SSH Access Infrastructure SOP

From FedoraProject

(Difference between revisions)
Jump to: navigation, search
(add more info)
(redirect page to new infra-docs)
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 
{{header|infra}}
 
{{header|infra}}
 
{{shortcut|ISOP:SSHACCESS}}
 
{{shortcut|ISOP:SSHACCESS}}
 +
This SOP has moved to the fedora Infrastructure SOP git repo. Please see the current document at: http://infrastructure.fedoraproject.org/infra/docs/sshaccess.txt
  
== Contact Information ==
+
For changes, questions or comments, please contact anyone in the Fedora Infrastructure team.
  
Owner: sysadmin-main
 
 
Contact: #fedora-admin or admin@fedoraproject.org
 
 
Location: All fedora machines
 
 
Servers: All fedora machines
 
 
Purpose: Access via ssh to Fedora project machines.
 
 
=== Introduction ===
 
 
This page will contain some useful instructions about how you can safely login into Fedora internal machines successfully using a PubAuthKey authentication. As of 2011-05-27, all machines require a SSH key to access. Password authentication will no longer work. Note that this SOP has nothing
 
to do with actually gaining access to specific machines. For that you MUST be in the correct group for shell access to that machine. This SOP
 
simply describes the process once you do have valid and appropriate shell access to a machine.
 
 
=== Single host example ===
 
 
'''First of all: (on your local machine)'''
 
 
<pre>
 
cd /home/user/.ssh
 
touch config && nano config
 
</pre>
 
 
'''Note:''' You'll need to create an entry for every internal machine you plan to log in to, or create wildcard entries.
 
 
'''Note2:''' This example is valid only if you are trying to login into puppet01 to commit your changes to Infrastructure's Puppet tree. (see Note1)
 
 
'''then,''' edit it as it follows:
 
 
<pre>
 
Host puppet01 puppet1 puppet01.fedoraproject.org
 
  Hostname %h (or if it doesn't resolve, go ahead to the troubleshooting section)
 
  User FASUID (you don't need this if your local UID and your FAS one correspond)
 
  ProxyCommand ssh -q FASUID@bastion.fedoraproject.org /usr/bin/nc %h 22
 
</pre>
 
 
=== WildCard setup example ===
 
 
You can also setup wildcards so you don't have to enter a entry as above for each host.
 
 
<pre>
 
Host allyourlocalmachines bastion.fedoraproject.org (add here any host you ssh to that is NOT a Fedora machine as well as bastion)
 
  ProxyCommand none
 
 
Host *
 
  Hostname %h
 
  ProxyCommand ssh -q %u@bastion.fedoraproject.org /usr/bin/nc %h 22
 
</pre>
 
 
This will match the first entry for those specific hosts you wish to go to directly, and pass all the rest via bastion.
 
You may need to set:
 
 
<pre>
 
export LOCALDOMAIN="fedoraproject.org vpn.fedoraproject.org phx2.fedoraproject.org"
 
</pre>
 
 
In order to do simple 'ssh puppet01' type commands.
 
 
=== SSH Agent forwarding ===
 
 
You should normally have:
 
 
<pre>
 
    ForwardAgent no
 
</pre>
 
 
For Fedora hosts. You can override this on a session basis by using '-A' with ssh. SSH agents could be misused if you connect to a compromised
 
host with forwarding on (the attacker can use your agent to authenticate them to anything you have access to as long as you are logged in).
 
Additionally, if you do need ssh agent forwarding (say for copying files between machines), you should remember to logout as soon as you are
 
done to not leave your agent exposed.
 
 
=== Troubleshooting: ===
 
 
* 'nc: getaddrinfo: Name or service not known', replace '''Hostname %h''' with '''Hostname 10.5.126.23''' (this is puppet's IP, so it will be different by machine to machine)
 
* if your local UID is different from the one registered in FAS, please remember to set up a '''User''' variable (like above) where you specify your FAS UID. If that's missing SSH will try to login by using your local UID, thus it will fail.
 
* If you can't resolve a hostname like 'puppet01' you may need the LOCALDOMAIN export above.
 
* ssh -vv is very handy for debugging what sections are matching and what are not.
 
* If you get access denied several times in a row, please consult with #fedora-admin. If you try too many times with an invalid config your IP could be added to denyhosts.
 
  
 
[[Category:Infrastructure SOPs]]
 
[[Category:Infrastructure SOPs]]

Latest revision as of 19:03, 19 December 2011

Infrastructure InfrastructureTeamN1.png
Shortcut:
ISOP:SSHACCESS

This SOP has moved to the fedora Infrastructure SOP git repo. Please see the current document at: http://infrastructure.fedoraproject.org/infra/docs/sshaccess.txt

For changes, questions or comments, please contact anyone in the Fedora Infrastructure team.