I'm starting from [a suggestion to use jvisualVM via SOCKS][1]. However, I have a somewhat complex topology.

Starting from my laptop, I have two intermediate hosts to get through to reach the machine I wish to observe. 

LaptopAtHome -> HostAtWork -> AWS-Bastion -> ThingToObserve

I can use ssh-add to handle the keys needed to make those hops. I am not supposed to leave any SSH private keys on the AWS-Bastion. How do I set all this up so that:

    ssh -v -D 9696 thingtobserve.example.com

opens the wormhole from my laptop to the other end?

Also note that I need to use a different private key for the first hop than for the second and third. I have both keys loaded on the starting host with ssh-add.

Some research led me to try:

    #!/bin/sh

    noknown="-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

    ssh -A -t -t -v -L9999:localhost:9932 first ssh -A $noknown -t ec2-user@bastion ssh -A $noknown -t -D 9932 ec2-user@target

This fails with 'permission denied'.

If I ssh to the first host, and manually launch the ssh agent and load up my keys, I can then manually ssh the whole way.

I am also a bit perplexed about why the -D is all the way at the end of the chain, but perhaps I'm not thinking clearly about that part yet.

  [1]: https://theholyjava.wordpress.com/2012/09/21/visualvm-monitoring-remote-jvm-over-ssh-jmx-or-not/
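
One way to express the three-hop path in `~/.ssh/config` on the laptop with `ProxyJump` (OpenSSH 7.3 or later), added here as an example and not part of the original post. The `HostName` placeholders and the key file paths are assumptions; `ec2-user`, the aliases `first` and `bastion`, and `thingtobserve.example.com` come from the question.

```sshconfig
# ~/.ssh/config on LaptopAtHome (added example; placeholders are marked).
# With ProxyJump every hop is authenticated by the ssh client on the laptop,
# talking to the local ssh-agent through nested tunnels. No agent forwarding
# (-A) is needed and no private key or agent socket is exposed on the bastion.

# Hop 1: HostAtWork, which uses its own key.
Host first
    # Placeholder: the real name of HostAtWork.
    HostName hostatwork.example.com
    # Placeholder path: the key used only for the first hop.
    IdentityFile ~/.ssh/id_work
    # Offer only the key named above, not every key loaded in the agent.
    IdentitiesOnly yes
    ForwardAgent no

# Hop 2: AWS-Bastion, reached through hop 1.
Host bastion
    # Placeholder: the real name of AWS-Bastion.
    HostName bastion.example.com
    User ec2-user
    ProxyJump first
    # Placeholder path: the key shared by the second and third hops.
    IdentityFile ~/.ssh/id_aws
    IdentitiesOnly yes
    ForwardAgent no

# Hop 3: ThingToObserve, reached through hop 2.
Host thingtobserve.example.com
    User ec2-user
    ProxyJump bastion
    IdentityFile ~/.ssh/id_aws
    IdentitiesOnly yes
    ForwardAgent no

# Host keys are checked against the laptop's own known_hosts file.
# StrictHostKeyChecking and UserKnownHostsFile are left at their defaults,
# so a changed host key on any hop is reported instead of silently accepted.
```

With this in place, `ssh -v -D 9696 thingtobserve.example.com` from the question runs as written: the SOCKS listener on port 9696 is opened by the laptop's ssh client and the proxied connections leave from ThingToObserve. Keys that exist only in the agent can still be selected by pointing `IdentityFile` at the matching public key file.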