So, if you use SSH tunneling to forward a port from localhost to a remote, then Docker unwittingly pushes to a remote. This is super useful "off the grid" with robotics/embedded applications where you don't want to bother with a registry and a good Internet connection.
Example, docker pussh: https://github.com/psviderski/unregistry
```/etc/docker/daemon.json
{
"insecure-registries": ["10.100.0.0/24", "registry.yourmom.example.com:5000"]
}
[1] https://docs.docker.com/reference/cli/dockerd/#insecure-regi...
i set it up a few years ago for my homelab
"~C" will drop you into the SSH command line, allowing you to, among other things, effect port forwarding
-L8080:localhost:443
But for some reason this has been disabled by default in more recent ssh configurations... to ensure its available
-o EnableEscapeCommandline=yes
EnableEscapeCommandline yes
Also EnableEscapeCommandline fortunately only affects `~C` - the all-important `~.` to kill a hung SSH session still works with it disabled.
Goes over similar content as TFA, in perhaps a little more depth. Indispensable sysadmin knowledge.
ssh -J user1@bastion1,user2@bastion2 targetuser@targethost
It is also nice that it works recursively, so I can logically structure my rules so that the one for my regular targets say to use bastion1, then the rule for bastion1 says to go via bastion 2, etc.
I find this easier to reason about and maintain rather than juggling a bunch of these multi-step rules.
Support was added to OpenSSH about a decade ago? Even on a low moving Linux distro like Debian/LTS everyone should have support by now.
Are you using SSH key auth or password authenticating three times when you do this?
The final target is a pre-elliptic curve OpenSSH server, so legacy is enabled. I could probably have removed that for clarity.
C:\Users\me\>ssh -J me@bhost1,me@bhost2 -o KexAlgorithms=diffie-hellman-group14-sha1 -o HostKeyAlgorithms=ssh-rsa -o MACs=hmac-sha1 oracle@target
Enter passphrase for key 'C:\Users\me/.ssh/id_ed25519':
me@host1's password:
Enter passphrase for key 'C:\Users\me/.ssh/id_ed25519':
me@host2's password:
oracle@target's password:
Last login: Wed Jun 24 13:29:55 2026 from bhost2
The socks proxy support can also deal with bad web filtering and privacy issues on public wifi networks (though nowadays if you're ssh'ing to a cloud IP, you'll get lots of "bot" restrictions).
It's amazing how lightweight this method actually is. I have managed to connect hundreds of devices using a single EC2 nano instance.
Some pages have a nice up-front synopsis of flags, others put them in a wall of text. Browsing the former can supplant Google, /\b-x while paging is helpful for the latter.
Why is that?
Can’t I just open up a harness and prompt “Teach me how to do X?”