"~C" will drop you into the SSH command line, allowing you to, among other things, effect port forwarding
-L8080:localhost:443
Learning that "~C" exists, and what you can do with it, has supercharged my use of SSH tunnels, which were already awesome on their own.
But for some reason this has been disabled by default in more recent ssh configurations... to ensure it's available
-o EnableEscapeCommandline=yes
or, in your ~/.ssh/config
EnableEscapeCommandline yes
(edit: formatting)
Also EnableEscapeCommandline fortunately only affects `~C` - the all-important `~.` to kill a hung SSH session still works with it disabled.
Goes over similar content as TFA, in perhaps a little more depth. Indispensable sysadmin knowledge.
ssh -J user1@bastion1,user2@bastion2 targetuser@targethost
Edit: Jumphosting was introduced in OpenSSH 7.3 2016-08-01.
It is also nice that it works recursively, so I can logically structure my rules so that the one for my regular targets says to use bastion1, then the rule for bastion1 says to go via bastion 2, etc.
I find this easier to reason about and maintain rather than juggling a bunch of these multi-step rules.
Support was added to OpenSSH about a decade ago? Even on a slow-moving Linux distro like Debian/LTS everyone should have support by now.
Are you using SSH key auth or password authenticating three times when you do this?
The final target is a pre-elliptic curve OpenSSH server, so legacy is enabled. I could probably have removed that for clarity.
C:\Users\me\>ssh -J me@bhost1,me@bhost2 -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=ssh-rsa -o MACs=hmac-sha1 oracle@target
Enter passphrase for key 'C:\Users\me/.ssh/id_ed25519':
me@host1's password:
Enter passphrase for key 'C:\Users\me/.ssh/id_ed25519':
me@host2's password:
oracle@target's password:
Last login: Wed Jun 24 13:29:55 2026 from bhost2
That client is Microsoft's port of OpenSSH.
The SOCKS proxy support can also deal with bad web filtering and privacy issues on public wifi networks (though nowadays if you're ssh'ing to a cloud IP, you'll get lots of "bot" restrictions).
I need VPN to get into some internal resources via SSH, but there are lots of external/public/AWS resources I also need to access, and the full VPN adds too much overhead and fragility for those.
Using the available split VPN, I can point a browser instance at a localhost SOCKS proxy port to relay over SSH + VPN for other web resources I need to access internally.
Unfortunately, Firefox proxy config rules are sort of backwards for my needs. I want to say "only use proxy for these 3 domains" whereas it wants to use the proxy by default and only allow me to bypass specific domains.
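The per-domain routing described above can be expressed as a proxy auto-config (PAC) file, which Firefox accepts through its automatic proxy configuration URL setting. This is an added example, not part of the original thread; the three domain names and the 127.0.0.1:1080 SOCKS listener (for instance one opened with `ssh -D 1080`) are assumptions.

```javascript
// Added example: PAC file that sends only selected domains through an SSH SOCKS tunnel.
// Assumptions (not from the thread): the tunnel listens on 127.0.0.1:1080 and
// the three domains below are placeholders for the internal sites.
var TUNNEL = "SOCKS5 127.0.0.1:1080";
var PROXIED_DOMAINS = [
  "wiki.corp.example",
  "git.corp.example",
  "build.corp.example"
];

// True when host is the domain itself or a subdomain of it. Matching on a
// label boundary keeps "evilwiki.corp.example" from matching "wiki.corp.example".
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Entry point the browser calls for each request; returns the routing decision.
function FindProxyForURL(url, host) {
  // Normalise: hostnames are case-insensitive and may carry a trailing root dot.
  var h = String(host).toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < PROXIED_DOMAINS.length; i++) {
    if (matchesDomain(h, PROXIED_DOMAINS[i])) {
      // Only the tunnel is listed for internal names; no "; DIRECT" fallback entry.
      return TUNNEL;
    }
  }
  // Everything else bypasses the tunnel.
  return "DIRECT";
}
```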
It's amazing how lightweight this method actually is. I have managed to connect hundreds of devices using a single EC2 nano instance.
Particularly, you can use name patterns to apply the same rule broadly, assuming you have some systematic naming scheme for your eventual target devices.
Some pages have a nice up-front synopsis of flags, others put them in a wall of text. Browsing the former can supplant Google, /\b-x while paging is helpful for the latter.
Why is that?
Can’t I just open up a harness and prompt “Teach me how to do X?”
So, if you use SSH tunneling to forward a port from localhost to a remote, then Docker unwittingly pushes to a remote. This is super useful "off the grid" with robotics/embedded applications where you don't want to bother with a registry and a good Internet connection.
Example, docker pussh: https://github.com/psviderski/unregistry
```/etc/docker/daemon.json
```
[1] https://docs.docker.com/reference/cli/dockerd/#insecure-regi...
I set it up a few years ago for my homelab