Respond to PR feedback

docs/pages/architecture/tls-routing.mdx

@@ -85,7 +85,7 @@ which can be used as a `ProxyCommand`.
 Similarly to `tsh ssh`, `tsh proxy ssh` establishes a TLS tunnel to Teleport
 proxy with `teleport-ssh-proxy` ALPN protocol, which `ssh` then connects over.
 
-See [OpenSSH client](../server-access/guides/openssh.mdx) guide for details on
+See the [OpenSSH client](../server-access/guides/openssh.mdx) guide for details on
 how it's configured.
 
 ## Reverse tunnels

docs/pages/server-access/guides/openssh.mdx

@@ -31,8 +31,12 @@ We've outlined these reasons in [OpenSSH vs Teleport SSH for Servers?](https://g
 
 ## Step 1/4. Configure `sshd` to trust the Teleport CA
 
-`sshd` must be told to allow users to log in with certificates generated by the
-Teleport Auth Service. Start by exporting the Teleport CA public key.
+Later in this guide, we will generate an SSH client configuration that will use
+a certificate signed by the Teleport Auth Service to authenticate to your SSH
+server. For this to work, `sshd` must be told to allow users to log in with
+certificates generated by the Teleport Auth Service.
+
+Start by exporting the Teleport CA public key.
 
 On your local machine, print the Teleport certificate authority certificate to
 stdout:
@@ -68,7 +72,11 @@ Now, `sshd` will trust users who present a Teleport-issued certificate.
 
 ## Step 2/4. Configure host authentication
 
-Next, ask Teleport to issue a valid host certificate for your `sshd` host. 
+Next, ask Teleport to issue a valid host certificate for your `sshd` host. Later
+in this guide, we will configure your SSH client to trust the certificate,
+authenticating your `sshd` host for your SSH client. Like the user certificate
+we created earlier, the host certificate will be signed by the Teleport Auth
+Service.
 
 ### Ensure that your user has the correct privileges
 
@@ -208,7 +216,10 @@ Restart `sshd`.
 ## Step 3/4. Generate an SSH client configuration
 
 The next step is to configure your OpenSSH client to connect to your `sshd` host
-using credentials managed by Teleport.
+using credentials managed by Teleport. This configuration will use the SSH agent
+and your user's Teleport-issued certificate to authenticate to the `sshd` host.
+It will also authenticate the `sshd` host using the host certificate you
+generated earlier.
 
 First, make sure you are running OpenSSH's `ssh-agent` and have logged
 in to your Teleport cluster:
@@ -303,6 +314,18 @@ establishes an SSH connection to the Proxy Service. This command,
 through the Proxy Service to your chosen host (including a host in a Trusted
 Cluster).
 
+The `tsh proxy ssh` command requests the `proxy` subsystem through a command
+similar to the following, which assumes you are logging in to a Node called
+`mynode` as `root` with a cluster called `teleport.example.com`:
+
+```code
+$ /usr/bin/ssh -l root -A -o UserKnownHostsFile=/root/.tsh/known_hosts -p 11105 teleport.example.com -s proxy:mynode:3022@teleport.example.com
+```
+
+Notice that the `known_hosts` file used by the command is managed by `tsh`.
+Since the `sshd` host's information is listed in this file, your SSH client can
+authenticate the host via the certificate we generated earlier.
+
 </Details>
 
 <Details title="Using PowerShell on Windows?" opened={false}>
@@ -371,7 +394,7 @@ $ ssh -p ${PORT?} -F ssh_config_teleport "${USER?}@${ADDR?}.${CLUSTER?}"
 ```
 
 This will connect to the node `node1` on your Teleport cluster. This name does
-not need to be DNS accessible as the connection will be routed through your
+not need to be resolvable via DNS as the connection will be routed through your
 Teleport Proxy Service.
 
 <Details title="Why are we overriding the port here?">