123 Stars 5 Forks BSD 3-Clause "New" or "Revised" License 18 Commits 0 Opened issues


ssh-chain - ssh via a chain of intermediary hosts


This functionality is built into OpenSSH via the -J option as of version 7.3; this tool will therefore no longer be maintained.


Copy the ssh-chain script to somewhere that's in your path. Append the following to ~/.ssh/config or /etc/ssh/ssh_config:

# This should be the last entry
Host *^*
    ProxyCommand ssh-chain %h %p

and you're done.


ssh-chain can act as a wrapper to ssh in order to avoid filling your known_hosts file with garbage - just run ssh-chain instead of ssh.

The simple use case is this:

ssh final.example^second.example^first.example

The connection is built right to left, so you'll end up with a set of connections that looks like this:

you -> first.example -> second.example -> final.example

This will also work with scp/sftp and hopefully any other tool that invokes ssh as a backend (e.g. rsync, git, svn, etc.) and all the standard features such as port forwarding should work.


Sometimes you'll need to specify a username or port for an intermediary host. Since ssh will normally consume these, a different (and sort of weird) syntax is used. Ports are specified by appending an underscore and the port number (e.g. foo.example_2222), and usernames use a plus instead of an at symbol (e.g. jdoe+foo.example). The far left host still needs to be specified using an at symbol since this doesn't get fed to the ProxyCommand. Example:

[email protected]^johnd+second.example_2222^john+first.example_443
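
Since OpenSSH 7.3 replaces this tool with -J, the caret syntax above can be translated mechanically into a -J argument. The following is an added example, not part of ssh-chain: chain_to_jump and hop_to_jump are hypothetical helper names, the jdoe username in the sample call is constructed, and the character whitelist is an assumption chosen so that no hop can be read by ssh as an option.

```bash
#!/usr/bin/env bash
# Added example (not ssh-chain's own code): convert ssh-chain caret syntax
# into the equivalent OpenSSH >= 7.3 "-J" (ProxyJump) arguments.

# One intermediary hop: user+host_port -> user@host:port
hop_to_jump() {
    local hop="$1" user= port=
    case $hop in *+*) user=${hop%%+*}; hop=${hop#*+} ;; esac
    case $hop in *_*) port=${hop##*_}; hop=${hop%_*}
                      [ -n "$port" ] || return 1 ;; esac
    # Assumed whitelist: refuse empty hops, a leading "-" (would be parsed
    # as an ssh option) and characters that would break the -J list.
    case $hop  in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $user in -*|*[!A-Za-z0-9._-]*)   return 1 ;; esac
    case $port in *[!0-9]*)               return 1 ;; esac
    printf '%s%s%s' "${user:+$user@}" "$hop" "${port:+:$port}"
}

# Whole chain: final^second^first -> "-J first,second final"
chain_to_jump() {
    local chain="$1" target jumps= hop j
    target=${chain%%^*}
    case $target in ''|-*) return 1 ;; esac
    # No caret: nothing to chain, pass the host through unchanged
    [ "$target" != "$chain" ] || { printf '%s\n' "$target"; return 0; }
    chain=${chain#*^}
    # ssh-chain lists hops right to left; -J wants connection order,
    # so peel hops off the right-hand end.
    while :; do
        hop=${chain##*^}
        j=$(hop_to_jump "$hop") || return 1
        jumps=${jumps:+$jumps,}$j
        case $chain in *^*) chain=${chain%^*} ;; *) break ;; esac
    done
    printf -- '-J %s %s\n' "$jumps" "$target"
}

# Constructed sample input
chain_to_jump 'jdoe@final.example^johnd+second.example_2222^john+first.example_443'
# -> -J john@first.example:443,johnd@second.example:2222 jdoe@final.example
```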


To make host-specific options work for hosts other than the first one in the chain, you need to change lines like this

Host *.foo.example bar.example
    User john
    Port 2222

to this:

Host *.foo.example *.foo.example^* bar.example bar.example^*
    User john
    Port 2222


It's preferable to use OpenSSH 5.4 or newer with ssh-chain. 'netcat mode' (-W) was added in that release, and it is faster than exec'ing netcat on the remote host. ssh-chain auto-detects whether -W is available and will remote exec netcat otherwise.
