SFTP and ProxyJump - not reaching remote server when using ProxyJump

What is the problem you are having with rclone?

I am trying to connect to a remote SFTP server through an SSH Proxy using ProxyJump. I have configured the ProxyJump (using ~/.ssh/config) and have confirmed I can connect to the remote SFTP server through the SSH proxy. However, when I attempt to connect to the remote server using rclone, whilst it looks like rclone has connected to the remote server, in reality it has connected to the SSH proxy instead! When I perform an rclone ls command, the directory listing is not what I expect and is listing the folders on the SSH proxy, not remote server.

On my system, I have configured the following things:

Host proxy.server
  HostName  proxy.server
  User proxyuser@proxy.server
  IdentityFile ~/.ssh/id_seis
  StrictHostKeyChecking no
	
Host ftp.remote-sftp.com
  User remote_user
  ProxyJump proxyuser@proxy.server
  StrictHostKeyChecking no 

With the configuration above, I can confirm I am able to SSH with the proxy to ftp.remote-sftp.com because this server is not publicly accessible.

But with rclone, it does not seem to use the proxy in the same way.

Run the command 'rclone version' and share the full output of the command.

rclone v1.71.2

• os/version: redhat 8.10 (64 bit)
• os/kernel: 5.15.167.4-microsoft-standard-WSL2 (x86_64)
• os/type: linux
• os/arch: amd64
• go/version: go1.25.3
• go/linking: static
• go/tags: none
  2025/10/27 17:03:40 DEBUG : rclone: Version "v1.71.2" finishing with parameters ["rclone" "version"]

Which cloud storage system are you using? SFTP

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone -vv --sftp-ssh "ssh proxyuser@proxy.server" ls remote_sftp_server:

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

[remote_sftp_server]
type = sftp
host = XXX
user = XXX
port = 22
shell_type = unix
md5sum_command = none
sha1sum_command = none

A log from the command that you were trying to run with the -vv flag

[root@b16e0ab4caf2 workdir]# rclone -vv --sftp-ssh "ssh proxyuser@proxy.server" ls remote_sftp_server:
2025/10/27 16:49:31 DEBUG : Setting --retries "1" from environment variable RCLONE_RETRIES="1"
2025/10/27 16:49:31 DEBUG : Setting --low-level-retries "1" from environment variable RCLONE_LOW_LEVEL_RETRIES="1"
2025/10/27 16:49:31 DEBUG : Setting --verbose "2" from environment variable RCLONE_VERBOSE="2"
2025/10/27 16:49:31 DEBUG : Setting --config "/config/rclone_preprod.conf" from environment variable RCLONE_CONFIG="/config/rclone_preprod.conf"
2025/10/27 16:49:31 DEBUG : rclone: Version "v1.71.2" starting with parameters ["rclone" "-vv" "--sftp-ssh" "ssh proxyuser@proxy.server" "ls" "remote_sftp_server:"]
2025/10/27 16:49:31 DEBUG : Creating backend with remote "remote_sftp_server:"
2025/10/27 16:49:31 DEBUG : Using config file from "/config/rclone_preprod.conf"
2025/10/27 16:49:31 DEBUG : Setting pass="AtiCD3B-nl_GG-XXX" for "remote_sftp_server" from environment variable RCLONE_CONFIG_REMOTE_SFTP_SERVER_PASS
2025/10/27 16:49:31 DEBUG : remote_sftp_server: detected overridden config - adding "{NkDoC}" suffix to name
2025/10/27 16:49:31 DEBUG : Setting pass="AtiCD3B-nl_GG-XXX" for "remote_sftp_server" from environment variable RCLONE_CONFIG_REMOTE_SFTP_SERVER_PASS
2025/10/27 16:49:31 NOTICE: remote_sftp_server{NkDoC}: --sftp-ssh is in use - ignoring user/host/port from config - set in the parameters to --sftp-ssh (remove them from the config to silence this warning)
2025/10/27 16:49:31 DEBUG : sftp://remote_user@ftp.remote-sftp.com:22/: ssh external: creating additional session
2025/10/27 16:49:31 DEBUG : sftp://remote_user@ftp.remote-sftp.com:22/: ssh external: running: ssh proxyuser@proxy.server -s sftp
2025/10/27 16:49:33 DEBUG : sftp://remote_user@ftp.remote-sftp.com:22/: Shell type "unix" from config
2025/10/27 16:49:33 DEBUG : sftp://remote_user@ftp.remote-sftp.com:22/: Relative path resolved to "/home/proxyuser"
2025/10/27 16:49:33 DEBUG : sftp://remote_user@ftp.remote-sftp.com:22/: Using root directory "/home/proxyuser"
2025/10/27 16:49:33 DEBUG : fs cache: renaming cache item "remote_sftp_server:" to be canonical "remote_sftp_server{NkDoC}:"
      333 .bash_history
       18 .bash_logout
      193 .bash_profile
      231 .bashrc
      334 .emacs
      172 .kshrc
      658 .zshrc
      276 .ssh/authorized_keys
      276 .ssh/id_seis.pub
2025/10/27 16:49:33 DEBUG : 6 go routines active
2025/10/27 16:49:33 DEBUG : sftp://remote_user@ftp.remote-sftp.com:22/: Closing 1 unused connections

An aside - you can configure an HTTP connect proxy server or a SOCKS proxy with these flags and use the native SSH implementation.

  --sftp-http-proxy string    URL for HTTP CONNECT proxy
  --sftp-socks-proxy string   Socks 5 proxy host

Remember that rclone is running your ssh command directly as you've written it. So if you ran ssh proxyuser@proxy.server then I think it would indeed connect to the proxy, but if you used ssh ftp.remote-sftp.com then it would connect to ftp.remote-sftp.com via the proxy (assuming my understanding of ProxyJump is correct).

So, get it working with ssh first then use exactly that ssh command as the argument of --sftp-ssh

I hope that helps

Hi Nick

Thanks for looking into this issue for me.

Oh okay, I understand using ProxyJump with rclone a little bit better now.

Using your suggestion, rclone does seems to be reaching to the remote server as intended.

I have a couple of questions/observations. If we have to enter the command as:

rclone --sftp-ssh "ssh ftp.remote-sftp.com" ls remote_sftp_server:

1. I have noticed rclone still needs the remote remote_sftp_server: to execute properly. I thought the command line switch overrides the remote?

2. The remote server uses password authentication and assumed the specifying the remote would use the remote configuration to log me in. Rclone did not log me in automatically and a password prompt was given for the remote server.

3. If the remote configuration cannot supply password, can the switch --sftp-ssh allow SSHPass to be used? I did try but failed to get that working!

Many thanks