Changes

anarcat · 9027e5fd
--- a/doc/ssh-jump-host.md
+++ b/doc/ssh-jump-host.md
@@ -74,3 +74,64 @@ specify a `git@` user in your git remotes, but it's a good practice
 nevertheless to catch those scenarios where that might have been
 forgotten.

+# Sample configuration
+
+Here is a redacted copy of anarcat's `~/.ssh/config` file:
+
+```
+Host *
+     # disable known_hosts hashing. it provides little security and
+     # raises the maintenance cost significantly because the file
+     # becomes inscrutable
+     HashKnownHosts no
+     # this defaults to yes in Debian
+     GSSAPIAuthentication no
+     # set a path for the multiplexing stuff, but do not enable it by
+     # default. this is so we can more easily control the socket later,
+     # for processes that *do* use it, for example git-annex uses this.
+     ControlPath ~/.ssh/control-%h-%p-%r
+     ControlMaster no
+     # ~C was disabled in newer OpenSSH to facilitate sandboxing, bypass
+     EnableEscapeCommandline yes
+
+# taken from https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/ssh
+Host *-tor *.onion
+    # this is with netcat-openbsd
+    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
+    # if anonymity is important (as opposed to just restrictions bypass), you also want this:
+    # VerifyHostKeyDNS no
+
+# interact as a normal user with certain symbolic names for services (e.g. gitlab for push, people, irc bouncer, etc)
+Host db.torproject.org git.torproject.org git-rw.torproject.org gitlab.torproject.org ircbouncer.torproject.org people.torproject.org puppet.torproject.org ssh.torproject.org ssh-dal.torproject.org ssh-fsn.torproject.org
+  User anarcat
+
+# forward puppetdb for cumin by default
+Host puppetdb-01.torproject.org
+  LocalForward 8080 127.0.0.1:8080
+
+Host minio*.torproject.org
+  LocalForward 9090 127.0.0.1:9090
+
+Host prometheus2.torproject.org
+  # Prometheus
+  LocalForward 9090 localhost:9090
+  # Prometheus Pushgateway
+  LocalForward 9091 localhost:9091
+  # Prometheus Alertmanager
+  LocalForward 9093 localhost:9093
+  # Node exporter is 9100, but likely running locally
+  # Prometheus blackbox exporter
+  LocalForward 9115 localhost:9115
+
+Host dal-rescue-02.torproject.org
+  Port 4622
+
+Host *.torproject.org
+  UserKnownHostsFile ~/.ssh/known_hosts.d/torproject.org
+  VerifyHostKeyDNS ask
+  User root
+
+# use jump host if the network is not in the trusted whitelist
+Match host *.torproject.org, !host ssh.torproject.org, !host ssh-dal.torproject.org, !host ssh-fsn.torproject.org, !host people.torproject.org, !host gitlab.torproject.org, !exec trusted-network
+  ProxyJump anarcat@ssh-dal.torproject.org
+```