> Information digest, 24 May 2021

### How to Set Up an SSH Jump Server

Original: [How to Set Up an SSH Jump Server](https://goteleport.com/blog/ssh-jump-server/)

##### What is an SSH Jump Server?

An SSH jump server is a regular Linux server, accessible from the Internet, which is used as a gateway to access other Linux machines on a private network using the SSH protocol. Sometimes an SSH jump server is also called a “jump host” or a [“bastion host”](https://goteleport.com/blog/ssh-bastion-host/). The purpose of an SSH jump server is to be the only gateway for access to your infrastructure, reducing the size of any potential attack surface. Having a dedicated SSH access point also makes it easier to keep an aggregated audit log of all SSH connections.

Why not call it an SSH *proxy*? Partly for historical reasons. In the early days of SSH, users had to SSH into a jump host and, from there, type `ssh` again to “jump” to a destination host. Today, this is done automatically using the `ProxyJump` option.

##### How to Set Up an SSH Jump Server

A good security practice is to have a dedicated SSH jump server, i.e. not to host any other publicly accessible software on it. Additionally, it is bad practice to allow users to log into a jump server directly. There are a few reasons why:

- Inadvertently updating the jump server configuration.
- Using the jump server machine for other tasks.
- Making copies of keys used to access destination servers.

It is also a good idea to change the default TCP port on the SSH jump server from 22 to something else.

Let’s go over configuring an SSH jump server using two open-source projects. We’ll start with OpenSSH as it’s the most common.

But first, let’s make a few naming assumptions for the examples used below:

- The example organization domain is `example.com`
- The DNS name of the jump server is going to be `proxy.example.com`

We’ll also assume that `proxy.example.com` is the only machine accessible from the Internet.

##### OpenSSH

This SSH server comes bundled by default with most Linux distributions, and there’s a nearly 100% chance you already have it installed. If the server is accessible via `proxy.example.com`, then you can access other servers behind the same NAT boundary via the `-J` command-line flag, i.e. on the client:

```bash
$ ssh -J proxy.example.com 10.2.2.1
```

To avoid typing `-J proxy.example.com` all the time, you can update your client’s [SSH configuration](https://goteleport.com/blog/ssh-config/) in `~/.ssh/config` with the following:

```
Host 10.2.2.*
    ProxyJump proxy.example.com
```

Next, we need to harden the server configuration a bit by disabling interactive SSH sessions on the jump server for regular users, but leaving them turned on for the administrators. To do this, update the sshd configuration, usually in `/etc/ssh/sshd_config`, with the following:

```bash
# Do not let SSH clients do anything except be forwarded to the destination:
PermitTTY no
X11Forwarding no
PermitTunnel no
GatewayPorts no
ForceCommand /sbin/nologin
```

The example above will work for Debian and its derivatives; we advise verifying that `/sbin/nologin` exists on your system (on some distributions the binary lives at `/usr/sbin/nologin`).

This will work for as long as the jump server has accounts for all SSH users, which is inconvenient. Instead, consider creating a separate user account on the jump server dedicated to “jumping users”.
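As an added check (not code from the original post), the following Python script models how sshd resolves the effective configuration for a given user, including a per-user `Match` block, and audits the result against the hardening directives above. The config text is a constructed sample; on a real jump host the equivalent is to inspect the output of `sshd -T -C user=jumpuser`.

```python
import re

# Constructed sample sshd_config: a global section plus a per-user Match block for the jump account.
SAMPLE_SSHD_CONFIG = """\
Port 2222
PermitTTY yes          # administrators keep interactive shells
Match User jumpuser
    PermitTTY no
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    ForceCommand /usr/sbin/nologin
"""

# What a pure "jump" account must resolve to (keywords lowercased, as `sshd -T` prints them).
REQUIRED = {
    "permittty": "no",
    "x11forwarding": "no",
    "permittunnel": "no",
    "gatewayports": "no",
    "forcecommand": "/usr/sbin/nologin",
}

def effective_config(text, user):
    """Keyword -> value map sshd would apply to `user`: the first value seen for a keyword wins,
    and a matching `Match User` block overrides the global section (exact names only, no wildcards)."""
    global_opts, match_opts = {}, {}
    in_match = None  # None: global section; True/False: inside a Match block that applies / does not
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # accepts "Key value" and "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()  # only the "User name[,name...]" criterion is modelled here
            in_match = len(crit) >= 2 and crit[0].lower() == "user" and user in crit[1].split(",")
            continue
        if in_match is None:
            global_opts.setdefault(key, value)
        elif in_match:
            match_opts.setdefault(key, value)
    return {**global_opts, **match_opts}

def audit(text, user, required=REQUIRED):
    """Return [(keyword, expected, actual)] for each hardening directive that `user` fails."""
    eff = effective_config(text, user)
    return [(k, v, eff.get(k)) for k, v in required.items() if eff.get(k) != v]
```

Running `audit(SAMPLE_SSHD_CONFIG, "jumpuser")` returns an empty list, while an administrator account such as `alice` still fails every directive, which is exactly the split the `Match` block is meant to produce.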
Let’s call it `jumpuser` and update the configuration:

```bash
Match User jumpuser
    PermitTTY no
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    ForceCommand /usr/sbin/nologin
```

And the users will have to update their client SSH configuration with:

```
Host 10.2.2.*
    ProxyJump jumpuser@proxy.example.com
```

For more information on how to fine-tune SSH jump configuration to your particular situation, consult `man ssh_config` and `man sshd_config`. Needless to say, the setup above works only when the public [SSH keys](https://goteleport.com/blog/comparing-ssh-keys/) are properly distributed not only between clients and the jump server, but also between the clients and the destination servers.

### Introduction to the Zettelkasten Method

Original: [Introduction to the Zettelkasten Method](https://zettelkasten.de/introduction/) (Chinese translation: https://zettelkasten.de/introduction/zh/)

Why are you reading this introduction? The chances are that you either have an immediate need to solve the riddle of knowledge work, feel overwhelmed by your master’s thesis, try to level up your blog, want to write a book because it’s cool, try to get on top as a consultant, excel at research, or something like that. But the Zettelkasten Method is more than just a tool to finish some work or project. It is a holistic method on how to deal with knowledge in your life.

The Zettelkasten Method is an amplifier of your endeavors in the realm of knowledge work. It is highly effective, and many people report they have more fun, one even comparing it to the addictive nature of games like World of Warcraft, and have an easier time doing knowledge work overall. But this only comes as a result of putting in a high level of consistent effort.

It is like swimming. If you can’t swim, you won’t be having any fun at all. Swimming sucks if all you do is float (or even sink) and fight the water. But boy, if you figure out the technique and glide through the water, it is incredible. But you don’t learn swimming by aiming for ease and fun. You learn to swim by aiming to be fast and graceful.

The Zettelkasten Method needs some practice. First, you will have the feeling that you don’t do anything useful. But with a little bit of practice and patience, you will surprise yourself and produce gems of knowledge.

This introduction is meant to guide your first steps towards excellence. Follow this path and your Zettelkasten will provide you with the tools to thrive on intellectual adventures. If I had to explain to someone unfamiliar with the concept of Zettelkasten, I’d describe it like this:

> A Zettelkasten is a personal tool for thinking and writing. It has hypertextual features to make a web of thought possible. The difference to other systems is that you create a web of thoughts instead of notes of arbitrary size and form, and **emphasize connection, not a collection.**

##### Luhmann’s Zettelkasten

Luhmann’s Zettelkasten is a collection of notes on paper slips with a special twist: it is a *hypertext*, and he could navigate the drawer cabinet containing all the paper slips with a *reasonable* amount of time and energy. “Reasonable” means that it was reasonable for Luhmann, who, obsessed with his theory of society, was a workaholic and an enthusiastic bureaucrat. A hypertext needs to be surfable. On Wikipedia, you just need to click a link to get to the next article within Wikipedia’s hypertext. It requires more effort to follow a link if the hypertext is paper-based. The other problem is that you need a starting point for your ride. So Luhmann created his Zettelkasten to make his note collection surfable. He needed entry points and a mechanism to surf from one note to another in a productive way.

##### The Fixed Address of Each Note

If you want to refer to an individual note, it needs to have a fixed and unique address by which you can identify the note. It is necessary to make the actual lookup possible. In our digital age, we rarely think of this problem unless we are software developers. We are used to performing a search on the web, and in a fraction of a second, our search presents us with the results. When you deal with a bunch of paper notes, however, you need to make it possible and bearable to get anywhere at all. Luhmann’s approach was a clever numbering system.

![img](https://raw.githubusercontent.com/Phalacrocorax/memo-image-host/master/uPic/2020-08-13_folgezettel-sequence.png)

Luhmann’s numbering system allowed him to create sequences and to intersperse notes between adjacent notes by adding another character to the end of the address.

The very first note is assigned the number 1. If you add a second note that is not related to the first note, it is assigned the number 2. But if you want to continue the first note, or inject something into its content, comment on it, or something along those lines, you branch off. That new note would get assigned the number 1a. If you continue with this new note, you would go on with 1b. If you then want to comment on the note 1a, you would create a note with the address 1a1. So, in short, whenever you continue a train of thought, you increment the last position in the address, be it a number or a character from the alphabet. And when you want to expand, intersperse, or comment on a note, you take its address and append a new character. For this to work, you alternate numbers and characters.

What does an individual note, a *Zettel*, look like? There are three components that each Zettel has:

1. **A unique identifier**. This gives your Zettel an unambiguous address.
2. **The body of the Zettel**. This is where you write down what you want to capture: the piece of knowledge, usually a short, atomic piece of information.
3. **References**. At the bottom of each Zettel, you either reference the source of the knowledge you capture or leave it blank if you capture your own thoughts.

##### The Body of the Zettel

The body of the Zettel contains whatever knowledge you want to capture: it can be an argument, a concept, an example, or anything of that kind. **Note that you should write this part in your own words.** You may quote someone else’s point verbatim, but for the Zettelkasten to work for you, one of the core rules is to use your own words rather than copy-pasting something you find useful or insightful. This forces you to create your own version of the knowledge, which deepens your understanding of the material and strengthens your memory of what you wrote. Only when the content of the notes is your own does your Zettelkasten truly belong to you.

On our forum, Nick asked what kind of content I would choose to put into the Zettelkasten. Although you can write anything in a note, I recommend **entering knowledge instead of information**. In practice, knowledge and information are easy to tell apart: information can usually be summed up in a single sentence, and most of the time it is “dead”. So, as a rule of thumb, you should process information and get something out of it. Add some context to the note and connect it to other notes, so that the information turns into knowledge. Even if you do not use the knowledge you created directly, as long as you enrich the information you are processing with connections between notes, you are on the right track. You do not need to worry like [@grayen](https://forum.zettelkasten.de/discussion/comment/5925/#Comment_5925):

> I sometimes wonder what makes the content of a web page worth taking notes on. I don’t know whether I should put it into my Zettel; I don’t want to take notes for the sake of taking notes. I don’t know whether these things will be useful to me in the short term or in the long term. Sometimes I don’t want to write a Zettel just to process one of my thoughts or to resolve one doubt. I don’t want my Zettelkasten to turn into busywork; busywork inevitably leads to procrastination.

In practice, you need to compromise between taking notes broadly and focusing on your current project. You cannot just jot down whatever interests you and expect to get something out of it. Let the project you are working on serve as the main line that guides your work, while allowing yourself to stray a little from that line; how far you stray depends on the deadline of your current project.

##### Other Examples

- If you are writing your thesis under time pressure, stray from the main line as little as possible and focus on material relevant to the thesis.
- If you are a retired mechanical engineer who, on a free and beautiful weekend, plans to use the Zettelkasten to write a novel, stray as much as you like and enjoy life.
- If you are a nurse who wants to publish a small book on how to deal with the system, don’t put yourself under too much pressure to stay focused on the work; you already give a lot to others. Enjoy the writing process and satisfy your curiosity, even if it slows you down.
- If you have an ambitious Type A personality, stray from the main line as much as you can. Your personality will make sure you quickly return to material relevant to your project at any time.

##### A Complete Zettel

![img](https://raw.githubusercontent.com/Phalacrocorax/memo-image-host/master/uPic/complete-zettel.png)

If you only add links without any explanation, you will [fail to create knowledge](https://zettelkasten.de/posts/understanding-hierarchy-translating-folgezettel/). Your future self may have no idea why they should follow a link. Imagine you have built a web of thoughts but cannot tell whether following a given link leads anywhere meaningful; surfing your notes will surely leave you disappointed. Your future self may even complain that your past self was unreliable.

In short, the habit of making connections without stating why does not produce knowledge. It also makes your work arbitrary and shallow, reducing your productivity as a knowledge worker.

##### Structure Notes

**A structure note is a meta-note: a note about other notes and their connections.** Luhmann’s hub notes served as fast lanes for navigating the web of notes, and structure notes play the same role. For example, the figure shown here is a structure note about the Zettelkasten Method. It resembles a table of contents, listing all the notes on that topic. Whenever I write a new note about the Zettelkasten Method, I add its ID to this structure note.

![img](https://zettelkasten.de/introduction/20201027155152_models-overview.png)

### An Unusual But Effective Approach to Becoming (A Lot) More Skilled

Original: [An Unusual But Effective Approach to Becoming (A Lot) More Skilled](https://medium.com/skilluped/an-unusual-but-effective-approach-to-becoming-a-lot-more-skilled-96829f392f6b)

![img](https://raw.githubusercontent.com/Phalacrocorax/memo-image-host/master/uPic/1*htMk-fvaMLdMGrHs3KBZkQ.png)

If I told you that you could become a better pianist by learning touch typing, would you believe me? Most people would agree, but some would be happy to debate that.

And how about this: if I told you that you could learn Spanish more easily by learning French, would you believe me? Well, you had better believe me, because it’s true. Here’s a chart showing you the similarities between Romance languages:

![img](https://raw.githubusercontent.com/Phalacrocorax/memo-image-host/master/uPic/1*j0i6Dh2QzIwFEqm1lyXHng.png)

Pretty convincing, right? Looking at this chart, you can see that learning Catalan first is the ultimate cheat for learning the other Romance languages.

I often brag (yeah, let’s call it bragging) about having learned 90 new skills in the past three years. In reality, the most impressive part of this isn’t the skills that I’ve learned but the library of sub-skills that I’ve built.

![img](https://raw.githubusercontent.com/Phalacrocorax/memo-image-host/master/uPic/1*25GI-TwT12EueXHUOIda6A.png)

##### Concepts, Facts, Procedures

For every link you find in your research, you want to look for concepts, facts, and procedures.

- Concepts: things you need to know
- Facts: things you need to remember/memorize
- Procedures: things you need to do/practice

##### Conclusion

Most people aim to learn broader skills without thinking about what their sub-skills are. When you are aware of the sub-skills and focus on building a library of those, you are better equipped to identify your proficiency in the skill and to know what to learn next.