SSH ignores ProxyJump directive


I recently migrated from Satellite 6.7 to Foreman 3.5 and have two problems that appear related, so I am combining them into a single thread.

A few of my hosts are hidden behind a bastion host. To reach them, I created a file /var/lib/foreman-proxy/ssh/config

Match user svc-satellite
  IdentityFile /var/lib/foreman-proxy/ssh/id_rsa_foreman_proxy

  User svc-satellite

Host *

Permissions for this file are

-rw-------. 1 foreman-proxy foreman-proxy  629 Feb 19 16:31 config

(I also tried putting the same stanza into the global /etc/ssh/ssh_config.d/10_our_config.conf file; the result was the same)

This works, as confirmed with the following command succeeds as user foreman-proxy:

$ ssh -i ~/.ssh/id_rsa_foreman_proxy
Last login: Sun Feb 19 16:35:56 2023 from
[svc-satellite@cn01 ~]$

However, an SSH command job fails

   1: Error initializing command: RuntimeError - Could not establish connection to remote host using any available authentication method, tried publickey
   2: Exit status: EXCEPTION
   3: StandardError: Job execution failed

This used to work in Satellite 6.7.

Second related problem: Trying to run a “Run ansible roles” job also fails. Unlike the previous issue, this also failed in Satellite 6.7 . Also note that the error here is “could not resolve hostname” rather than an authentication failure issue.

The error in this case is:

fatal: []: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: Could not resolve hostname Name or service not known", "unreachable": true}

Expected outcome:

Foreman Proxy should honor the ProxyJump directive and other directives in its config directory.

Foreman and Proxy versions:

Version 3.5.1

Foreman and Proxy plugin versions:


Distribution and version:

AlmaLinux 8.7 (Stone Smilodon)

Other relevant data:

At some point, I got the suggestion to use a separate Foreman Proxy server to serve the subnet behind the bastion host. This is not an option in our case.

Correction: I upgraded from Satellite 6.11, not 6.7.