# order in this file matters - ssh will use the hostname supplied on
# the command-line and will match that against the globbed names below.
# If ssh-client encounters a 'hostname foo' command, it will re-run the
# matching sequence and collect config items using that new host name
# until it has gone through the file three times (iirc) or it runs
# out of config ... you can inspect this process by using ssh -v
#
# in order not to prompt for credentials and to allow connection
# re-use, this config will maintain control sockets within the ./run
# directory which are created after authentication and can be used to
# create new connections - they must be secured appropriately (the
# directory owned by you and mode 0700; anyone who can open a socket
# gets an authenticated session without touching your keys)!
#
# successful use of this config depends on the globs being evaluated in
# the following order:
#
# * leaf hostname* configs
# * jumphost *-via-hostname* configs
# * user identity *-as-username* configs
# * key management *-with-keyname configs
# * general settings that apply to all connections
#
# for example, some commands to show the usage of the config:
#
# ssh jumphost-as-joeb
# ssh clienthost-via-jumphost-as-jbloggs-with-jbloggs
# ssh dmzhost-via-clienthost-as-admin-with-jbloggs
#
# scp can also be used in the same way:
#
# scp dmzhost-via-clienthost-as-admin-with-jbloggs:/tmp/somefile .
#
# the above would be enough to prompt for all the intermediate
# credentials, set up the netcat tunnels, fetch the file and then tear
# that all down again
#
# note that only host-via-host pairs are supported: if you need a
# longer chain like gamma-via-beta-via-alpha, define alpha*, beta*
# and gamma* first with their local details and then *-via-alpha* and
# *-via-beta* with how to get to them from their closest hop as below

# the initial jumphost in our network
host jumphost*
  hostname jumphost.domain

# a host on the inside of the client network that jumphost can see
host clienthost*
  # resolved from the PoV of jumphost (in this case), not our workstation
  hostname clienthost
  # allow keys to be forwarded from this point
  forwardagent yes

# the console for this host - more specific items need to come first
host dmzhost-console*
  hostname cyclades-dmz
  port 2012

# a host in the DMZ that only clienthost can connect to
host dmzhost*
  # resolved from the PoV of clienthost, not our workstation
  hostname dmzhost

# how to connect to hosts beyond jumphost
host *-via-jumphost*
  proxycommand ssh jumphost-as-jbloggs /usr/local/bin/nc -v %h %p

# how to connect to hosts beyond clienthost
host *-via-clienthost*
  proxycommand ssh clienthost-via-jumphost-as-joeb /opt/netcat-0.7.1/bin/netcat -v %h %p

# how to manage through-connections
host *-via-*
  controlmaster yes
  # post-auth socket store - treat with care
  controlpath run/master-%h:%p
  controlpersist no

# identity relevant to dmz host
host *-as-admin*
  user admin

# identity relevant to the client
host *-as-jbloggs*
  user jbloggs

# identity relevant to our local end
host *-as-joeb*
  user joeb

# key management
host *-with-jbloggs
  identityfile ~/.ssh/id_jbloggs

# general settings
host *
  forwardagent no
  serveraliveinterval 90
  tcpkeepalive yes
  identitiesonly yes
  hashknownhosts yes
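An added example, not part of the original config, that replays ssh(1)'s first-match-wins option resolution over a constructed excerpt of the blocks above, so you can see which hostname, user, key, ProxyCommand and ControlPath a chained name ends up with. It matches only the name typed on the command line (no hostname re-run) and assumes port 22 when no block sets one; against the real file, `ssh -G <name>` prints the same resolution.

```python
import fnmatch, re

# Constructed excerpt of the config above (the full file also has jumphost*,
# *-via-jumphost*, *-as-jbloggs*, *-as-joeb* and the remaining host * options).
CONFIG = """
host clienthost*
  hostname clienthost
  forwardagent yes
host dmzhost-console*
  hostname cyclades-dmz
  port 2012
host dmzhost*
  hostname dmzhost
host *-via-clienthost*
  proxycommand ssh clienthost-via-jumphost-as-joeb /opt/netcat-0.7.1/bin/netcat -v %h %p
host *-via-*
  controlpath run/master-%h:%p
host *-as-admin*
  user admin
host *-with-jbloggs
  identityfile ~/.ssh/id_jbloggs
host *
  forwardagent no
"""

def parse(text):
    """Split the file into (patterns, [(key, value), ...]) blocks, in file order."""
    blocks = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line: continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), []))
        elif blocks:
            blocks[-1][1].append((key.lower(), value.strip()))
    return blocks

def resolve(name, text=CONFIG):
    """Every matching block contributes, but the FIRST value seen for an option
    wins; then expand %h/%p the way ProxyCommand and ControlPath see them."""
    opts = {}
    for patterns, items in parse(text):
        if any(fnmatch.fnmatchcase(name, p) for p in patterns):
            for key, value in items:
                opts.setdefault(key, value)
    opts.setdefault("hostname", name)  # no hostname directive: use the name as typed
    tokens = {"%h": opts["hostname"], "%p": opts.get("port", "22")}
    for key in ("proxycommand", "controlpath"):
        if key in opts:
            opts[key] = re.sub(r"%[hp]", lambda m: tokens[m.group(0)], opts[key])
    return opts
```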