, use ssh to directly land in the "hidden" machine, without a need for a shell on the bastion host:
ssh hidden hostname hidden.yourdomain.com
This works also for sftp/scp to directly copying to that node.
Examples
To access CentOS CI infra you would need something like this in your .ssh/config ( and remember to chmod 600 the file ):
Host jump.ci Hostname jump.ci.centos.org User <your_ci_username> ProxyCommand none ForwardAgent yes GSSAPIAuthentication no Host *.ci.centos.org ProxyCommand ssh jump.ci -W %h:%p ForwardAgent yes GSSAPIAuthentication no
once this is added in, you should be able to ssh to your project account 'ssh <your_project_name>@slave01.ci.centos.org' and do any work needed on that machine.