If you use openssh (> 7.3, if I recall) it has a ProxyJump feature that assures there will not be any MITM capability. (Even earlier versions can achieve the same thing, but ProxyJump makes it just so convenient!)
ssh -J me@P me@T
Done.
Here's the snippet from man ssh
:
-J destination
Connect to the target host by first making a ssh connection to the
jump host described by destination and then establishing a TCP
forwarding to the ultimate destination from there.
Your client first connects to the jump host, and tells the jump host to establish a 2-way pipe between your client and port 22 of the target. Then your client uses that 2-way pipe to establish an ssh connection with the target. The jump host is doing nothing but ferrying bits -- any "attack" is limited to a denial of service at worst, nothing more.
Before ssh added "proxyjump", you'd do this like this (the -f
below is from memory; I can't remember if it was -f
or -N
):
ssh -f -L 2222:target:22 me@jumphost
ssh -p 2222 me@127.0.0.1
But proxyjump makes it much easier.