diff --git a/admin-guide/configuration.md b/admin-guide/configuration.md index a5100b4d..9f4546ef 100644 --- a/admin-guide/configuration.md +++ b/admin-guide/configuration.md @@ -7,4 +7,5 @@ Here starts a so far small collections of configuration guides for sysadmins of - [Custom Nameservers](configuration/custom_nameservers) ## Special Installations +- [SSH Host Hopping as Root (e.g. between cluster members)](configuration/ssh_host_hopping) - [Install Citrix VDA](configuration/citrix_vda) diff --git a/admin-guide/configuration/ssh_host_hopping.md b/admin-guide/configuration/ssh_host_hopping.md new file mode 100644 index 00000000..79960cb3 --- /dev/null +++ b/admin-guide/configuration/ssh_host_hopping.md @@ -0,0 +1,25 @@ +# SSH Host Hopping as Root (e.g. between cluster members) + +This is to allow the user `root` on a given machine to log in as `root` onto another machine without using a password or a similar authentication. + + +The `ssh_server::root_host_trust` list in Hiera configures from which devices root is allowed to connect without special configuration: +``` +ssh_server::root_host_trust: + - 'lxdev04.psi.ch' + - 'lxdev05.psi.ch' +``` +From security perspective this nodes should have the same or stricter security rules/setup that the target host. + +To actually use host trust the client also needs to configure that while connecting, e.g. in Hiera: + +``` +ssh_client::try_host_trust: true +``` + +or spontaneously on the ssh command line with: +``` +ssh -o HostbasedAuthentication=yes ... +``` +or by setting `HostbasedAuthentication yes` in the appropriate place in the ssh configuration (e.g. `~/.ssh/config`). +
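Review bot: the new `SSH Host Hopping as Root` entry in `admin-guide/configuration.md` is a configuration guide, not a special installation, so it reads out of place under `## Special Installations` next to `- [Install Citrix VDA](configuration/citrix_vda)`; move the line up into the configuration list beside `- [Custom Nameservers](configuration/custom_nameservers)`, where readers looking for Hiera keys will look for it.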
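Review bot: in the new `ssh_host_hopping.md`, the security paragraph `From security perspective this nodes should have the same or stricter security rules/setup that the target host.` is ungrammatical and understates the risk; suggest `From a security perspective, these nodes must have the same or stricter security rules/setup than the target host: root on any host listed in ssh_server::root_host_trust is effectively root on the target, so a compromise of one trusted host is a compromise of the target.` The intro line `without using a password or a similar authentication` is also misleading, since the `ssh -o HostbasedAuthentication=yes ...` line shows this is OpenSSH host-based authentication, which authenticates the connecting host by its host key rather than skipping authentication; say that, and document what `ssh_server::root_host_trust` actually renders on the target (the page never explains how the listed hostnames are enforced or that the target has to know the client host's key), otherwise a reader has nothing to check when a hop fails. Minor wording: `or spontaneously on the ssh command line with:` reads better as `or ad hoc on the ssh command line with:`.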