|
|
| (5 intermediate revisions by 4 users not shown) |
| Line 1: |
Line 1: |
| {{header|infra}} | | {{header|infra}} |
| {{shortcut|ISOP:SSHACCESS}} | | {{shortcut|ISOP:SSHACCESS}} |
| | This SOP has moved to the fedora Infrastructure SOP git repo. Please see the current document at: https://infrastructure.fedoraproject.org/infra/docs/docs/sysadmin-guide/sops/sshaccess.rst |
|
| |
|
| == Contact Information ==
| | For changes, questions or comments, please contact anyone in the Fedora Infrastructure team. |
|
| |
|
| Owner: sysadmin-main
| |
|
| |
| Contact: #fedora-admin or admin@fedoraproject.org
| |
|
| |
| Location: All fedora machines
| |
|
| |
| Servers: All fedora machines
| |
|
| |
| Purpose: Access via ssh to Fedora project machines.
| |
|
| |
| === Introduction ===
| |
|
| |
| This page will contain some useful instructions about how you can safely login into Fedora internal machines successfully using a PubAuthKey authentication. As of 2011-05-27, all machines require a SSH key to access. Password authentication will no longer work. Note that this SOP has nothing
| |
| to do with actually gaining access to specific machines. For that you MUST be in the correct group for shell access to that machine. This SOP
| |
| simply describes the process once you do have valid and appropriate shell access to a machine.
| |
|
| |
| === Single host example ===
| |
|
| |
| '''First of all: (on your local machine)'''
| |
|
| |
| <pre>
| |
| cd /home/user/.ssh
| |
| touch config && nano config
| |
| </pre>
| |
|
| |
| '''Note:''' You'll need to create an entry for every internal machine you plan to log in to, or create wildcard entries.
| |
|
| |
| '''Note2:''' This example is valid only if you are trying to login into puppet01 to commit your changes to Infrastructure's Puppet tree. (see Note1)
| |
|
| |
| '''then,''' edit it as it follows:
| |
|
| |
| <pre>
| |
| Host puppet01 puppet1 puppet01.fedoraproject.org
| |
| Hostname %h (or if it doesn't resolve, go ahead to the troubleshooting section)
| |
| User FASUID (you don't need this if your local UID and your FAS one correspond)
| |
| ProxyCommand ssh -q FASUID@bastion.fedoraproject.org /usr/bin/nc %h 22
| |
| </pre>
| |
|
| |
| === WildCard setup example ===
| |
|
| |
| You can also setup wildcards so you don't have to enter a entry as above for each host.
| |
|
| |
| <pre>
| |
| Host allyourlocalmachines bastion.fedoraproject.org
| |
| (add here any host you ssh to that is NOT a Fedora machine as well as bastion)
| |
| ProxyCommand none
| |
|
| |
| Host *
| |
| Hostname %h
| |
| ProxyCommand ssh -q %u@bastion.fedoraproject.org /usr/bin/nc %h 22
| |
| </pre>
| |
|
| |
| This will match the first entry for those specific hosts you wish to go to directly, and pass all the rest via bastion.
| |
| You may need to set:
| |
|
| |
| <pre>
| |
| export LOCALDOMAIN="fedoraproject.org vpn.fedoraproject.org phx2.fedoraproject.org"
| |
| </pre>
| |
|
| |
| In order to do simple 'ssh puppet01' type commands.
| |
|
| |
| === SSH Agent forwarding ===
| |
|
| |
| You should normally have:
| |
|
| |
| <pre>
| |
| ForwardAgent no
| |
| </pre>
| |
|
| |
| For Fedora hosts. You can override this on a session basis by using '-A' with ssh. SSH agents could be misused if you connect to a compromised
| |
| host with forwarding on (the attacker can use your agent to authenticate them to anything you have access to as long as you are logged in).
| |
| Additionally, if you do need ssh agent forwarding (say for copying files between machines), you should remember to logout as soon as you are
| |
| done to not leave your agent exposed.
| |
|
| |
| === Troubleshooting: ===
| |
|
| |
| * 'nc: getaddrinfo: Name or service not known', replace '''Hostname %h''' with '''Hostname 10.5.126.23''' (this is puppet's IP, so it will be different by machine to machine)
| |
| * if your local UID is different from the one registered in FAS, please remember to set up a '''User''' variable (like above) where you specify your FAS UID. If that's missing SSH will try to login by using your local UID, thus it will fail.
| |
| * If you can't resolve a hostname like 'puppet01' you may need the LOCALDOMAIN export above.
| |
| * ssh -vv is very handy for debugging what sections are matching and what are not.
| |
| * If you get access denied several times in a row, please consult with #fedora-admin. If you try too many times with an invalid config your IP could be added to denyhosts.
| |
|
| |
|
| [[Category:Infrastructure SOPs]] | | [[Category:Infrastructure SOPs]] |
