-J is an alternative to (some class of) -o ProxyCommand=, (usually) not an addendum. You use it as straightforwardly as:
ssh -ND 4321 -J HostA HostB
This is how -J works:
-J destination
Connect to the target host by first making a ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. […]
Note ssh -J HostA HostB is not equivalent to connecting from local to HostA and then from HostA to HostB. It's equivalent to connecting from local to HostA and then from local to HostB (using packets forwarded through HostA).
If you specified more jump hosts (e.g. -J HostA,HostX,HostY,…) then a connection to each extra host would be established via a tunnel connecting your local machine and the previous host. The connection to the ultimate destination would use a tunnel ending at the last jump host. All connections would start at your local system.
So it's not like a daisy chain. It's like nested tubes (tunnels), where each tube of smaller and smaller diameter uses the previous (slightly larger) tube and connects your local system to a point further and further away.
Wrong picture, daisy chain:
local ###> HostA ===> HostX +++> HostY ---> destination
Right picture, nested tubes:
       ###> HostA
       ==============> HostX
       +++++++++++++++++++++++++> HostY
       ------------------------------------>
local                                        destination
       ------------------------------------>
       +++++++++++++++++++++++++>
       ==============>
       ###>
This means if you want to use private keys with ssh -J then only keys available to your local ssh will matter. No SSH client will be invoked on any jump host; your private keys (if any) stored on jump host(s) will be irrelevant.
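
The nested-tubes picture above, as an added example that is not part of the original answer: the hypothetical helper unroll_jump prints the ssh client processes a -J chain amounts to, every one of them started on the local machine. It assumes (not stated on this page) that the client turns each hop into a local "ssh -W" stdio forward used as a ProxyCommand, uses port 22 throughout, ignores per-hop user names, and connects to nothing.

```shell
#!/bin/sh
# unroll_jump CHAIN DEST [PORT]   (hypothetical helper, illustration only)
# Prints one line per ssh client that would run LOCALLY for
# `ssh -J CHAIN DEST`, outermost first. Nothing is executed or contacted.
unroll_jump() {
    chain=$1 target=$2 port=${3:-22}
    # The session you asked for: local -> DEST, carried inside the tunnels below.
    printf 'ssh -J %s %s\n' "$chain" "$target"
    while [ -n "$chain" ]; do
        last=${chain##*,}                 # final hop of the remaining chain
        case $chain in
            *,*) rest=${chain%,*} ;;      # hops still in front of it
            *)   rest= ;;
        esac
        # A local ssh logs in to $last and asks it only for a TCP forward
        # (-W) to $target. $last never runs an ssh client of its own, so
        # keys stored on $last are never read.
        if [ -n "$rest" ]; then
            printf 'ssh -J %s -W [%s]:%s %s\n' "$rest" "$target" "$port" "$last"
        else
            printf 'ssh -W [%s]:%s %s\n' "$target" "$port" "$last"
        fi
        target=$last                      # the next tube must reach this hop
        chain=$rest
    done
}

# Constructed sample, using the host names from the picture above.
unroll_jump HostA,HostX,HostY destination
```

Each printed line authenticates with keys (or an agent) on the local machine, which is why no agent forwarding and no key material on HostA, HostX or HostY is needed.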