From 9cecc4a4ae5da751c36653b181c95a2149f5fad8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20Kone=C4=8Dn=C3=BD?= Date: Fri, 10 Sep 2021 15:06:06 +0200 Subject: [PATCH] Review sshaccess SOP MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Michal Konečný --- modules/sysadmin_guide/nav.adoc | 2 +- modules/sysadmin_guide/pages/sshaccess.adoc | 49 +++++++++------------ 2 files changed, 21 insertions(+), 30 deletions(-) diff --git a/modules/sysadmin_guide/nav.adoc b/modules/sysadmin_guide/nav.adoc index 92d26d2..ce5efb2 100644 --- a/modules/sysadmin_guide/nav.adoc +++ b/modules/sysadmin_guide/nav.adoc @@ -100,7 +100,7 @@ ** xref:selinux.adoc[SELinux Infrastructure - SOP] ** xref:sigul-upgrade.adoc[Sigul servers upgrades/reboots - SOP] ** xref:simple_koji_ci.adoc[simple_koji_ci - SOP] -** xref:sshaccess.adoc[sshaccess - SOP in review ] +** xref:sshaccess.adoc[SSH Access Infrastructure - SOP] ** xref:sshknownhosts.adoc[sshknownhosts - SOP in review ] ** xref:staging.adoc[staging - SOP in review ] ** xref:status-fedora.adoc[status-fedora - SOP in review ] diff --git a/modules/sysadmin_guide/pages/sshaccess.adoc b/modules/sysadmin_guide/pages/sshaccess.adoc index 4c3d5d6..fb5747e 100644 --- a/modules/sysadmin_guide/pages/sshaccess.adoc +++ b/modules/sysadmin_guide/pages/sshaccess.adoc @@ -3,11 +3,11 @@ == Contents [arabic] -. Contact Information -. Introduction -. SSH configuration -. SSH Agent forwarding -. Troubleshooting +* <<_contact_information>> +* <<_introduction>> +* <<_ssh_configuration>> +* <<_ssh_agent_forwarding>> +* <<_troubleshooting>> == Contact Information 
@@ -25,7 +25,7 @@ Purpose:: == Introduction This page will contain some useful instructions about how you can safely -login into Fedora PHX2 machines successfully using a public key +login into Fedora IAD2 machines successfully using a public key authentication. As of 2011-05-27, all machines require a SSH key to access. Password authentication will no longer work. Note that this SOP has nothing to do with actually gaining access to specific machines. For @@ -42,7 +42,6 @@ vi ~/.ssh/config .... [NOTE] -.Note ==== This file, and any keys, need to be chmod 600, or you will get a "Bad owner or permissions" error. The .ssh directory must be mode 700. @@ -94,7 +93,7 @@ server: You can configure Putty the same way by doing this: [arabic, start=0] -. In the session section type batcave01.fedoraproject.org port 22 +. In the session section type _batcave01.fedoraproject.org_ port 22 . In Connection:Data enter your FAS_USERNAME . In Connection:Proxy add the proxy settings @@ -102,7 +101,7 @@ ____ * ProxyHostname is bastion-iad01.fedoraproject.org * Port 22 * Username FAS_USERNAME -* Proxy Command plink %user@%proxyhost %host:%port +* Proxy Command `plink %user@%proxyhost %host:%port` ____ [arabic, start=3] 
@@ -136,27 +135,19 @@ bastion was unable to connect to the host. This most likely means that tried to SSH to a nonexistent machine. You can debug this by trying to connect to that machine from bastion. ____ -* {blank} +* if your local username is different from the one registered in FAS, +please remember to set up a User variable (like above) where you +specify your FAS username. If that's missing SSH will try to login by +using your local username, thus it will fail. +* `ssh -vv` is very handy for debugging what sections are matching and +what are not. +* If you get access denied several times in a row, please consult with +#fedora-admin. If you try too many times with an invalid config your +IP could be added to denyhosts. +* If you are running an OpenSSH version less than 5.4, then the -W +option is not available. In that case, use the following ProxyCommand +line instead: + -if your local username is different from the one registered in FAS,:: - please remember to set up a User variable (like above) where you - specify your FAS username. If that's missing SSH will try to login by - using your local username, thus it will fail. -* {blank} -+ -ssh -vv is very handy for debugging what sections are matching and:: - what are not. -* {blank} -+ -If you get access denied several times in a row, please consult with:: - #fedora-admin. If you try too many times with an invalid config your - IP could be added to denyhosts. -* {blank} -+ -If you are running an OpenSSH version less than 5.4, then the -W:: - option is not available. In that case, use the following ProxyCommand - line instead: - + .... ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p ....
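Review bot: the nav.adoc hunk drops the "in review" marker from the sshaccess entry, which is effectively a status change for the SOP and should be called out in the commit message rather than only implied by the title. While touching this line it is worth normalizing the neighbouring entries too: "xref:sshknownhosts.adoc[sshknownhosts - SOP in review ]" and the staging/status-fedora lines keep a stray space before the closing bracket, and the new title "SSH Access Infrastructure - SOP" should match the document title inside sshaccess.adoc itself, which this diff does not show.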
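Review bot: in the Contents hunk of sshaccess.adoc the `[arabic]` block attribute on the unchanged context line above the new `*` list is left in place; it only applies to ordered lists, so once the entries become unordered cross-references it is a no-op and should be removed so it does not mislead the next editor. The `<<_contact_information>>` style targets rely on the auto-generated section ids derived from the visible headings (for example `== Contact Information`), so they break silently if a heading is reworded; if those headings are expected to change, give them explicit ids and reference those instead.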
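Review bot: the Introduction hunk correctly replaces PHX2 with IAD2, but the sentence it sits in still says "require a SSH key" (should be "an SSH key"), and the "As of 2011-05-27" qualifier is historical noise now that the page describes the current datacenter; suggest rewording the unchanged lines to "All machines require an SSH key; password authentication does not work." so the operative security statement is unconditional.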
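Review bot: dropping the explicit `.Note` title is fine because the `[NOTE]` admonition already renders its own label. The admonition body, kept as context here, could be made actionable while in the area: the "Bad owner or permissions" error is what OpenSSH raises when `~/.ssh/config` is group- or world-writable, and private keys that are readable by others are rejected separately, so a single line such as `chmod 700 ~/.ssh && chmod 600 ~/.ssh/config ~/.ssh/id_*` would save readers from guessing which file triggered the error.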
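Review bot: the PuTTY hunk only changes formatting, but it marks `plink %user@%proxyhost %host:%port` as code without checking it; as written, plink sends the literal string `%host:%port` as the remote command on the bastion, which only works if the bastion maps that command to a connection. PuTTY's documented local-proxy form is `plink -batch %user@%proxyhost -nc %host:%port` (`-nc` opens a tunnel to host:port instead of a shell, `-batch` suppresses interactive prompts). Please confirm which form Fedora's bastion actually expects before shipping it as code. Also, `[arabic, start=0]` on the context line makes the first step number 0, which looks like a leftover rather than intent.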
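Review bot: the Troubleshooting hunk fixes the broken `{blank}` definition lists, but the fallback `ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p` in the trailing context points at `bastion.fedoraproject.org` while the PuTTY section in the same file uses `bastion-iad01.fedoraproject.org`; pick one hostname or state that the short name is an alias, so readers do not end up configured against two different jump hosts. The OpenSSH-older-than-5.4 bullet is itself stale (5.4 shipped in 2010 and `-W` has been available since), and the `exec nc` fallback also requires netcat on the bastion, so consider dropping that bullet or reducing it to a one-line aside. Minor wording in the first bullet: "set up a User variable" should be "set a `User` option", since it is an ssh_config keyword, not a variable.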