|
|
(3 intermediate revisions by 3 users not shown) |
Line 1: |
Line 1: |
| {{header|infra}} | | {{header|infra}} |
| {{shortcut|ISOP:SSHACCESS}} | | {{shortcut|ISOP:SSHACCESS}} |
| | This SOP has moved to the fedora Infrastructure SOP git repo. Please see the current document at: https://infrastructure.fedoraproject.org/infra/docs/docs/sysadmin-guide/sops/sshaccess.rst |
|
| |
|
| == Contact Information ==
| | For changes, questions or comments, please contact anyone in the Fedora Infrastructure team. |
|
| |
|
| Owner: sysadmin-main
| |
|
| |
| Contact: #fedora-admin or admin@fedoraproject.org
| |
|
| |
| Location: PHX2
| |
|
| |
| Servers: All PHX2 and VPN Fedora machines
| |
|
| |
| Purpose: Access via ssh to Fedora project machines.
| |
|
| |
| === Introduction ===
| |
|
| |
| This page will contain some useful instructions about how you can safely
| |
| login into Fedora PHX2 machines successfully using a public key
| |
| authentication. As of 2011-05-27, all machines require a SSH key to
| |
| access. Password authentication will no longer work. Note that this SOP
| |
| has nothing to do with actually gaining access to specific machines. For
| |
| that you MUST be in the correct group for shell access to that machine.
| |
| This SOP simply describes the process once you do have valid and
| |
| appropriate shell access to a machine.
| |
|
| |
| === SSH configuration ===
| |
|
| |
| '''First of all: (on your local machine)'''
| |
|
| |
| <pre>
| |
| nano ~/.ssh/config
| |
| </pre>
| |
|
| |
| '''then,''' add the following:
| |
|
| |
| <pre>
| |
| Host *.phx2.fedoraproject.org *.fedoraproject.org fedorahosted.org *.fedorahosted.org fedorapeople.org
| |
| User FAS_USERNAME
| |
|
| |
| # Add other machines to this line as desired.
| |
| Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.* *.vpn.fedoraproject.org
| |
| ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
| |
| </pre>
| |
|
| |
| One slight annoyance with this method is that you must include the
| |
| .phx2.fedoraproject.org part when you SSH to Fedora machines in order
| |
| for the connection to be tunneled through bastion. If this is an issue,
| |
| here are two possible ways to avoid it:
| |
|
| |
| 1. You can add aliases for each of the Fedora machines you login to by
| |
| modifying the Host line:
| |
| <pre>
| |
| Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.* *.vpn.fedoraproject.org puppet01 noc01 # list all hosts here
| |
| </pre>
| |
| 2. You can proxy everything through bastion by default and exclude hosts
| |
| that you connect to directly:
| |
| <pre>
| |
| # List all host you SSH to that are NOT Fedora machines
| |
| # make sure to include bastion here as well!
| |
| Host allyourlocalmachines bastion.fedoraproject.org
| |
| ProxyCommand none
| |
|
| |
| Host *
| |
| ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
| |
| </pre>
| |
| Keep in mind that if bastion ever goes down and you need to access
| |
| things, you'll want to comment this section out.
| |
|
| |
| === SSH Agent forwarding ===
| |
|
| |
| You should normally have:
| |
|
| |
| <pre>
| |
| ForwardAgent no
| |
| </pre>
| |
|
| |
| For Fedora hosts (this is the default in OpenSSH). You can override this
| |
| on a per-session basis by using '-A' with ssh. SSH agents could be
| |
| misused if you connect to a compromised host with forwarding on (the
| |
| attacker can use your agent to authenticate them to anything you have
| |
| access to as long as you are logged in). Additionally, if you do need
| |
| SSH agent forwarding (say for copying files between machines), you
| |
| should remember to logout as soon as you are done to not leave your
| |
| agent exposed.
| |
|
| |
| === Troubleshooting: ===
| |
|
| |
| * 'channel 0: open failed: administratively prohibited: open failed': If you receive this message for a machine proxied through bastion, then bastion was unable to connect to the host. This most likely means that tried to SSH to a nonexistent machine. You can debug this by trying to connect to that machine from bastion.
| |
| * if your local username is different from the one registered in FAS, please remember to set up a '''User''' variable (like above) where you specify your FAS username. If that's missing SSH will try to login by using your local username, thus it will fail.
| |
| * ssh -vv is very handy for debugging what sections are matching and what are not.
| |
| * If you get access denied several times in a row, please consult with #fedora-admin. If you try too many times with an invalid config your IP could be added to denyhosts.
| |
| * If you are running an OpenSSH version less than 5.4, then the -W option is not avaliable. In that case, use the following ProxyCommand line instead:
| |
| <pre>
| |
| ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
| |
| </pre>
| |
|
| |
|
| [[Category:Infrastructure SOPs]] | | [[Category:Infrastructure SOPs]] |