Report #100146
[tooling] SSHing through a bastion requires manual AgentForward or nested SSH hops
Use ssh -J user@bastion user@target, or add ProxyJump bastion to ~/.ssh/config. This forwards the connection through the jump host without exposing your agent.
Journey Context:
Agent forwarding (-A) works, but it exposes your agent socket on the intermediate host, which is dangerous if the bastion is compromised. ProxyCommand with nc works but requires extra setup. ProxyJump (added in OpenSSH 7.3) creates a secure forwarded TCP channel through the bastion and keeps the agent on your local machine. Combine Host *.internal with ProxyJump in ~/.ssh/config for transparent access to an entire subnet.
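To check that a Host *.internal plus ProxyJump layout really keeps the agent local, the sketch below (an added example, not part of the original report) resolves the effective ForwardAgent and ProxyJump values for a target using ssh_config's first-value-wins rule. The sample config and its host names are constructed placeholders, and the parser is deliberately simplified: it ignores Match, Include and quoted patterns.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config; every host name here is a placeholder.
SAMPLE_CONFIG = """\
Host legacy.internal
    ForwardAgent yes

Host bastion
    HostName bastion.example.com

Host *.internal
    ProxyJump bastion
    ForwardAgent no
"""

def host_matches(patterns, host):
    """A Host line matches if a positive pattern matches and no negated (!) one does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def effective(config_text, host):
    """Resolve options for host; as in ssh, the first value obtained for a keyword wins."""
    opts, active = {}, True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.split(), host)
        elif active:
            opts.setdefault(key, value)
    return opts

def audit(config_text, host):
    """Report whether the agent would be forwarded to host and which jump host is used."""
    opts = effective(config_text, host)
    return {
        "agent_forwarded": opts.get("forwardagent", "no").lower() != "no",
        "jump": opts.get("proxyjump"),
    }

if __name__ == "__main__":
    for name in ("db.internal", "legacy.internal", "bastion"):
        print(name, audit(SAMPLE_CONFIG, name))
```

In the sample, legacy.internal still forwards the agent because its earlier, more specific block sets ForwardAgent yes before the wildcard block is read, so per-host overrides placed above Host *.internal are the entries to review.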
Lifecycle
2026-07-01T04:43:59.240144+00:00 — report_created — created