Added the infra SOPs ported to asciidoc.
This commit is contained in:
parent
8a7f111a12
commit
a0301e30f1
148 changed files with 18575 additions and 17 deletions
162
modules/sysadmin_guide/pages/sshaccess.adoc
Normal file
@ -0,0 +1,162 @@
= SSH Access Infrastructure SOP

== Contents

[arabic]
. Contact Information
. Introduction
. SSH configuration
. SSH Agent forwarding
. Troubleshooting

== Contact Information

Owner::
sysadmin-main
Contact::
#fedora-admin or admin@fedoraproject.org
Location::
IAD2
Servers::
All IAD2 and VPN Fedora machines
Purpose::
Access via ssh to Fedora project machines.

== Introduction

This page will contain some useful instructions about how you can safely
login into Fedora PHX2 machines successfully using a public key
authentication. As of 2011-05-27, all machines require a SSH key to
access. Password authentication will no longer work. Note that this SOP
has nothing to do with actually gaining access to specific machines. For
that you MUST be in the correct group for shell access to that machine.
This SOP simply describes the process once you do have valid and
appropriate shell access to a machine.

== SSH configuration

First of all: (on your local machine):

....
vi ~/.ssh/config
....

[NOTE]
.Note
====
This file, and any keys, need to be chmod 600, or you will get a "Bad
owner or permissions" error. The .ssh directory must be mode 700.
====

then, add the following:

....
Host bastion.fedoraproject.org
HostName bastion-iad01.fedoraproject.org
User FAS_USERNAME (all lowercase)
ProxyCommand none
ForwardAgent no
Host *.iad2.fedoraproject.org *.qa.fedoraproject.org 10.3.160.* 10.3.161.* 10.3.163.* 10.3.165.* 10.3.167.* *.vpn.fedoraproject.org batcave01
User FAS_USERNAME (all lowercase)
ProxyCommand ssh -W %h:%p bastion.fedoraproject.org
....

How ProxyCommand works?

A connection is established to the bastion host:

....
+-------+ +--------------+
| you | ---ssh---> | bastion host |
+-------+ +--------------+
....

Bastion host establish a connction to the target server:

....
+--------------+ +--------+
| bastion host | -------> | server |
+--------------+ +--------+
....

Your client then connects through the Bastion and reaches the target
server:

....
+-----+ +--------------+ +--------+
| you | | bastion host | | server |
| | ===ssh=over=bastion============================> | |
+-----+ +--------------+ +--------+
....

== PuTTY SSH configuration

You can configure Putty the same way by doing this:

[arabic, start=0]
. In the session section type batcave01.fedoraproject.org port 22
. In Connection:Data enter your FAS_USERNAME
. In Connection:Proxy add the proxy settings

____
* ProxyHostname is bastion-iad01.fedoraproject.org
* Port 22
* Username FAS_USERNAME
* Proxy Command plink %user@%proxyhost %host:%port
____

[arabic, start=3]
. In Connection:SSH:Auth remember to insert the same key file for
authentication you have used on FAS profile

== SSH Agent forwarding

You should normally have:

....
ForwardAgent no
....

For Fedora hosts (this is the default in OpenSSH). You can override this
on a per-session basis by using '-A' with ssh. SSH agents could be
misused if you connect to a compromised host with forwarding on (the
attacker can use your agent to authenticate them to anything you have
access to as long as you are logged in). Additionally, if you do need
SSH agent forwarding (say for copying files between machines), you
should remember to logout as soon as you are done to not leave your
agent exposed.

== Troubleshooting

* 'channel 0: open failed: administratively prohibited: open failed'
+
____
If you receive this message for a machine proxied through bastion, then
bastion was unable to connect to the host. This most likely means that
tried to SSH to a nonexistent machine. You can debug this by trying to
connect to that machine from bastion.
____
* {blank}
+
if your local username is different from the one registered in FAS,::
please remember to set up a User variable (like above) where you
specify your FAS username. If that's missing SSH will try to login by
using your local username, thus it will fail.
* {blank}
+
ssh -vv is very handy for debugging what sections are matching and::
what are not.
* {blank}
+
If you get access denied several times in a row, please consult with::
#fedora-admin. If you try too many times with an invalid config your
IP could be added to denyhosts.
* {blank}
+
If you are running an OpenSSH version less than 5.4, then the -W::
option is not available. In that case, use the following ProxyCommand
line instead:
+
....
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
....
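Review bot: the Introduction still describes logging into "Fedora PHX2 machines" (with a 2011-05-27 cut-over date), while the Contact Information block, the Host patterns and the bastion HostName in the same file all refer to IAD2 and bastion-iad01; the paragraph should be updated to IAD2 so the port does not ship a stale datacenter name. The manual Contents list also omits the "PuTTY SSH configuration" section that follows it (or replace the hand-written list with asciidoc's `:toc:`). Since the agent-forwarding section relies on "this is the default in OpenSSH", consider stating `ForwardAgent no` explicitly in the second Host block as well, so that an earlier, broader Host entry in a user's config cannot silently turn forwarding on for the proxied hosts the text warns about. Minor wording fixes for the same hunk: "How ProxyCommand works?" should read "How does ProxyCommand work?", "Bastion host establish a connction" should read "The bastion host establishes a connection", and "This most likely means that tried to SSH" is missing "you".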