expand on the jumphost docs
authored Mar 30, 2021 by anarcat
doc/ssh-jump-host.md
View page @
cc18676b
...
@@ -3,24 +3,35 @@ title: learning how to do an ssh jump host on tpo
...
@@ -3,24 +3,35 @@ title: learning how to do an ssh jump host on tpo
---
---
You need to use an ssh jump host to access internal machines at tpo.
You need to use an ssh jump host to access internal machines at tpo.
If you have a recent enough ssh (>= 2016 or so), then you can use the ProxyJump directive. Else, use ProxyCommand.
If you have a recent enough ssh (>= 2016 or so), then you can use the
`
ProxyJump
`
directive. Else, use
`
ProxyCommand
`
.
ProxyCommand automatically executes the ssh command on the host to jump to the next host and forward all traffic through.
`
ProxyCommand
`
automatically executes the ssh command on the host to jump to the next host and forward all traffic through.
If your local username is different from your tpo username, also set it in your .ssh/config.
With recent ssh versions:
Ex: To perform a ssh jump host and access staticiforme.tpo you might add the following to your ~/.ssh/config
Host *.torproject.org !people.torproject.org
ProxyJump people.torproject.org
With recent ssh versions:
Or with old ssh versions (before OpenSSH 7.3, or Debian 10 "buster"):
Host *.torproject.org !people.torproject.org
ProxyCommand ssh -l %r -W %h:%p people.torproject.org
If your local username is different from your TPO username, also set
it in your
`.ssh/config`
:
Host *.torproject.org
Host *.torproject.org
User <username>
User USERNAME
Host staticiforme.torproject.org
ProxyJump perdulce.torproject.org
Or with old ssh versions:
It is also worth keeping the
`known_hosts`
file in sync to avoid
server authentication warnings. The server's public keys are also
available in DNS. So add this to your
`.ssh/config`
:
Host *.torproject.org
Host *.torproject.org
User <username>
UserKnownHostsFile ~/.ssh/known_hosts.torproject.org
Host staticiforme.torproject.org
VerifyHostKeyDNS ask
ProxyCommand ssh -l %r -W %h:%p perdulce.torproject.org
And keep the
`~/.ssh/known_hosts.torproject.org`
file up to date by
regularly pulling it from a TPO host, so that new hosts are
automatically added, for example:
rsync -ctvLP perdulce.torproject.org:/etc/ssh/ssh_known_hosts ~/.ssh/known_hosts.torproject.org
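Review bot: The rsync example on the last line has a bootstrap gap. With the new `UserKnownHostsFile ~/.ssh/known_hosts.torproject.org` under `Host *.torproject.org`, the first pull runs over a connection whose host key is checked against the very file being downloaded, so that first run is trust-on-first-use. The text should say how to verify the key of the host the file is pulled from before accepting it, for example by comparing the fingerprint against a trusted source. Related to that, the sentence "The server's public keys are also available in DNS" next to `VerifyHostKeyDNS ask` should note that SSHFP records only count as verification when the resolver validates them with DNSSEC, and that `ask` still prompts for confirmation. Also, the jump examples now use people.torproject.org while the rsync line uses perdulce.torproject.org; use one name throughout or state how the two relate.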