diff --git a/modules/sysadmin_guide/pages/sshaccess.adoc b/modules/sysadmin_guide/pages/sshaccess.adoc index 9a5a7a1..c151808 100644 --- a/modules/sysadmin_guide/pages/sshaccess.adoc +++ b/modules/sysadmin_guide/pages/sshaccess.adoc @@ -42,6 +42,8 @@ process once you do have valid and appropriate shell access to a machine. 1. Generate a ssh keypair on your local machine if you don't already have one. run: 'ssh-keygen -t ed25519' Make sure you enter a strong passphrase you can remember or have stored in a password manager. +If you are only going to connect to RHEL9+ and Fedora machines, you can also use +a ecdsa_sk key with a FIDO2 hardware device. 2. Setup your local client ssh config + @@ -67,7 +69,7 @@ Host bastion.fedoraproject.org ForwardAgent no VerifyHostKeyDNS yes Host *.iad2.fedoraproject.org *.qa.fedoraproject.org 10.3.160.* 10.3.161.* 10.3.163.* 10.3.165.* 10.3.167.* 10.3.171.* *.vpn.fedoraproject.org - ProxyCommand ssh -W %h:%p bastion.fedoraproject.org + ProxyJump bastion.fedoraproject.org Host batcave01 HostName %h.iad2.fedoraproject.org .... @@ -163,12 +165,13 @@ line instead: ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p .... -== How does ssh ProxyCommand work? +== How does ssh ProxyJump work? -ProxyCommand configures OpenSSH to use your fas username to access -bastion.fedoraproject.org directly, and then in turn to use -bastion.fedoraproject.org as a proxy to all the other listed -hosts. +The ProxyJump command creates a normal ssh connection using your +fas username to connect to bastion.fedoraproject.org. Then, it forwards +a port over this connection from your client directly to the remote +host. This second connection is a fully encrypted ssh connection, +meaning the bastion host cannot see anything going over it. A connection is established to the bastion host: 
@@ -178,14 +181,6 @@ A connection is established to the bastion host: +-------+ +--------------+ .... -Your client runs the proxy command on the bastion server to connect to the target: - -.... -+--------------+ +--------+ -| bastion host | -------> | server | -+--------------+ +--------+ -.... - Your client then connects through the Bastion and reaches the target server: ....
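Review bot: in the two added lines of the @@ -42 hunk the key type is misnamed and the article is wrong: ssh-keygen spells the type `ecdsa-sk` (with a hyphen, not an underscore), and "a ecdsa_sk key" should read "an ecdsa-sk key". Since the preceding line gives a concrete command (`run: 'ssh-keygen -t ed25519'`), suggest following that style, e.g. `run: 'ssh-keygen -t ecdsa-sk'`, and mentioning that `ed25519-sk` is the FIDO2 counterpart of the ed25519 key already recommended. A short reason for the RHEL9+ and Fedora restriction (the sshd on the target must support the sk key types) would tell readers what to check on any other host.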
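Review bot: the @@ -67 hunk replaces `ProxyCommand ssh -W %h:%p bastion.fedoraproject.org` with `ProxyJump bastion.fedoraproject.org` but nothing in the surrounding text states the client requirement; ProxyJump exists only in OpenSSH 7.3 and newer, and older clients reject the file with a bad configuration option error. Suggest a sentence next to the config block giving the minimum version and pointing at the `ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p` line that still appears later in the file (context of the @@ -163 hunk) as the fallback for older clients. It is also worth saying that ProxyJump runs ssh to the jump host internally, so the `ForwardAgent no` and `VerifyHostKeyDNS yes` settings in the `Host bastion.fedoraproject.org` block shown in the context still govern the first hop.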
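Review bot: the replacement paragraph in the @@ -163 hunk calls ProxyJump a "command" and says it "forwards a port", which misdescribes the mechanism: ProxyJump is a client configuration option, and what it does is tunnel the second ssh connection's standard input and output through the bastion to the target's ssh port (the same thing the old `ssh -W` form did), not open a listening port. Suggest wording such as "The ProxyJump option makes ssh first open a normal connection to bastion.fedoraproject.org with your fas username, then tunnel a second, separately encrypted ssh connection through it to the remote host." The last sentence also needs narrowing: the bastion cannot read the contents of the inner connection, but it still sees which host and port you connect to and how much traffic flows, so "cannot see anything going over it" overstates the guarantee.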
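Review bot: removing the middle diagram in the @@ -178 hunk is consistent with ProxyJump, since the client no longer runs a command on the bastion, but that diagram is still an accurate picture of the `ProxyCommand ... exec nc %h %p` fallback retained earlier in the file. If that fallback stays documented, consider noting in its paragraph that it works by executing nc on the bastion, so the explanation is not lost along with the drawing. The remaining sentence "Your client then connects through the Bastion and reaches the target server" reads correctly after the removal.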