2021-07-26 10:39:47 +02:00
|
|
|
= SSH Access Infrastructure SOP
|
|
|
|
|
|
|
|
|
|
== Contents
|
|
|
|
|
|
|
|
|
|
[arabic]
|
2021-09-10 15:06:06 +02:00
|
|
|
* <<_contact_information>>
|
|
|
|
|
* <<_introduction>>
|
|
|
|
|
* <<_ssh_configuration>>
|
|
|
|
|
* <<_ssh_agent_forwarding>>
|
|
|
|
|
* <<_troubleshooting>>
|
2021-07-26 10:39:47 +02:00
|
|
|
|
|
|
|
|
== Contact Information
|
|
|
|
|
|
|
|
|
|
Owner::
|
|
|
|
|
sysadmin-main
|
|
|
|
|
Contact::
|
|
|
|
|
#fedora-admin or admin@fedoraproject.org
|
|
|
|
|
Location::
|
|
|
|
|
IAD2
|
|
|
|
|
Servers::
|
|
|
|
|
All IAD2 and VPN Fedora machines
|
|
|
|
|
Purpose::
|
|
|
|
|
Access via ssh to Fedora project machines.
|
|
|
|
|
|
|
|
|
|
== Introduction
|
|
|
|
|
|
|
|
|
|
This page will contain some useful instructions about how you can safely
|
2021-09-10 15:06:06 +02:00
|
|
|
login into Fedora IAD2 machines successfully using a public key
|
2021-07-26 10:39:47 +02:00
|
|
|
authentication. As of 2011-05-27, all machines require a SSH key to
|
|
|
|
|
access. Password authentication will no longer work. Note that this SOP
|
|
|
|
|
has nothing to do with actually gaining access to specific machines. For
|
|
|
|
|
that you MUST be in the correct group for shell access to that machine.
|
|
|
|
|
This SOP simply describes the process once you do have valid and
|
|
|
|
|
appropriate shell access to a machine.
|
|
|
|
|
|
|
|
|
|
== SSH configuration
|
|
|
|
|
|
|
|
|
|
First of all: (on your local machine):
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
vi ~/.ssh/config
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
====
|
|
|
|
|
This file, and any keys, need to be chmod 600, or you will get a "Bad
|
|
|
|
|
owner or permissions" error. The .ssh directory must be mode 700.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
then, add the following:
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
Host bastion.fedoraproject.org
|
|
|
|
|
HostName bastion-iad01.fedoraproject.org
|
|
|
|
|
User FAS_USERNAME (all lowercase)
|
|
|
|
|
ProxyCommand none
|
|
|
|
|
ForwardAgent no
|
|
|
|
|
Host *.iad2.fedoraproject.org *.qa.fedoraproject.org 10.3.160.* 10.3.161.* 10.3.163.* 10.3.165.* 10.3.167.* *.vpn.fedoraproject.org batcave01
|
|
|
|
|
User FAS_USERNAME (all lowercase)
|
|
|
|
|
ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
How ProxyCommand works?
|
|
|
|
|
|
|
|
|
|
A connection is established to the bastion host:
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
+-------+ +--------------+
|
|
|
|
|
| you | ---ssh---> | bastion host |
|
|
|
|
|
+-------+ +--------------+
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
Bastion host establish a connction to the target server:
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
+--------------+ +--------+
|
|
|
|
|
| bastion host | -------> | server |
|
|
|
|
|
+--------------+ +--------+
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
Your client then connects through the Bastion and reaches the target
|
|
|
|
|
server:
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
+-----+ +--------------+ +--------+
|
|
|
|
|
| you | | bastion host | | server |
|
|
|
|
|
| | ===ssh=over=bastion============================> | |
|
|
|
|
|
+-----+ +--------------+ +--------+
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
== PuTTY SSH configuration
|
|
|
|
|
|
|
|
|
|
You can configure Putty the same way by doing this:
|
|
|
|
|
|
|
|
|
|
[arabic, start=0]
|
2021-09-10 15:06:06 +02:00
|
|
|
. In the session section type _batcave01.fedoraproject.org_ port 22
|
2021-07-26 10:39:47 +02:00
|
|
|
. In Connection:Data enter your FAS_USERNAME
|
|
|
|
|
. In Connection:Proxy add the proxy settings
|
|
|
|
|
|
|
|
|
|
____
|
|
|
|
|
* ProxyHostname is bastion-iad01.fedoraproject.org
|
|
|
|
|
* Port 22
|
|
|
|
|
* Username FAS_USERNAME
|
2021-09-10 15:06:06 +02:00
|
|
|
* Proxy Command `plink %user@%proxyhost %host:%port`
|
2021-07-26 10:39:47 +02:00
|
|
|
____
|
|
|
|
|
|
|
|
|
|
[arabic, start=3]
|
|
|
|
|
. In Connection:SSH:Auth remember to insert the same key file for
|
|
|
|
|
authentication you have used on FAS profile
|
|
|
|
|
|
|
|
|
|
== SSH Agent forwarding
|
|
|
|
|
|
|
|
|
|
You should normally have:
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
ForwardAgent no
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
For Fedora hosts (this is the default in OpenSSH). You can override this
|
|
|
|
|
on a per-session basis by using '-A' with ssh. SSH agents could be
|
|
|
|
|
misused if you connect to a compromised host with forwarding on (the
|
|
|
|
|
attacker can use your agent to authenticate them to anything you have
|
|
|
|
|
access to as long as you are logged in). Additionally, if you do need
|
|
|
|
|
SSH agent forwarding (say for copying files between machines), you
|
|
|
|
|
should remember to logout as soon as you are done to not leave your
|
|
|
|
|
agent exposed.
|
|
|
|
|
|
|
|
|
|
== Troubleshooting
|
|
|
|
|
|
|
|
|
|
* 'channel 0: open failed: administratively prohibited: open failed'
|
|
|
|
|
+
|
|
|
|
|
____
|
|
|
|
|
If you receive this message for a machine proxied through bastion, then
|
|
|
|
|
bastion was unable to connect to the host. This most likely means that
|
|
|
|
|
tried to SSH to a nonexistent machine. You can debug this by trying to
|
|
|
|
|
connect to that machine from bastion.
|
|
|
|
|
____
|
2021-09-10 15:06:06 +02:00
|
|
|
* if your local username is different from the one registered in FAS,
|
|
|
|
|
please remember to set up a User variable (like above) where you
|
|
|
|
|
specify your FAS username. If that's missing SSH will try to login by
|
|
|
|
|
using your local username, thus it will fail.
|
|
|
|
|
* `ssh -vv` is very handy for debugging what sections are matching and
|
|
|
|
|
what are not.
|
|
|
|
|
* If you get access denied several times in a row, please consult with
|
|
|
|
|
#fedora-admin. If you try too many times with an invalid config your
|
|
|
|
|
IP could be added to denyhosts.
|
|
|
|
|
* If you are running an OpenSSH version less than 5.4, then the -W
|
|
|
|
|
option is not available. In that case, use the following ProxyCommand
|
|
|
|
|
line instead:
|
2021-07-26 10:39:47 +02:00
|
|
|
+
|
|
|
|
|
....
|
|
|
|
|
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
|
|
|
|
|
....
|
