... | ... | @@ -74,3 +74,64 @@ specify a `git@` user in your git remotes, but it's a good practice |
nevertheless to catch those scenarios where that might have been
forgotten.
# Sample configuration
Here is a redacted copy of anarcat's `~/.ssh/config` file:
```
Host *
# disable known_hosts hashing. it provides little security and
# raises the maintenance cost significantly because the file
# becomes inscrutable
HashKnownHosts no
# this defaults to yes in Debian
GSSAPIAuthentication no
# set a path for the multiplexing stuff, but do not enable it by
# default. this is so we can more easily control the socket later,
# for processes that *do* use it, for example git-annex uses this.
ControlPath ~/.ssh/control-%h-%p-%r
ControlMaster no
# ~C was disabled in newer OpenSSH to facilitate sandboxing, bypass
EnableEscapeCommandline yes
# taken from https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/ssh
Host *-tor *.onion
# this is with netcat-openbsd
ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
# if anonymity is important (as opposed to just restrictions bypass), you also want this:
# VerifyHostKeyDNS no
# interact as a normal user with certain symbolic names for services (e.g. gitlab for push, people, irc bouncer, etc)
Host db.torproject.org git.torproject.org git-rw.torproject.org gitlab.torproject.org ircbouncer.torproject.org people.torproject.org puppet.torproject.org ssh.torproject.org ssh-dal.torproject.org ssh-fsn.torproject.org
User anarcat
# forward puppetdb for cumin by default
Host puppetdb-01.torproject.org
LocalForward 8080 127.0.0.1:8080
Host minio*.torproject.org
LocalForward 9090 127.0.0.1:9090
Host prometheus2.torproject.org
# Prometheus
LocalForward 9090 localhost:9090
# Prometheus Pushgateway
LocalForward 9091 localhost:9091
# Prometheus Alertmanager
LocalForward 9093 localhost:9093
# Node exporter is 9100, but likely running locally
# Prometheus blackbox exporter
LocalForward 9115 localhost:9115
Host dal-rescue-02.torproject.org
Port 4622
Host *.torproject.org
UserKnownHostsFile ~/.ssh/known_hosts.d/torproject.org
VerifyHostKeyDNS ask
User root
# use jump host if the network is not in the trusted whitelist
Match host *.torproject.org, !host ssh.torproject.org, !host ssh-dal.torproject.org, !host ssh-fsn.torproject.org, !host people.torproject.org, !host gitlab.torproject.org, !exec trusted-network
ProxyJump anarcat@ssh-dal.torproject.org
``` |