@AlainODea
Created July 26, 2018 23:53
Multi-level SSH proxying and selective host key trust
# send a keepalive every 60 seconds on all connections
ServerAliveInterval 60

# bastions are permanent or semi-permanent
# connections should be minimized
# host key changes should not be accepted (pre-populate known_hosts with them)
Host *-bastion
  ControlMaster auto
  ControlPath /Users/your.username/.ssh/tmp/%h_%p_%r
  StrictHostKeyChecking yes

# private systems are ephemeral
# DNSSEC is not used for their keys
# don't check or store private system host keys
# NOTE: not a security recommendation, just a convenience in a highly dynamic environment with ephemeral systems
Host 10.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 192.168.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

# work identity for everything except github.com
Host * !github.com
  User work_username
  IdentityFile ~/.ssh/[email protected]_2018-07-26

Host github.com *.example.local
  IdentityFile ~/.ssh/[email protected]_2018-07-26

# short aliases for the bastions
Host dev-bastion
  Hostname dev-bastion.example.com

Host stg-bastion
  Hostname stg-bastion.example.com

Host prod-bastion
  Hostname prod-bastion.example.com

# the enclave bastion is reached through prod-bastion (second proxy level)
Host enclave-bastion
  ProxyCommand ssh -W %h:%p prod-bastion
  Hostname enclave-bastion.prod.example.local

# route each private range through the bastion for its environment
Host 10.0.*
  ProxyCommand ssh -W %h:%p dev-bastion

Host 10.1.*
  ProxyCommand ssh -W %h:%p stg-bastion

Host 10.2.*
  ProxyCommand ssh -W %h:%p prod-bastion

Host 10.3.*
  ProxyCommand ssh -W %h:%p enclave-bastion
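
An added example, not part of the gist: a simplified Python model of ssh_config Host matching (first obtained value wins, `!` negation, `*` and `?` globs) that audits which hosts end up with host key checking disabled and which bastion chain a private address goes through. The function names are hypothetical and the embedded config is condensed from the one above; `ssh -G <host>` prints the real client's resolved options for comparison.

```python
import re

# Condensed from the gist above (constructed sample; the stg route is omitted for brevity).
CONFIG = """\
Host *-bastion
  StrictHostKeyChecking yes
Host 10.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.* 192.168.*
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
Host enclave-bastion
  ProxyCommand ssh -W %h:%p prod-bastion
Host 10.0.*
  ProxyCommand ssh -W %h:%p dev-bastion
Host 10.2.*
  ProxyCommand ssh -W %h:%p prod-bastion
Host 10.3.*
  ProxyCommand ssh -W %h:%p enclave-bastion
"""

def glob_match(pattern, host):
    # ssh_config patterns are string globs with only '*' and '?' as wildcards
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host) is not None

def block_applies(patterns, host):
    # A matching '!pattern' vetoes the block; otherwise one positive pattern must match.
    if any(glob_match(p[1:], host) for p in patterns if p.startswith("!")):
        return False
    return any(glob_match(p, host) for p in patterns if not p.startswith("!"))

def effective(host, config=CONFIG):
    """Options that apply to `host`: the first value obtained for a keyword wins."""
    opts, active = {}, True  # lines before the first Host block apply to every host
    for line in config.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "host":
            active = block_applies(value.split(), host)
        elif active and key and not key.startswith("#"):
            opts.setdefault(key.lower(), value.strip())
    return opts

def hops(host, config=CONFIG):
    """Follow 'ssh -W %h:%p <jump>' proxies from the target back to the first hop."""
    chain = [host]
    while True:
        m = re.fullmatch(r"ssh -W %h:%p (\S+)", effective(chain[-1], config).get("proxycommand", ""))
        if not m:
            return chain
        chain.append(m.group(1))
```

Because the patterns are string globs rather than CIDR ranges, a name such as `10.example.com` also falls under the block that disables host key checking; `effective("10.example.com")` shows this.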