doc/ssh-jump-host.md

@@ -33,12 +33,32 @@ field on the [machines database](https://db.torproject.org/machines.cgi).
 
 This naming convention was announced in [TPA-RFC-59](policy/tpa-rfc-59-ssh-jump-host-aliases).
 
+# Host authentication
+
+It is also worth keeping the `known_hosts` file in sync to avoid
+server authentication warnings. The server's public keys are also
+available in DNS. So add this to your `.ssh/config`:
+
+    Host *.torproject.org
+      UserKnownHostsFile ~/.ssh/known_hosts.torproject.org
+      VerifyHostKeyDNS ask
+
+And keep the `~/.ssh/known_hosts.torproject.org` file up to date by
+regularly pulling it from a TPO host, so that new hosts are
+automatically added, for example:
+
+    rsync -ctvLP ssh.torproject.org:/etc/ssh/ssh_known_hosts ~/.ssh/known_hosts.torproject.org
+
+# Different usernames
+
 If your local username is different from your TPO username, also set
 it in your `.ssh/config`:
 
     Host *.torproject.org
       User USERNAME
 
+# Root access
+
 Members of TPA might have a different configuration to login as root
 by default, but keep their normal user for key services:
 
@@ -54,16 +74,3 @@ specify a `git@` user in your git remotes, but it's a good practice
 nevertheless to catch those scenarios where that might have been
 forgotten.
 
-It is also worth keeping the `known_hosts` file in sync to avoid
-server authentication warnings. The server's public keys are also
-available in DNS. So add this to your `.ssh/config`:
-
-    Host *.torproject.org
-      UserKnownHostsFile ~/.ssh/known_hosts.torproject.org
-      VerifyHostKeyDNS ask
-
-And keep the `~/.ssh/known_hosts.torproject.org` file up to date by
-regularly pulling it from a TPO host, so that new hosts are
-automatically added, for example:
-
-    rsync -ctvLP ssh.torproject.org:/etc/ssh/ssh_known_hosts ~/.ssh/known_hosts.torproject.org