SSH Access Infrastructure SOP

From FedoraProject

(Difference between revisions)
(fix line)
(Some restructuring and additions.)
Line 8: Line 8:
 
Contact: #fedora-admin or admin@fedoraproject.org
 
Contact: #fedora-admin or admin@fedoraproject.org
  
Location: All fedora machines
+
Location: PHX2
  
Servers: All fedora machines
+
Servers: All PHX2 Fedora machines
  
 
Purpose: Access via ssh to Fedora project machines.  
 
Purpose: Access via ssh to Fedora project machines.  
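Review bot: Location and Servers are narrowed to PHX2 in this hunk, but the unchanged Purpose line right below still reads "Access via ssh to Fedora project machines" in general, so the header now disagrees with itself about scope; either narrow Purpose to match (for example "Access via ssh to Fedora PHX2 machines through bastion") or keep Servers as "All Fedora machines".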
Line 16: Line 16:
 
=== Introduction ===
 
=== Introduction ===
  
This page will contain some useful instructions about how you can safely login into Fedora internal machines successfully using a PubAuthKey authentication. As of 2011-05-27, all machines require a SSH key to access. Password authentication will no longer work. Note that this SOP has nothing
+
This page will contain some useful instructions about how you can safely
to do with actually gaining access to specific machines. For that you MUST be in the correct group for shell access to that machine. This SOP
+
login into Fedora PHX2 machines successfully using a public key
simply describes the process once you do have valid and appropriate shell access to a machine.  
+
authentication. As of 2011-05-27, all machines require a SSH key to
 +
access. Password authentication will no longer work. Note that this SOP
 +
has nothing to do with actually gaining access to specific machines. For
 +
that you MUST be in the correct group for shell access to that machine.
 +
This SOP simply describes the process once you do have valid and
 +
appropriate shell access to a machine.  
  
=== Single host example ===
+
=== SSH configuration ===
  
 
'''First of all: (on your local machine)'''
 
'''First of all: (on your local machine)'''
  
 
<pre>
 
<pre>
cd /home/user/.ssh
+
nano ~/.ssh/config
touch config && nano config
+
 
</pre>
 
</pre>
  
'''Note:''' You'll need to create an entry for every internal machine you plan to log in to, or create wildcard entries.
+
'''then,''' add the following:
  
'''Note2:''' This example is valid only if you are trying to login into puppet01 to commit your changes to Infrastructure's Puppet tree. (see Note1)
+
<pre>
 +
Host *.phx2.fedoraproject.org *.fedoraproject.org fedorahosted.org *.fedorahosted.org fedorapeople.org
 +
    User FAS_USERNAME
  
'''then,''' edit it as it follows:
+
# Add other machines to this line as desired.
 
+
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.*
<pre>
+
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
Host puppet01 puppet1 puppet01.fedoraproject.org
+
  Hostname %h (or if it doesn't resolve, go ahead to the troubleshooting section)
+
  User FASUID (you don't need this if your local UID and your FAS one correspond)
+
  ProxyCommand ssh -q FASUID@bastion.fedoraproject.org /usr/bin/nc %h 22
+
 
</pre>
 
</pre>
  
=== WildCard setup example ===
+
One slight annoyance with this method is that you must include the
 
+
.phx2.fedoraproject.org part when you SSH to Fedora machines in order
You can also setup wildcards so you don't have to enter a entry as above for each host.  
+
for the connection to be tunneled through bastion. If this is an issue,
 +
here are two possible ways to avoid it:
  
 +
1. You can add aliases for each of the Fedora machines you login to by
 +
modifying the Host line:
 
<pre>
 
<pre>
 +
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.* puppet01 noc01 # list all hosts here
 +
</pre>
 +
2. You can proxy everything through bastion by default and exclude hosts
 +
that you connect to directly:
 +
<pre>
 +
# List all host you SSH to that are NOT Fedora machines
 +
# make sure to include bastion here as well!
 
Host allyourlocalmachines bastion.fedoraproject.org  
 
Host allyourlocalmachines bastion.fedoraproject.org  
(add here any host you ssh to that is NOT a Fedora machine as well as bastion)
+
    ProxyCommand none
  ProxyCommand none
+
  
 
Host *
 
Host *
  Hostname %h
+
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
  ProxyCommand ssh -q %u@bastion.fedoraproject.org /usr/bin/nc %h 22
+
 
</pre>
 
</pre>
 
+
Keep in mind that if bastion ever goes down and you need to access
This will match the first entry for those specific hosts you wish to go to directly, and pass all the rest via bastion.
+
things, you'll want to comment this section out.
You may need to set:
+
 
+
<pre>
+
export LOCALDOMAIN="fedoraproject.org vpn.fedoraproject.org phx2.fedoraproject.org"
+
</pre>
+
 
+
In order to do simple 'ssh puppet01' type commands.  
+
  
 
=== SSH Agent forwarding ===
 
=== SSH Agent forwarding ===
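Review bot: option 2 only works because `Host allyourlocalmachines bastion.fedoraproject.org` / `ProxyCommand none` precedes `Host *` (ssh_config uses the first value obtained for each option), and the text should say so explicitly; a reader who appends the exclusion after `Host *` ends up with bastion proxied through itself. Second, dropping the `User FASUID` line from the proxy stanza means the bare aliases (`puppet01`, `noc01`) and the 10.5.x.x addresses in option 1 no longer match the stanza that sets `User FAS_USERNAME`; only the inner hop to bastion picks it up, and the final hop falls back to the local username, so either add the aliases to the first Host line as well or keep a User line in the proxy stanza. Third, the trailing `# list all hosts here` comment on the Host line is safer on its own line above it, as the other comments in this hunk are.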
Line 70: Line 73:
  
 
<pre>
 
<pre>
    ForwardAgent no
+
ForwardAgent no
 
</pre>
 
</pre>
  
For Fedora hosts. You can override this on a session basis by using '-A' with ssh. SSH agents could be misused if you connect to a compromised
+
For Fedora hosts (this is the default in OpenSSH). You can override this
host with forwarding on (the attacker can use your agent to authenticate them to anything you have access to as long as you are logged in).  
+
on a per-session basis by using '-A' with ssh. SSH agents could be
Additionally, if you do need ssh agent forwarding (say for copying files between machines), you should remember to logout as soon as you are  
+
misused if you connect to a compromised host with forwarding on (the
done to not leave your agent exposed.  
+
attacker can use your agent to authenticate them to anything you have
 +
access to as long as you are logged in). Additionally, if you do need
 +
SSH agent forwarding (say for copying files between machines), you
 +
should remember to logout as soon as you are done to not leave your
 +
agent exposed.  
  
 
=== Troubleshooting: ===
 
=== Troubleshooting: ===
  
* 'nc: getaddrinfo: Name or service not known', replace '''Hostname %h''' with '''Hostname 10.5.126.23''' (this is puppet's IP, so it will be different by machine to machine)
+
* 'channel 0: open failed: administratively prohibited: open failed': If you receive this message for a machine proxied through bastion, then bastion was unable to connect to the host. This most likely means that tried to SSH to a nonexistent machine. You can debug this by trying to connect to that machine from bastion.
* if your local UID is different from the one registered in FAS, please remember to set up a '''User''' variable (like above) where you specify your FAS UID. If that's missing SSH will try to login by using your local UID, thus it will fail.
+
* if your local username is different from the one registered in FAS, please remember to set up a '''User''' variable (like above) where you specify your FAS username. If that's missing SSH will try to login by using your local username, thus it will fail.
* If you can't resolve a hostname like 'puppet01' you may need the LOCALDOMAIN export above.  
+
 
* ssh -vv is very handy for debugging what sections are matching and what are not.  
 
* ssh -vv is very handy for debugging what sections are matching and what are not.  
 
* If you get access denied several times in a row, please consult with #fedora-admin. If you try too many times with an invalid config your IP could be added to denyhosts.  
 
* If you get access denied several times in a row, please consult with #fedora-admin. If you try too many times with an invalid config your IP could be added to denyhosts.  
 +
* If you are running an OpenSSH version less than 5.4, then the -W option is not avaliable.  In that case, use the following ProxyCommand line instead:
 +
<pre>
 +
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
 +
</pre>
  
 
[[Category:Infrastructure SOPs]]
 
[[Category:Infrastructure SOPs]]
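Review bot: two typos in the new troubleshooting text: "means that tried to SSH" is missing "you", and "avaliable" should be "available". The "administratively prohibited" explanation is also incomplete: that is the same failure bastion's sshd returns when TCP forwarding is not permitted for the account, so a nonexistent machine is not the only cause; trying the connection from bastion, as the text already suggests, tells the two apart. The pre-5.4 fallback `ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p` relies on the first stanza to supply the bastion username exactly as the -W form does, and on nc being installed on bastion; worth one sentence.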

Revision as of 16:30, 28 May 2011

Shortcut: ISOP:SSHACCESS


Contact Information

Owner: sysadmin-main

Contact: #fedora-admin or admin@fedoraproject.org

Location: PHX2

Servers: All PHX2 Fedora machines

Purpose: Access via ssh to Fedora project machines.

Introduction

This page describes how to log in to Fedora PHX2 machines with public key authentication, tunnelled through the bastion host. As of 2011-05-27, all machines require an SSH key; password authentication no longer works. Note that this SOP has nothing to do with actually gaining access to specific machines: for that you MUST be in the correct group for shell access to that machine. This SOP only describes the client-side setup once you have valid and appropriate shell access to a machine.

SSH configuration

First of all: (on your local machine)

nano ~/.ssh/config

then, add the following:

# Username for every Fedora host, including bastion itself (the inner hop of the ProxyCommand below).
Host *.phx2.fedoraproject.org *.fedoraproject.org fedorahosted.org *.fedorahosted.org fedorapeople.org
    User FAS_USERNAME

# Hosts reachable only through bastion. Add other machines to this line as desired.
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.*
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org

One slight annoyance with this method is that you must type the full name, including the .phx2.fedoraproject.org part, when you SSH to a Fedora machine, or the connection will not be tunnelled through bastion. If this is an issue, here are two possible ways to avoid it:

1. You can add aliases for each of the Fedora machines you log in to by modifying the Host line:

# list all hosts here
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.* puppet01 noc01

Note that a bare alias such as puppet01 is passed to bastion unchanged (via %h) and resolved there, and that it does not match the Host line that sets User FAS_USERNAME above; if your local username differs from your FAS username, add the aliases to that line as well.

2. You can proxy everything through bastion by default and exclude the hosts you connect to directly. ssh uses the first value it obtains for each option, so the exclusion block must come before the Host * block:

# List all hosts you SSH to that are NOT Fedora machines.
# Make sure to include bastion here as well, or it will be proxied through itself!
Host allyourlocalmachines bastion.fedoraproject.org
    ProxyCommand none

Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org

Keep in mind that if bastion ever goes down and you need to access things, you'll want to comment this section out.
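The layouts above differ only in stanza order and wildcard coverage, and ssh's rule that the first value obtained for an option wins decides what actually happens for each host. The following Python resolver is an added example, not part of this SOP or of Fedora Infrastructure's tooling: it models that rule for Host, User, ProxyCommand and ForwardAgent and runs three configurations, constructed from the stanzas on this page, against a handful of host names. The host names, the `myworkstation` placeholder, the local username `localuser` and the deliberately misordered third config are assumptions for illustration. It shows that bastion is never proxied when the `ProxyCommand none` block comes first, that the same block placed after `Host *` sends bastion through itself, and that a bare alias such as `puppet01` or an IP address is tunnelled through bastion but does not pick up `User FAS_USERNAME` for the final hop.

```python
"""Minimal ssh_config resolver: which User / ProxyCommand / ForwardAgent does ssh
end up using for a given host?  Added example for this SOP, not Fedora's code.
Models only what this page's stanzas need: Host lines with '*'/'?' wildcards and
'!' negation, first-obtained-value-wins, and 'ProxyCommand none' (no Match/Include).
Host names, IPs and the three configs below are constructed from the SOP text."""
import fnmatch

TRACKED = {"user": "User", "proxycommand": "ProxyCommand", "forwardagent": "ForwardAgent"}
DEFAULTS = {"User": None, "ProxyCommand": None, "ForwardAgent": "no"}  # OpenSSH defaults

def parse_ssh_config(text):
    """[(host_patterns, {option: value}), ...] in file order; options before the
    first Host line apply to every host."""
    stanzas, patterns, options = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            stanzas.append((patterns, options))
            patterns, options = [], {}
            for tok in value.split():
                if tok.startswith("#"):  # OpenSSH ends a Host line at a '#' token
                    break
                patterns.append(tok.lower())
        elif key in TRACKED:
            options[TRACKED[key]] = value
    stanzas.append((patterns, options))
    return stanzas

def host_matches(patterns, host):
    """Any positive pattern may match, but a matching '!' pattern vetoes the line."""
    host, matched = host.lower(), False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched

def resolve(config_text, host, port=22, local_user="localuser"):
    """Walk stanzas top to bottom; the FIRST value obtained for each option wins
    (ssh_config(5)).  ProxyCommand tokens %h %p %r %u are expanded."""
    effective, seen = dict(DEFAULTS), set()
    for patterns, options in parse_ssh_config(config_text):
        if not host_matches(patterns, host):
            continue
        for key, value in options.items():
            if key in seen:
                continue
            seen.add(key)
            if key == "ProxyCommand" and value.lower() == "none":
                value = None  # 'none' disables proxying and still counts as obtained
            effective[key] = value
    if effective["ProxyCommand"]:
        remote_user = effective["User"] or local_user
        effective["ProxyCommand"] = (effective["ProxyCommand"].replace("%h", host)
                                     .replace("%p", str(port)).replace("%r", remote_user)
                                     .replace("%u", local_user))
    return effective

# Constructed from the SOP's "SSH configuration" section, with option 1's aliases added.
SOP_CONFIG = """
Host *.phx2.fedoraproject.org *.fedoraproject.org fedorahosted.org *.fedorahosted.org fedorapeople.org
    User FAS_USERNAME
Host *.phx2.fedoraproject.org 10.5.125.* 10.5.126.* 10.5.127.* puppet01 noc01 # list all hosts here
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
"""
# Constructed from the SOP's option 2: proxy everything except explicitly listed hosts.
PROXY_ALL_CONFIG = """
Host *.fedoraproject.org
    User FAS_USERNAME
Host myworkstation bastion.fedoraproject.org
    ProxyCommand none
Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
"""
# The same stanzas in the wrong order: a constructed misconfiguration, not from the SOP.
MISORDERED_CONFIG = """
Host *
    ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
Host myworkstation bastion.fedoraproject.org
    ProxyCommand none
"""
SAMPLE_HOSTS = ["puppet01.phx2.fedoraproject.org", "puppet01", "10.5.126.23",
                "fedorapeople.org", "bastion.fedoraproject.org", "myworkstation"]

def routing_table(config_text, hosts=SAMPLE_HOSTS):
    """host -> (effective User, expanded ProxyCommand or None)."""
    return {h: (r["User"], r["ProxyCommand"]) for h in hosts for r in [resolve(config_text, h)]}

if __name__ == "__main__":
    for name, cfg in (("SOP", SOP_CONFIG), ("proxy-all", PROXY_ALL_CONFIG), ("misordered", MISORDERED_CONFIG)):
        for host, (user, proxy) in routing_table(cfg).items():
            print(f"{name:10} {host:34} user={user or '<local>':13} proxy={proxy}")
```

On OpenSSH 6.8 and later, `ssh -G puppet01.phx2.fedoraproject.org | grep -iE '^(user|proxycommand|forwardagent) '` prints the values the real client would use after applying the same rules, and is the check to run after editing ~/.ssh/config.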

SSH Agent forwarding

You should normally have:

ForwardAgent no

for Fedora hosts (this is the OpenSSH default). You can override it per session with 'ssh -A'. A forwarded agent can be misused if you connect to a compromised host with forwarding on: anyone with root on that host can talk to your forwarded agent socket and use it to authenticate as you to anything your keys grant access to, for as long as your session is open. If you do need agent forwarding (say, for copying files between machines), log out as soon as you are done so your agent is not left exposed.
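To make the caveat above concrete, here is an added example (not part of the SOP) of the agent protocol exchange an attacker with root on a compromised host can run against your forwarded agent socket: list the identities, then request a signature over a challenge. A fake in-process agent stands in for ssh-agent so it runs offline; its key blob, comment and 'signature' are constructed placeholders, and the session-id bytes are an assumption. The real-world equivalent is `ssh-add -L` run on the remote host while your session is open: whatever that prints, root there can sign with.

```python
"""Why the SOP says 'ForwardAgent no': anything that can open the forwarded
$SSH_AUTH_SOCK on the remote host can list your keys and obtain signatures from
your agent without ever seeing a private key.  Added example, not part of the
SOP.  A fake in-process agent replaces ssh-agent so the exchange runs offline;
its key blob and 'signature' are constructed and not cryptographically valid.
Message numbers are those of the OpenSSH agent protocol (draft-miller-ssh-agent)."""
import hashlib, os, socket, struct, tempfile, threading

SSH_AGENTC_REQUEST_IDENTITIES, SSH_AGENT_IDENTITIES_ANSWER = 11, 12
SSH_AGENTC_SIGN_REQUEST, SSH_AGENT_SIGN_RESPONSE = 13, 14

def ssh_string(b):
    """SSH wire 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

# Constructed stand-ins for the victim's key; a real blob carries the real public key.
FAKE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x11" * 32)
FAKE_COMMENT = b"victim@laptop"

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("agent connection closed")
        data += chunk
    return data

def send_msg(sock, payload):
    sock.sendall(ssh_string(payload))  # every agent message is length-prefixed

def recv_msg(sock):
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, n)

def fake_signature(key_blob, data):
    """Deterministic placeholder for what ssh-agent would return (NOT a real Ed25519 signature)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(key_blob + data).digest())

def fake_agent_serve(listener):
    """Stand-in for ssh-agent: answers identity and sign requests until the listener goes away."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:  # listener closed or timed out: the demo is over
            return
        with conn:
            try:
                while True:
                    msg = recv_msg(conn)
                    if msg[0] == SSH_AGENTC_REQUEST_IDENTITIES:
                        body = struct.pack(">I", 1) + ssh_string(FAKE_KEY_BLOB) + ssh_string(FAKE_COMMENT)
                        send_msg(conn, bytes([SSH_AGENT_IDENTITIES_ANSWER]) + body)
                    elif msg[0] == SSH_AGENTC_SIGN_REQUEST:
                        key_blob, off = read_string(msg, 1)
                        data, _ = read_string(msg, off)  # a uint32 flags field follows; unused here
                        # The private key never leaves the agent; only a signature does.
                        send_msg(conn, bytes([SSH_AGENT_SIGN_RESPONSE]) + ssh_string(fake_signature(key_blob, data)))
            except ConnectionError:
                pass

def list_identities(sock_path):
    """What root on a compromised host sees via your forwarded socket: [(key_type, comment), ...]."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        send_msg(s, bytes([SSH_AGENTC_REQUEST_IDENTITIES]))
        reply = recv_msg(s)
    (count,) = struct.unpack_from(">I", reply, 1)  # byte 0 is SSH_AGENT_IDENTITIES_ANSWER
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(reply, off)
        comment, off = read_string(reply, off)
        keys.append((read_string(blob, 0)[0].decode(), comment.decode()))
    return keys

def sign_with_agent(sock_path, key_blob, data):
    """Ask the agent to sign 'data' (in a real login: the target server's session ID)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        send_msg(s, bytes([SSH_AGENTC_SIGN_REQUEST]) + ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", 0))
        reply = recv_msg(s)
    return read_string(reply, 1)[0]  # byte 0 is SSH_AGENT_SIGN_RESPONSE

def demo(target_session_id=b"session-id-of-a-server-the-victim-can-reach"):
    """Run the fake agent and the 'attacker' in one process; return (keys, signature)."""
    sock_path = os.path.join(tempfile.mkdtemp(), "agent.sock")  # plays the role of $SSH_AUTH_SOCK
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(sock_path)
    listener.listen(2)
    listener.settimeout(5)  # lets the agent thread exit on its own after the demo
    threading.Thread(target=fake_agent_serve, args=(listener,), daemon=True).start()
    keys = list_identities(sock_path)
    sig = sign_with_agent(sock_path, FAKE_KEY_BLOB, target_session_id)
    listener.close()
    return keys, sig

if __name__ == "__main__":
    keys, sig = demo()
    print("keys usable from the compromised host:", keys, "\nsignature obtained:", sig.hex())
```

The point the code makes: no private key is ever transmitted, only signatures, and a signature over the target server's session ID is all public-key authentication needs, so the attacker can log in as you anywhere your key is authorized for as long as the forwarded session exists. That is why the SOP keeps ForwardAgent off and tells you to log out as soon as a forwarding session is finished.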

Troubleshooting:

  • 'channel 0: open failed: administratively prohibited: open failed': If you receive this message for a machine proxied through bastion, then bastion was unable to connect to the host. This most likely means that you tried to SSH to a nonexistent machine (the same message is also what bastion returns if TCP forwarding is not permitted for your account). You can debug this by logging in to bastion and trying to connect to that machine from there.
  • If your local username is different from the one registered in FAS, remember to set the User option (as above) to your FAS username. If it is missing, SSH will try to log in with your local username and fail.
  • ssh -vv is very handy for debugging which config sections match and which do not.
  • If you get access denied several times in a row, please consult #fedora-admin. If you try too many times with an invalid config, your IP could be added to denyhosts.
  • If you are running an OpenSSH version older than 5.4, the -W option is not available. In that case use the following ProxyCommand line instead (it relies on nc being installed on bastion):
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p