SSH Access Infrastructure SOP

From FedoraProject

{{header|infra}}

{{shortcut|ISOP:SSHACCESS}}
This SOP has moved to the Fedora Infrastructure SOP git repo. Please see the current document at: http://infrastructure.fedoraproject.org/infra/docs/sshaccess.txt

== Contact Information ==

For changes, questions or comments, please contact anyone in the Fedora Infrastructure team.
Owner: sysadmin-main

Contact: #fedora-admin or admin@fedoraproject.org

Location: PHX2

Servers: All PHX2 and VPN Fedora machines

Purpose: Access via ssh to Fedora project machines.
 
=== Introduction ===

This page describes how you can safely log in to Fedora PHX2 machines using public key authentication. As of 2011-05-27, all machines require an SSH key for access; password authentication no longer works. Note that this SOP has nothing to do with actually gaining access to specific machines: for that you MUST be in the correct group for shell access to that machine. This SOP simply describes the process once you do have valid and appropriate shell access to a machine.
 
=== SSH configuration ===

'''First of all: (on your local machine)'''

<pre>
nano ~/.ssh/config
</pre>

'''then,''' add the following:

<pre>
Host *.phx2.fedoraproject.org *.fedoraproject.org fedorahosted.org *.fedorahosted.org fedorapeople.org
    User FAS_USERNAME

# Add other machines to this line as desired.
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.* *.vpn.fedoraproject.org
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
</pre>

One slight annoyance with this method is that you must include the .phx2.fedoraproject.org part when you SSH to Fedora machines in order for the connection to be tunneled through bastion. If this is an issue, here are two possible ways to avoid it:

1. You can add aliases for each of the Fedora machines you log in to by modifying the Host line:
<pre>
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.* *.vpn.fedoraproject.org puppet01 noc01 # list all hosts here
</pre>

2. You can proxy everything through bastion by default and exclude the hosts that you connect to directly (bastion itself must be in the excluded list, placed before the catch-all entry, or ssh would try to reach bastion through bastion):
<pre>
# List all hosts you SSH to that are NOT Fedora machines;
# make sure to include bastion here as well!
Host allyourlocalmachines bastion.fedoraproject.org
    ProxyCommand none

Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
</pre>

Keep in mind that if bastion ever goes down and you need to access things, you'll want to comment this section out.
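As an added example (not part of the SOP), the following Python script resolves an ssh_config the way OpenSSH does, where the first obtained value for each keyword wins, and checks that the bastion exclusion really takes effect before the catch-all "Host *" entry. The sample configs are constructed from the layout above, and the parser is deliberately simplified: Host stanzas only, no Match blocks, negated patterns or Include directives.

```python
import fnmatch

# Constructed sample (not the SOP's text verbatim): the "proxy everything by
# default" layout, with the bastion exclusion placed BEFORE the catch-all Host *.
GOOD_CONFIG = """Host *.phx2.fedoraproject.org *.fedoraproject.org
    User FAS_USERNAME

Host allyourlocalmachines bastion.fedoraproject.org
    ProxyCommand none

Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
"""

# The same stanzas with the catch-all first: ssh would then try to reach
# bastion by proxying through bastion, which can never connect.
BAD_CONFIG = """Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
Host allyourlocalmachines bastion.fedoraproject.org
    ProxyCommand none
"""

def parse_config(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) stanzas, in file order."""
    stanzas = [(["*"], {})]  # keywords before any Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            stanzas.append((value.split(), {}))
        else:
            stanzas[-1][1].setdefault(keyword, value)
    return stanzas

def effective_options(text, hostname):
    """Resolve keywords the way ssh does: the first obtained value for each one wins."""
    resolved = {}
    for patterns, options in parse_config(text):
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for keyword, value in options.items():
                resolved.setdefault(keyword, value)
    return resolved

def proxies_through_itself(text, bastion):
    """True if reaching the bastion would itself be proxied via the bastion (a loop)."""
    cmd = effective_options(text, bastion).get("proxycommand", "none")
    return cmd != "none" and bastion in cmd
```

Resolving puppet01.phx2.fedoraproject.org against GOOD_CONFIG yields the User and the bastion ProxyCommand, while bastion itself resolves to ProxyCommand none; against BAD_CONFIG the bastion lookup picks up the catch-all ProxyCommand and proxies_through_itself reports the loop.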
 
 
=== SSH Agent forwarding ===

You should normally have:

<pre>
ForwardAgent no
</pre>

for Fedora hosts (this is the default in OpenSSH). You can override this on a per-session basis by using '-A' with ssh. SSH agents can be misused if you connect to a compromised host with forwarding on: the attacker can use your agent to authenticate as you to anything you have access to, for as long as you are logged in. Additionally, if you do need SSH agent forwarding (say for copying files between machines), remember to log out as soon as you are done so as not to leave your agent exposed.
 
 
=== Troubleshooting ===

* 'channel 0: open failed: administratively prohibited: open failed': If you receive this message for a machine proxied through bastion, then bastion was unable to connect to the host. This most likely means that you tried to SSH to a nonexistent machine. You can debug this by trying to connect to that machine from bastion.

* If your local username is different from the one registered in FAS, remember to set a '''User''' entry (as above) specifying your FAS username. If it is missing, SSH will try to log in using your local username and will fail.

* ssh -vv is very handy for debugging which sections are matching and which are not.

* If you get access denied several times in a row, please consult with #fedora-admin. If you try too many times with an invalid config your IP could be added to denyhosts.

* If you are running an OpenSSH version older than 5.4, the -W option is not available. In that case, use the following ProxyCommand line instead:
<pre>
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
</pre>

[[Category:Infrastructure SOPs]]

Latest revision as of 19:03, 19 December 2011
