Downsides to using ProxyJump when not necessary
Solution 1:
ProxyJump in essence does the following:
- It connects to the proxy, creating a TCP port forward from a random local port to the target port (22 or whichever is configured for the target host). This connection lives in the background.
- It then connects to this forwarded port, thereby using the just-created SSH TCP tunnel. The tunnel is set up to connect to the target host's SSH port, so the connection proceeds to that target port.
The SSH connection is therefore direct. You can pass TCP tunnels through it, forward or reverse, or use any other SSH features. You can even use a proxied server as a proxy to a third system, and then there will be two background connections forwarding random ports.
The downsides as I see them are:
- The dependence on the proxy. If you need to do some work on the proxy itself, reboot it, or something like this, all connections that are running through it will be terminated.
- The target host sees the connection as if it were made from the proxy. The real address of the connecting system is completely hidden. The burden of supporting the security of this lies on the proxy. Moreover, if the target host has some auto-banning service running like fail2ban, and if the proxy connection was successful but the target one is not, that service could eventually block any connections from the proxy. Not very convenient!
Both of these downsides are the necessary trade-offs of using a proxy, but sometimes, when the host is accessible directly, they could be unexpected (i.e. when you think you're connecting directly).
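As an added example (not part of the answer above), the following script writes a standalone ssh_config in which ProxyJump is set only for hosts that genuinely need the bastion, alongside the equivalent ProxyCommand spelling, and then resolves which alias will actually jump. All host aliases, addresses and the bastion name are constructed placeholders; the point is to make the jump an explicit, per-host decision so you never go through the proxy unexpectedly.

```shell
#!/bin/sh
# Added example, not from the original answer. Writes an ssh_config where the
# jump is explicit per host, then reports which aliases will use ProxyJump.
# Host names, addresses and "bastion" are constructed placeholders.
set -eu

CFG="${TMPDIR:-/tmp}/proxyjump_example_config"

# Write the example client config to the path given as $1.
write_ssh_config() {
    cat > "$1" <<'EOF'
# Bastion: the only host reached over the public network. Every jumped
# login shows up on the target with this host's address as the peer.
Host bastion
    HostName bastion.example.net
    User ops

# Reachable directly from here, so no ProxyJump. A failed login against it
# counts against our real address, not against the bastion.
Host dbhost
    HostName 10.0.1.20
    User ops

# Only reachable from the bastion's network: jump on purpose.
Host internal-app
    HostName 10.0.2.30
    User ops
    ProxyJump bastion

# Same routing written as ProxyCommand (works on clients older than 7.3).
Host internal-app-legacy
    HostName 10.0.2.30
    User ops
    ProxyCommand ssh -W %h:%p bastion
EOF
}

# Print the ProxyJump target configured for alias $2 in config $1, or "none".
# Scans "Host" blocks with awk so it works without an ssh client installed.
effective_proxyjump() {
    awk -v a="$2" '
        $1 == "Host" { inblock = ($2 == a) }
        inblock && $1 == "ProxyJump" { print $2; found = 1 }
        END { if (!found) print "none" }
    ' "$1"
}

# Stand-alone run: write the config and list each alias with its jump host.
write_ssh_config "$CFG"
for alias in bastion dbhost internal-app internal-app-legacy; do
    printf '%-20s ProxyJump: %s\n' "$alias" "$(effective_proxyjump "$CFG" "$alias")"
done
```

On a machine with an OpenSSH client you can confirm the same thing for a real config with `ssh -G -F <config> <alias> | grep -i proxy`, which dumps the resolved settings without connecting. Note that `internal-app-legacy` reports "none" here because the jump is expressed as ProxyCommand, which this helper deliberately does not treat as a ProxyJump; on the target host both spellings look identical, and a fail2ban on the target would attribute any failed jumped logins to the bastion's address. If that is a concern, fail2ban's `ignoreip` setting can exempt the bastion, at the cost of no longer banning brute force that really comes through it.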