| (4 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| | {{header|infra}} | | {{header|infra}} |
| | {{shortcut|ISOP:SSHACCESS}} | | {{shortcut|ISOP:SSHACCESS}} |
| | + | This SOP has moved to the fedora Infrastructure SOP git repo. Please see the current document at: http://infrastructure.fedoraproject.org/infra/docs/sshaccess.txt |
| | | | |
| − | == Contact Information ==
| + | For changes, questions or comments, please contact anyone in the Fedora Infrastructure team. |
| | | | |
| − | Owner: sysadmin-main
| |
| − |
| |
| − | Contact: #fedora-admin or admin@fedoraproject.org
| |
| − |
| |
| − | Location: All fedora machines
| |
| − |
| |
| − | Servers: All fedora machines
| |
| − |
| |
| − | Purpose: Access via ssh to Fedora project machines.
| |
| − |
| |
| − | === Introduction ===
| |
| − |
| |
| − | This page will contain some useful instructions about how you can safely login into Fedora internal machines successfully using a PubAuthKey authentication. As of 2011-05-27, all machines require a SSH key to access. Password authentication will no longer work. Note that this SOP has nothing
| |
| − | to do with actually gaining access to specific machines. For that you MUST be in the correct group for shell access to that machine. This SOP
| |
| − | simply describes the process once you do have valid and appropriate shell access to a machine.
| |
| − |
| |
| − | === Single host example ===
| |
| − |
| |
| − | '''First of all: (on your local machine)'''
| |
| − |
| |
| − | <pre>
| |
| − | cd /home/user/.ssh
| |
| − | touch config && nano config
| |
| − | </pre>
| |
| − |
| |
| − | '''Note:''' You'll need to create an entry for every internal machine you plan to log in to, or create wildcard entries.
| |
| − |
| |
| − | '''Note2:''' This example is valid only if you are trying to login into puppet01 to commit your changes to Infrastructure's Puppet tree. (see Note1)
| |
| − |
| |
| − | '''then,''' edit it as it follows:
| |
| − |
| |
| − | <pre>
| |
| − | Host puppet01 puppet1 puppet01.fedoraproject.org
| |
| − | Hostname %h (or if it doesn't resolve, go ahead to the troubleshooting section)
| |
| − | User FASUID (you don't need this if your local UID and your FAS one correspond)
| |
| − | ProxyCommand ssh -q FASUID@bastion.fedoraproject.org /usr/bin/nc %h 22
| |
| − | </pre>
| |
| − |
| |
| − | === WildCard setup example ===
| |
| − |
| |
| − | You can also setup wildcards so you don't have to enter a entry as above for each host.
| |
| − |
| |
| − | <pre>
| |
| − | Host allyourlocalmachines bastion.fedoraproject.org (add here any host you ssh to that is NOT a Fedora machine as well as bastion)
| |
| − | ProxyCommand none
| |
| − |
| |
| − | Host *
| |
| − | Hostname %h
| |
| − | ProxyCommand ssh -q %u@bastion.fedoraproject.org /usr/bin/nc %h 22
| |
| − | </pre>
| |
| − |
| |
| − | This will match the first entry for those specific hosts you wish to go to directly, and pass all the rest via bastion.
| |
| − | You may need to set:
| |
| − |
| |
| − | <pre>
| |
| − | export LOCALDOMAIN="fedoraproject.org vpn.fedoraproject.org phx2.fedoraproject.org"
| |
| − | </pre>
| |
| − |
| |
| − | In order to do simple 'ssh puppet01' type commands.
| |
| − |
| |
| − | === SSH Agent forwarding ===
| |
| − |
| |
| − | You should normally have:
| |
| − |
| |
| − | <pre>
| |
| − | ForwardAgent no
| |
| − | </pre>
| |
| − |
| |
| − | For Fedora hosts. You can override this on a session basis by using '-A' with ssh. SSH agents could be misused if you connect to a compromised
| |
| − | host with forwarding on (the attacker can use your agent to authenticate them to anything you have access to as long as you are logged in).
| |
| − | Additionally, if you do need ssh agent forwarding (say for copying files between machines), you should remember to logout as soon as you are
| |
| − | done to not leave your agent exposed.
| |
| − |
| |
| − | === Troubleshooting: ===
| |
| − |
| |
| − | * 'nc: getaddrinfo: Name or service not known', replace '''Hostname %h''' with '''Hostname 10.5.126.23''' (this is puppet's IP, so it will be different by machine to machine)
| |
| − | * if your local UID is different from the one registered in FAS, please remember to set up a '''User''' variable (like above) where you specify your FAS UID. If that's missing SSH will try to login by using your local UID, thus it will fail.
| |
| − | * If you can't resolve a hostname like 'puppet01' you may need the LOCALDOMAIN export above.
| |
| − | * ssh -vv is very handy for debugging what sections are matching and what are not.
| |
| − | * If you get access denied several times in a row, please consult with #fedora-admin. If you try too many times with an invalid config your IP could be added to denyhosts.
| |
| | | | |
| | [[Category:Infrastructure SOPs]] | | [[Category:Infrastructure SOPs]] |
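Review bot: the added move notice links the relocated SOP over plain http (http://infrastructure.fedoraproject.org/infra/docs/sshaccess.txt); if that host serves https, link it that way so readers fetching an SSH-access procedure get it over an authenticated channel, and capitalize "fedora Infrastructure SOP git repo" as "Fedora" to match the rest of the page. Since this revision keeps no copy of what it removes, confirm the target document still carries the bastion ProxyCommand setup, the "ForwardAgent no" default together with the explanation of why forwarding an agent to a compromised host is dangerous, and the troubleshooting list (LOCALDOMAIN, the User entry for a differing FAS UID, ssh -vv, and the denyhosts warning), so the move does not silently drop that guidance.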