SSH Jumpbox Access
This guide explains how to use the Synderys SSH jumpbox to reach internal servers. The jumpbox is a restricted gateway that lets you SSH to internal infrastructure through the VPN without having a shell on the firewall itself.
Before You Begin
You will need:
- A working VPN connection (see VPN Setup)
- An SSH key pair on your computer
- Your SSH public key uploaded to your Authentik profile
- Membership in the jumpbox-users group (ask your administrator)
Step 1: Generate an SSH Key (if you don't have one)
If you already have an SSH key, skip to Step 2.
On macOS/Linux, open Terminal and run:
ssh-keygen -t ed25519 -C "your.name@synderys.com"
Press Enter to accept the default location (~/.ssh/id_ed25519). Set a passphrase when prompted — this protects your key if your computer is compromised.
Your public key is now at ~/.ssh/id_ed25519.pub.
On Windows, open PowerShell and run:
ssh-keygen -t ed25519 -C "your.name@synderys.com"
Accept the default location and set a passphrase. Your public key is at C:\Users\<you>\.ssh\id_ed25519.pub.
Step 2: Upload Your SSH Public Key to Authentik
- Sign in to https://auth.synderys.com/if/user/#/settings
- Scroll down to the SSH Public Key field
- Copy the contents of your public key file and paste it into the field:
  macOS/Linux: cat ~/.ssh/id_ed25519.pub
  Windows (PowerShell): Get-Content $env:USERPROFILE\.ssh\id_ed25519.pub
- Click Update to save
Your key will be synced to the jumpbox automatically within 5 minutes.
One key per person
Upload only one public key. If you need to change your key (new computer, key rotation), update the field in Authentik — the old key will be removed automatically on the next sync.
Step 3: Configure SSH on Your Computer
Add the following to your SSH config file (~/.ssh/config on macOS/Linux, C:\Users\<you>\.ssh\config on Windows):
# Synderys Jumpbox — gateway to internal servers
Host synderys-jumpbox
    HostName 192.168.0.1
    User jumpbox
    # If using the SOCKS proxy setup:
    # ProxyCommand nc -x 127.0.0.1:1081 %h %p
    ForwardAgent yes
    IdentityFile ~/.ssh/id_ed25519

# Example: GitLab via jumpbox
Host synderys-gitlab
    HostName 192.168.0.16
    User seed
    ProxyJump synderys-jumpbox
    IdentityFile ~/.ssh/id_ed25519
ProxyCommand vs direct
If you're using the Tailscale app directly (not the SOCKS proxy setup), the jumpbox is reachable at 192.168.0.1 through the VPN with no ProxyCommand needed. If you're using the dual-Tailscale SOCKS proxy setup, uncomment the ProxyCommand line.
Step 4: Connect
Option A: ProxyJump (Recommended)
ProxyJump is the cleanest way to reach internal servers. Your SSH key stays on your computer: the connection to the target server is tunnelled through the jumpbox and you authenticate to the target from your own machine, so the jumpbox never sees your private key.
ssh synderys-gitlab
Or without the config entry:
ssh -J jumpbox@192.168.0.1 seed@192.168.0.16
This connects you directly to GitLab, bouncing through the jumpbox transparently. You'll see the GitLab server's shell, not the jumpbox shell.
Option B: Interactive Jumpbox
Connect to the jumpbox directly to see your allowed destinations and manually SSH from there:
ssh synderys-jumpbox
You'll see:
Synderys Jumpbox
Group: synderys-engineering
Allowed destinations:
192.168.0.16 (GitLab)
Usage: ssh [user@]<ip> Connect to a host
exit Disconnect
jumpbox>
From the jumpbox> prompt, type:
ssh seed@192.168.0.16
SSH Agent Forwarding Required
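When using the interactive jumpbox, you need SSH agent forwarding so the jumpbox can use your key to authenticate to the target server. This is handled by ForwardAgent yes in the SSH config above. If you connect without agent forwarding, you'll get Permission denied (publickey) on the target server. While the agent is forwarded, the jumpbox can request signatures from it for as long as you stay connected, although the private key itself never leaves your computer; prefer ProxyJump (Option A) when you don't need the interactive prompt.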
Type exit to return to the jumpbox prompt, and exit again to disconnect.
Option C: One-line command execution
Run a command on an internal server without an interactive session:
ssh -J jumpbox@192.168.0.1 seed@192.168.0.16 "hostname && uptime"
What You Can Access
Your access depends on your group membership. Your administrator will tell you which group you're in.
| Group | Available Servers |
|---|---|
| synderys-ops | All infrastructure servers |
| synderys-engineering | GitLab (192.168.0.16) |
| synderys-management | Grafana (192.168.0.21) |
If you try to reach a server outside your group's allowed list, the jumpbox will deny the connection.
Verifying SSH Agent Forwarding
If you get Permission denied when connecting through the jumpbox, verify your SSH agent is running and has your key loaded:
# Check if agent is running and has keys
ssh-add -l
If you see "The agent has no identities", add your key:
ssh-add ~/.ssh/id_ed25519
On macOS, you can add the key to your Keychain so it persists across reboots:
ssh-add --apple-use-keychain ~/.ssh/id_ed25519
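A check for the ForwardAgent setting this guide relies on, added here as an example (it is not part of the Synderys tooling): it lists every Host block in an SSH config that enables agent forwarding and flags any block other than synderys-jumpbox. The function name audit_forward_agent and the sample config are assumptions made for illustration.

```sh
# Added example, not Synderys tooling. audit_forward_agent is a hypothetical helper.
# Usage: audit_forward_agent [CONFIG_FILE] [ALLOWED_ALIAS]   (reads stdin if no file)
# Prints "OK <host>" for the allowed alias and "WIDE <host>" for any other
# block that enables ForwardAgent; returns 1 if a WIDE block exists.
audit_forward_agent() {
  awk -v allowed="${2:-synderys-jumpbox}" '
    function report() {
      if (!fwd) return
      if (host == allowed) print "OK " host
      else { print "WIDE " host; bad = 1 }
    }
    # options before the first Host line apply to all hosts
    BEGIN { host = "(global)"; bad = 0 }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) next
      # ssh_config allows "Keyword value" and "Keyword=value"; keywords ignore case
      if (!match(line, /[ \t=]+/)) next
      key = tolower(substr(line, 1, RSTART - 1))
      val = substr(line, RSTART + RLENGTH)
      gsub(/"|[ \t]+$/, "", val)
      if (key == "host" || key == "match") {
        report()
        host = (key == "match" ? "Match " : "") val
        fwd = 0; seen = 0
      } else if (key == "forwardagent" && !seen) {
        # first value in a block wins; anything except "no" turns forwarding on
        seen = 1
        fwd = (tolower(val) != "no")
      }
    }
    END { report(); exit bad }
  ' "${1:--}"
}

# Constructed sample: the jumpbox entry from this guide plus a wildcard block
# that would forward the agent to every host you connect to.
audit_forward_agent <<'EOF' || echo "ForwardAgent is enabled beyond the jumpbox"
Host synderys-jumpbox
    HostName 192.168.0.1
    ForwardAgent yes
Host *
    ForwardAgent yes
EOF
```

To check your own setup, run audit_forward_agent ~/.ssh/config; only the synderys-jumpbox entry should be listed.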
Troubleshooting
Q: I get "Permission denied (publickey)" when connecting to the jumpbox.
: Your SSH key hasn't synced yet. Verify that you uploaded your public key in Authentik settings (Step 2) and that you're in the jumpbox-users group, then wait up to 5 minutes for the sync. If it still doesn't work, contact IT.
Q: I can connect to the jumpbox but not to the target server.
: Make sure SSH agent forwarding is enabled (ForwardAgent yes in config or -A flag). Also check that your key is loaded in the agent (ssh-add -l). If using ProxyJump, you don't need to set up agent forwarding yourself, because you authenticate to the target from your own computer.
Q: The jumpbox says my destination is not allowed.
: You're trying to reach a server outside your group's access scope. Contact your administrator if you need access to additional servers.
Q: I get "host key verification failed" for the jumpbox.
: Run ssh-keygen -R 192.168.0.1 to clear the old key, then reconnect and accept the new one.
Q: I'm connected to the VPN but the jumpbox is unreachable.
: Verify your VPN is connected (tailscale status). The jumpbox is at 192.168.0.1 — try ping 192.168.0.1. If it doesn't respond, see VPN Troubleshooting.
Q: How do I change my SSH key?
: Go to Authentik settings, paste your new public key into the SSH Public Key field, and click Update. The new key will replace the old one within 5 minutes.