ProxyJump (Bastion Hosts)

Note

This is a Pro feature. To check your license status or activate your Pro license, press L in the Connection List interface.

In modern server architectures, target servers are often located in private internal networks and cannot be directly accessed via the public internet. In such cases, you need to route your connection through a secure Bastion Host exposed to the public internet using ProxyJump.

Configure ProxyJump

PhanTerm natively supports configuring jump hosts, establishing an end-to-end secure connection directly over underlying TCP tunnels without relying on external commands.

When editing a connection form, you can fill in the following jump host information:

• Jump Host: The IP address or domain name of the bastion host.
• Jump Port: The SSH port of the bastion host (usually 22).
• Jump User: The username to log into the bastion host.
• Jump Auth Type: The authentication method for the bastion host (supports password or key).

How It Works & Security Guarantees

1. PhanTerm first establishes an SSH handshake and authenticates with the jump host.
2. It then opens a direct tunnel (direct-tcpip) through the jump host to the target server’s internal IP and port.
3. Within this internal network tunnel, PhanTerm initiates a second, independent SSH encrypted handshake with the target server.

This mechanism ensures the connection to the target server is protected by end-to-end encryption the entire time. The jump host can only see encrypted traffic; it cannot eavesdrop on the commands you execute on the target server, nor can it steal your passwords or terminal output.

Tip

The Host Key fingerprint of the target host is also verified completely independently from the jump host. You benefit from the exact same level of protection against host identity spoofing.