... | ... | @@ -74,6 +74,26 @@ specify a `git@` user in your git remotes, but it's a good practice |
nevertheless to catch those scenarios where that might have been
forgotten.
# When not to use the jump host
If you're going to do a *lot* of batch operations on all hosts (for
example with [Cumin](howto/cumin)), you definitely want to add yourself to the
[adding yourself to the allow list](howto/puppet#adding-an-ip-address-to-the-global-allow-list) so that you can *skip* using
the jump host.
For this, anarcat uses a special `trusted-network` command that fails
unless the network is on that allow list. Therefore, the above jump
host exception list becomes:
# use jump host if the network is not in the trusted whitelist
Match host *.torproject.org, !host ssh.torproject.org, !host ssh-dal.torproject.org, !host ssh-fsn.torproject.org, !host people.torproject.org, !host gitlab.torproject.org, !exec trusted-network
ProxyJump anarcat@ssh-dal.torproject.org
The [`trusted-network` command](https://gitlab.com/anarcat/scripts/-/blob/3f3f024b9b2cbd0a32687727be7b26c8594ef933/trusted-network) checks for the default gateway on
the local machine and checks if it matches an allow list. It could
also just poke at the internet to see "what is my IP address", like
<https://check.torproject.org/>...
# Sample configuration
Here is a redacted copy of anarcat's `~/.ssh/config` file:
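Review bot: the sentence "you definitely want to add yourself to the [adding yourself to the allow list](howto/puppet#adding-an-ip-address-to-the-global-allow-list)" in the "When not to use the jump host" paragraph is a leftover from rewording and reads as a doubled phrase; suggest "you definitely want to [add yourself to the allow list](howto/puppet#adding-an-ip-address-to-the-global-allow-list) so that you can *skip* using the jump host." The comment above the `Match` block says "trusted whitelist" while the surrounding text uses "allow list"; aligning it ("if the network is not in the trusted allow list") keeps the terminology consistent. One caveat worth a sentence in the text: `!exec trusted-network` is only true when the command exits non-zero, so if the script is missing from `PATH` or errors out, the condition matches and `ProxyJump` is applied; the failure mode is the safe one (jump host used), not a direct connection.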