Basic SSH Proxying

If you connect to your machines via an intermediary, then you will need to include a proxy host in your SSH configuration.


In all cases - whether SSH is invoked programmatically or otherwise - Bcome will defer to your local ssh-agent for your SSH keys.

Make sure that your ssh-agent is running and that all keys in play have been added.
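A preflight check for the requirement above, as an added example that is not part of Bcome or its documentation. It relies on the documented exit status of ssh-add -l (0: keys listed, 1: no identities, 2: agent unreachable); the function name agent_preflight and the SSH_ADD override are assumptions introduced here.

```shell
#!/bin/sh
# Added example: verify the local ssh-agent before invoking Bcome.
# SSH_ADD is a hypothetical override (not an OpenSSH or Bcome setting) that
# lets the check be exercised with a stub instead of a real agent.
SSH_ADD="${SSH_ADD:-ssh-add}"

# agent_preflight [FINGERPRINT...]
#   returns 0  agent reachable and every listed fingerprint is loaded
#              (with no arguments: at least one key is loaded)
#   returns 1  agent reachable but empty, or a listed key is missing
#   returns 2  no agent could be contacted
agent_preflight() {
    rc=0
    listing=$("$SSH_ADD" -l 2>/dev/null) || rc=$?
    case "$rc" in
        0) ;;
        1) echo "ssh-agent is running but holds no keys: run ssh-add" >&2
           return 1 ;;
        *) echo "cannot contact ssh-agent: check SSH_AUTH_SOCK" >&2
           return 2 ;;
    esac

    missing=0
    for fp in "$@"; do
        # Each line of 'ssh-add -l' reads: <bits> <fingerprint> <comment> (<type>)
        if ! printf '%s\n' "$listing" |
            awk -v fp="$fp" '$2 == fp { found = 1 } END { exit !found }'; then
            echo "key not loaded in agent: $fp" >&2
            missing=1
        fi
    done
    return "$missing"
}
```

Call it with the SHA256 fingerprints of the keys your proxy and target servers expect (as printed by ssh-keygen -lf on each public key), or with no arguments to confirm only that the agent holds at least one key.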

Example configuration

The networks.yml configuration below defines two inventories: one containing a proxy server, and the other containing servers that may only be connected to via the proxy.

  type: collection
  description: WBZ gcp estate
    type: gcp
    project: wbznet
    zone: europe-west1-b
    :authentication_scheme: service_account
    service_account_credentials: service-account.json

  type: inventory
  description: ssh proxies
  override_identifier: "prod_net_(.+)"
    filters: status:running AND labels.function=bastion AND labels.environment=prod-net

  type: inventory
  description: Servers
    filters: status:running AND labels.environment=prod-net AND NOT labels.function=bastion
  override_identifier: "prod_net_(.+)"
      - host_lookup: by_bcome_namespace
        namespace: proxies:bastion

The ‘proxies’ inventory contains a single server named ‘bastion’, which the machines in the ‘servers’ inventory are configured above to use as their proxy.

My local user is guillaume, and I have SSH keys added to my agent.

The AsciiCast below demonstrates my configuration:


To replay this Asciicast in your own terminal, install the asciinema package from, and then enter the following in your terminal:

asciinema play

See the Bcome documentation for more detailed & alternative proxy configuration options: SSH Proxy Attributes Configuration.