| ... | ... | @@ -3,24 +3,35 @@ title: learning how to do an ssh jump host on tpo |
|
|
|
---
|
|
|
|
|
|
|
|
You need to use an ssh jump host to access internal machines at tpo.
|
|
|
|
If you have a recent enough ssh (>= 2016 or so), then you can use the ProxyJump directive. Else, use ProxyCommand.
|
|
|
|
ProxyCommand automatically executes the ssh command on the host to jump to the next host and forward all traffic through.
|
|
|
|
If you have a recent enough ssh (>= 2016 or so), then you can use the `ProxyJump` directive. Else, use `ProxyCommand`.
|
|
|
|
`ProxyCommand` automatically executes the ssh command on the host to jump to the next host and forward all traffic through.
|
|
|
|
|
|
|
|
If your local username is different from your tpo username, also set it in your .ssh/config.
|
|
|
|
With recent ssh versions:
|
|
|
|
|
|
|
|
Ex: To perform a ssh jump host and access staticiforme.tpo you might add the following to your ~/.ssh/config
|
|
|
|
Host *.torproject.org !people.torproject.org
|
|
|
|
ProxyJump people.torproject.org
|
|
|
|
|
|
|
|
With recent ssh versions:
|
|
|
|
Or with old ssh versions (before OpenSSH 7.3, or Debian 10 "buster"):
|
|
|
|
|
|
|
|
Host *.torproject.org !people.torproject.org
|
|
|
|
ProxyCommand ssh -l %r -W %h:%p people.torproject.org
|
|
|
|
|
|
|
|
If your local username is different from your TPO username, also set
|
|
|
|
it in your `.ssh/config`:
|
|
|
|
|
|
|
|
Host *.torproject.org
|
|
|
|
User <username>
|
|
|
|
Host staticiforme.torproject.org
|
|
|
|
ProxyJump perdulce.torproject.org
|
|
|
|
User USERNAME
|
|
|
|
|
|
|
|
Or with old ssh versions:
|
|
|
|
It is also worth keeping the `known_hosts` file in sync to avoid
|
|
|
|
server authentication warnings. The server's public keys are also
|
|
|
|
available in DNS. So add this to your `.ssh/config`:
|
|
|
|
|
|
|
|
Host *.torproject.org
|
|
|
|
User <username>
|
|
|
|
Host staticiforme.torproject.org
|
|
|
|
ProxyCommand ssh -l %r -W %h:%p perdulce.torproject.org
|
|
|
|
UserKnownHostsFile ~/.ssh/known_hosts.torproject.org
|
|
|
|
VerifyHostKeyDNS ask
|
|
|
|
|
|
|
|
And keep the `~/.ssh/known_hosts.torproject.org` file up to date by
|
|
|
|
regularly pulling it from a TPO host, so that new hosts are
|
|
|
|
automatically added, for example:
|
|
|
|
|
|
|
|
rsync -ctvLP perdulce.torproject.org:/etc/ssh/ssh_known_hosts ~/.ssh/known_hosts.torproject.org |
