Verified Commit 8773d85b authored by anarcat's avatar anarcat

show when *not* to use a jump host

/cc @lelutin
parent 109e46c7
+20 −0
@@ -74,6 +74,26 @@ specify a `git@` user in your git remotes, but it's a good practice
nevertheless to catch those scenarios where that might have been
forgotten.

# When not to use the jump host

If you're going to do a *lot* of batch operations on all hosts (for
example with [Cumin](howto/cumin)), you definitely want to add yourself to the
[adding yourself to the allow list](howto/puppet#adding-an-ip-address-to-the-global-allow-list) so that you can *skip* using
the jump host.

For this, anarcat uses a special `trusted-network` command that fails
unless the network is on that allow list. Therefore, the above jump
host exception list becomes:

    # use jump host if the network is not in the trusted whitelist
    Match host *.torproject.org, !host ssh.torproject.org, !host ssh-dal.torproject.org, !host ssh-fsn.torproject.org, !host people.torproject.org, !host gitlab.torproject.org, !exec trusted-network
      ProxyJump anarcat@ssh-dal.torproject.org

The [`trusted-network` command](https://gitlab.com/anarcat/scripts/-/blob/3f3f024b9b2cbd0a32687727be7b26c8594ef933/trusted-network) checks for the default gateway on
the local machine and checks if it matches an allow list. It could
also just poke at the internet to see "what is my IP address", like
<https://check.torproject.org/>...

# Sample configuration

Here is a redacted copy of anarcat's `~/.ssh/config` file:
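Review bot: the sentence "you definitely want to add yourself to the [adding yourself to the allow list](...)" doubles up the verb; suggest "you definitely want to [add yourself to the allow list](howto/puppet#adding-an-ip-address-to-the-global-allow-list) so that you can *skip* using the jump host". Two smaller points in the same hunk: the comment above the `Match` line says "trusted whitelist" while the surrounding prose consistently says "allow list", so align the wording; and a one-line caveat next to the `!exec trusted-network` criterion would help readers, because `exec` runs the command through the user's shell on every connection to a matching host and treats only a zero exit status as a match, so any failure of `trusted-network` (including the script not being on `PATH`) makes `!exec` true and silently routes the session through the `ProxyJump` host. That is the safe direction to fail in, but stating it saves someone debugging an unexpected jump.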