{{header|infra}}
{{shortcut|ISOP:SSHACCESS}}
This SOP has moved to the Fedora Infrastructure SOP git repo. Please see the current document at: http://infrastructure.fedoraproject.org/infra/docs/sshaccess.txt

For changes, questions or comments, please contact anyone in the Fedora Infrastructure team.

== Contact Information ==

Owner: sysadmin-main

Contact: #fedora-admin or admin@fedoraproject.org

Location: PHX2

Servers: All PHX2 Fedora machines

Purpose: Access via ssh to Fedora project machines.

=== Introduction ===

This page explains how to log in to Fedora PHX2 machines using public key authentication. As of 2011-05-27, all machines require an SSH key for access; password authentication no longer works. Note that this SOP has nothing to do with actually gaining access to specific machines: for that you MUST be in the correct group for shell access to that machine. This SOP simply describes the process once you do have valid and appropriate shell access to a machine.

=== SSH configuration ===

'''First of all: (on your local machine)'''

<pre>
nano ~/.ssh/config
</pre>

'''then,''' add the following:

<pre>
Host *.phx2.fedoraproject.org *.fedoraproject.org fedorahosted.org *.fedorahosted.org fedorapeople.org
    User FAS_USERNAME

# Add other machines to the Host line below as desired.
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.*
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
</pre>

One slight annoyance with this method is that you must include the .phx2.fedoraproject.org part when you SSH to Fedora machines in order for the connection to be tunneled through bastion. If this is an issue, here are two possible ways to avoid it:

1. You can add aliases for each of the Fedora machines you log in to by modifying the Host line. Keep the comment on its own line: older OpenSSH does not understand trailing comments in ssh_config and would read the words after # as further host patterns.
<pre>
# List all hosts here.
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.* puppet01 noc01
</pre>
2. You can proxy everything through bastion by default and exclude hosts that you connect to directly. ssh_config keeps the first value it finds for each option, so the exclusion block must come before the Host * block:
<pre>
# List all hosts you SSH to that are NOT Fedora machines.
# Make sure to include bastion here as well, otherwise the connection
# to bastion would itself be proxied through bastion.
Host allyourlocalmachines bastion.fedoraproject.org
    ProxyCommand none

Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
</pre>
Keep in mind that if bastion ever goes down and you need to access things, you'll want to comment this section out.

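Both configurations above depend on how OpenSSH evaluates ssh_config: it walks the file from top to bottom and, for each option, keeps the first value it obtains, so block order decides what a given host gets. The following Python is an added example, not part of this SOP or of OpenSSH. It resolves the effective options for a hostname with those semantics (a simplified matcher that handles the *, ? and ! pattern forms only) and runs it over constructed copies of the page's configs to show two things the text states but does not demonstrate: that puppet01 without the .phx2.fedoraproject.org suffix is not proxied under the first config, and that putting the ProxyCommand none block after Host * makes the bastion connection proxy through bastion itself, which would recurse without end.

```python
"""Resolve effective ssh_config options the way OpenSSH does: the FIRST value
obtained for an option wins, so block order matters. Added example for this
page (not Fedora Infrastructure or OpenSSH code); the config texts below are
constructed from the snippets in the SSH configuration section."""
import fnmatch


def host_matches(patterns, hostname):
    """OpenSSH 'Host' semantics: match if any positive pattern matches and
    no negated (!pattern) pattern matches. Uses fnmatch for * and ?."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def parse_ssh_config(text):
    """Return a list of (patterns, {option: value}) blocks in file order.
    Options before the first Host line belong to an implicit 'Host *'.
    Only whole-line # comments are stripped, like older OpenSSH."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1] if len(parts) > 1 else ""
        if key == "host":
            blocks.append((rest.split(), {}))
        else:
            blocks[-1][1].setdefault(key, " ".join(rest.split()))
    return blocks


def resolve(text, hostname):
    """Effective options for hostname: first obtained value per option wins."""
    hostname = hostname.lower()
    effective = {}
    for patterns, opts in parse_ssh_config(text):
        if host_matches(patterns, hostname):
            for key, value in opts.items():
                effective.setdefault(key, value)
    return effective


def proxy_target(effective):
    """Jump host named in a 'ssh -W %h:%p <jump>' ProxyCommand, or None when
    there is no proxy (option absent or set to 'none')."""
    cmd = effective.get("proxycommand")
    if cmd is None or cmd == "none":
        return None
    return cmd.split()[-1]


def proxy_loops(text, hostname):
    """True when following the ProxyCommand chain revisits a host, i.e. ssh
    would recurse (for example bastion being proxied through bastion)."""
    seen = set()
    while hostname is not None:
        if hostname in seen:
            return True
        seen.add(hostname)
        hostname = proxy_target(resolve(text, hostname))
    return False


# Constructed: the first config from the page.
BASIC = """
Host *.phx2.fedoraproject.org *.fedoraproject.org fedorahosted.org *.fedorahosted.org fedorapeople.org
    User FAS_USERNAME

Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.*
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
"""

# Constructed: option 2 from the page, exclusions first (correct order).
CORRECT = """
Host allyourlocalmachines bastion.fedoraproject.org
    ProxyCommand none

Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
"""

# Constructed: the same blocks with the order swapped (the mistake to avoid).
SWAPPED = """
Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org

Host allyourlocalmachines bastion.fedoraproject.org
    ProxyCommand none
"""

if __name__ == "__main__":
    print("puppet01 proxied under BASIC:",
          proxy_target(resolve(BASIC, "puppet01")) is not None)
    for name, cfg in (("CORRECT", CORRECT), ("SWAPPED", SWAPPED)):
        print(name, "bastion ProxyCommand:",
              resolve(cfg, "bastion.fedoraproject.org").get("proxycommand"),
              "| chain loops:", proxy_loops(cfg, "puppet01.phx2.fedoraproject.org"))
```

The same check can be done against a real config with `ssh -G hostname`, which prints the options OpenSSH actually resolved; the script above only makes the first-match rule visible without touching your own ~/.ssh/config.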
=== SSH Agent forwarding ===

You should normally have:

<pre>
ForwardAgent no
</pre>

for Fedora hosts (this is the default in OpenSSH). You can override it on a per-session basis by using '-A' with ssh. A forwarded agent can be misused if you connect to a compromised host with forwarding on: anyone who controls that host can use your agent to authenticate as you to anything your keys grant access to, for as long as you stay logged in. If you do need agent forwarding (say for copying files between machines), remember to log out as soon as you are done so that your agent is not left exposed.

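The reason a forwarded agent is exposed is that the ssh-agent protocol carries no authentication of its own: whoever can open the forwarded socket (its path is in $SSH_AUTH_SOCK on the remote host, so root there can always reach it) can list your keys and ask the agent to sign with them. The following Python is an added example, not code from this SOP or from OpenSSH. It speaks the agent protocol (message types 11 and 12, the identities request and answer) against a stand-in agent that it starts itself on a temporary Unix socket, so it runs offline; the key blobs and comments are constructed placeholders, not real keys.

```python
"""Enumerate an ssh-agent over its Unix socket exactly as a process on a
compromised remote host could do with a forwarded agent. Added example for
this page (not Fedora Infrastructure or OpenSSH code). The 'agent' here is a
constructed stand-in that answers the identities request; the blobs it hands
out are placeholders, not real public keys."""
import os
import socket
import struct
import tempfile
import threading

SSH_AGENTC_REQUEST_IDENTITIES = 11  # client -> agent: list loaded keys
SSH_AGENT_IDENTITIES_ANSWER = 12    # agent -> client: key blobs and comments
SSH_AGENTC_SIGN_REQUEST = 13        # client -> agent: sign data with a key
SSH_AGENT_FAILURE = 5


def ssh_string(b):
    """Length-prefixed string as used throughout the SSH wire formats."""
    return struct.pack(">I", len(b)) + b


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def recv_message(sock):
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)


def send_message(sock, payload):
    sock.sendall(ssh_string(payload))


def read_string(data, offset):
    (length,) = struct.unpack_from(">I", data, offset)
    offset += 4
    return data[offset:offset + length], offset + length


def list_identities(sock_path):
    """What an attacker on the remote host runs against your forwarded agent.
    Note that nothing is presented except the socket path: possession of the
    socket is the only credential the agent protocol knows about."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        send_message(s, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
        reply = recv_message(s)
    if reply[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise RuntimeError("agent refused the identities request")
    (count,) = struct.unpack_from(">I", reply, 1)
    offset, keys = 5, []
    for _ in range(count):
        blob, offset = read_string(reply, offset)
        comment, offset = read_string(reply, offset)
        keys.append((blob, comment.decode()))
    return keys


def serve_fake_agent(listener, identities):
    """Stand-in agent: serves one connection. Answers REQUEST_IDENTITIES with
    the constructed keys; a real agent would also honour SIGN_REQUEST, which
    is exactly what lets the remote side authenticate as you."""
    conn, _ = listener.accept()
    with conn:
        req = recv_message(conn)
        if req[0] == SSH_AGENTC_REQUEST_IDENTITIES:
            body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
            for blob, comment in identities:
                body += ssh_string(blob) + ssh_string(comment.encode())
            send_message(conn, body)
        else:  # includes SSH_AGENTC_SIGN_REQUEST: this stand-in never signs
            send_message(conn, bytes([SSH_AGENT_FAILURE]))


def demo():
    """Start the stand-in agent on a temporary socket (standing in for the
    forwarded $SSH_AUTH_SOCK) and enumerate it. Returns the key comments
    the 'attacker' learned without presenting any credential."""
    identities = [(b"constructed-blob-1", "FAS_USERNAME@laptop"),
                  (b"constructed-blob-2", "deploy-key")]
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "agent.sock")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.listen(1)
    worker = threading.Thread(target=serve_fake_agent, args=(listener, identities), daemon=True)
    worker.start()
    try:
        return [comment for _, comment in list_identities(sock_path)]
    finally:
        worker.join(timeout=2)
        listener.close()
        os.unlink(sock_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print("keys reachable through the forwarded socket:", demo())
```

On a real forwarded session the same enumeration is one line on the remote host, `ssh-add -l`, which is why the page's advice stands: leave ForwardAgent off, use -A only for the session that needs it, and log out as soon as you are done.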
=== Troubleshooting ===

* 'channel 0: open failed: administratively prohibited: open failed': If you receive this message for a machine proxied through bastion, then bastion was unable to connect to the host. This most likely means that you tried to SSH to a nonexistent machine. You can debug this by trying to connect to that machine from bastion.
* If your local username is different from the one registered in FAS, please remember to set up a '''User''' entry (like above) where you specify your FAS username. If that's missing, SSH will try to log in using your local username, and it will fail.
* ssh -vv is very handy for debugging which config sections are matching and which are not.
* If you get access denied several times in a row, please consult with #fedora-admin. If you try too many times with an invalid config, your IP could be added to denyhosts.
* If you are running an OpenSSH version older than 5.4, the -W option is not available. In that case, use the following ProxyCommand line instead (it relies on nc being installed on bastion):
<pre>
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
</pre>

[[Category:Infrastructure SOPs]]