From 9ac0b6283f089c96aeb9adb0347e660209cd0ccb Mon Sep 17 00:00:00 2001 From: Pino de Candia <32303022+pinodeca@users.noreply.github.com> Date: Tue, 10 Oct 2017 16:31:38 -0500 Subject: [PATCH] Added details about securing the bastion itself. --- README.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.rst b/README.rst index 746098e..9d69c6a 100644 --- a/README.rst +++ b/README.rst @@ -93,6 +93,14 @@ For example: | ssh -o ProxyCommand="ssh -W %h:%p 10.99.157.129" ubuntu@10.0.0.13 +Or (for OpenSSH 7.3 and later): + + | ssh -o ProxyJump="10.99.157.129" ubuntu@10.0.0.13 + +Note that one of the user SSH certificate's principals must be mapped to an account on the bastion (or the bastion will reject the SSH connection). Tatu configures the bastion (e.g. on Ubuntu 16.04) AuthorizedPrincipalFile with a single file named 'nobody' which contains the names of all principals. This allows the SSH client to use the bastion as a jump host but not to login there; this secures the bastion itself. The ssh command is therefore: + + | ssh -o ProxyJump="nobody@10.99.157.129" ubuntu@10.0.0.13 + Future Work -----------
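Review bot: the option name in the new paragraph is misspelled; sshd_config calls it `AuthorizedPrincipalsFile` (plural), so the text should read "Tatu configures the bastion's AuthorizedPrincipalsFile ..." or a reader grepping sshd_config(5) will not find it. Two smaller points in the same hunk: the intermediate example `ssh -o ProxyJump="10.99.157.129" ubuntu@10.0.0.13` omits the bastion user that the following paragraph says is required, and the original ProxyCommand example above it (`ssh -W %h:%p 10.99.157.129`) has the same gap; either drop the user-less ProxyJump line or show both forms with `nobody@10.99.157.129` so readers do not copy a command that the bastion will reject. Finally, the claim that the mapping lets clients jump "but not to login there" holds only because the `nobody` account has no interactive shell; one sentence stating that dependency (and that every principal in the file is thereby allowed to forward through the bastion) would make the security property the paragraph is documenting explicit.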