From d5a4761208a9f3c625a25426e5f6173be650b90a Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Mar 31 2023 18:10:59 +0000 Subject: modernize sshaccess Signed-off-by: Kevin Fenzi --- diff --git a/modules/sysadmin_guide/pages/sshaccess.adoc b/modules/sysadmin_guide/pages/sshaccess.adoc index fb5747e..070dc46 100644 --- a/modules/sysadmin_guide/pages/sshaccess.adoc +++ b/modules/sysadmin_guide/pages/sshaccess.adoc @@ -16,7 +16,7 @@ Owner:: Contact:: #fedora-admin or admin@fedoraproject.org Location:: - IAD2 + All Servers:: All IAD2 and VPN Fedora machines Purpose:: 
@@ -24,69 +24,68 @@ Purpose:: == Introduction -This page will contain some useful instructions about how you can safely -login into Fedora IAD2 machines successfully using a public key -authentication. As of 2011-05-27, all machines require a SSH key to -access. Password authentication will no longer work. Note that this SOP -has nothing to do with actually gaining access to specific machines. For -that you MUST be in the correct group for shell access to that machine. -This SOP simply describes the process once you do have valid and -appropriate shell access to a machine. +This SOP contains information on how to setup access to +fedoraproject.org servers via ssh from your client machines. + +All access requires ssh (secure shell), using keys. +See +https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/infrastructure-services/OpenSSH/ +for more detailed information on OpenSSH. + +Note that this SOP has nothing to do with actually gaining access +to specific machines. For that you MUST be in the correct group +for shell access to that machine. This SOP simply describes the +process once you do have valid and appropriate shell access to a machine. == SSH configuration -First of all: (on your local machine): +1. Generate a ssh keypair on your local machine if you don't already have one. +run: 'ssh-keygen -t ed25519' +Make sure you enter a strong passphrase you can remember or have stored in a password manager. + +2. Setup your local client ssh config .... vi ~/.ssh/config .... +(Or use any text editor you are comfortable with) + [NOTE] ==== -This file, and any keys, need to be chmod 600, or you will get a "Bad +This file, and any keys, need to be mode 600, or you will get a "Bad owner or permissions" error. The .ssh directory must be mode 700. ==== -then, add the following: +then, add the following contents to that text file: .... 
Host bastion.fedoraproject.org - HostName bastion-iad01.fedoraproject.org + HostName bastion.fedoraproject.org User FAS_USERNAME (all lowercase) ProxyCommand none ForwardAgent no Host *.iad2.fedoraproject.org *.qa.fedoraproject.org 10.3.160.* 10.3.161.* 10.3.163.* 10.3.165.* 10.3.167.* *.vpn.fedoraproject.org batcave01 - User FAS_USERNAME (all lowercase) ProxyCommand ssh -W %h:%p bastion.fedoraproject.org .... -How ProxyCommand works? +Note that there are 2 bastion servers: bastion01.fedoraproject.org +and bastion02.fedoraproject.org. The 'bastion.fedoraproject.org' name +should match whichever one is primary at any time. If for some reason +you get connection refused or unreachable messages from it, you can manually +change the above to specifically point to bastion01 or bastion02. +Normally this should not be needed. -A connection is established to the bastion host: +3. Setup the fedora infrastructure ssh hostkey certificate authority: -.... -+-------+ +--------------+ -| you | ---ssh---> | bastion host | -+-------+ +--------------+ -.... +download https://admin.fedoraproject.org/ssh_known_hosts +and add it to (or create if it does not yet exist) a +~/.ssh/known_hosts file. -Bastion host establish a connction to the target server: - -.... -+--------------+ +--------+ -| bastion host | -------> | server | -+--------------+ +--------+ -.... - -Your client then connects through the Bastion and reaches the target -server: - -.... -+-----+ +--------------+ +--------+ -| you | | bastion host | | server | -| | ===ssh=over=bastion============================> | | -+-----+ +--------------+ +--------+ -.... +This tells OpenSSH to trust any host keys that are signed with +the fedora infrastructure ssh certificate authority. This allows +you to know when you login to a machine that it's not been +replaced or tampered with. == PuTTY SSH configuration 
@@ -108,6 +107,16 @@ ____ . In Connection:SSH:Auth remember to insert the same key file for authentication you have used on FAS profile +== Using OpenSSH + +You can use openssh from any terminal to access machines you are granted access to: + +'ssh batcave01.iad2.fedoraproject.org' + +It's important to use the fully qualified domain name of the host you are trying +to access so that the certificate matches correctly. Otherwise you may get a +notice that the ssh host key is unknown. + == SSH Agent forwarding You should normally have: @@ -142,8 +151,7 @@ using your local username, thus it will fail. * `ssh -vv` is very handy for debugging what sections are matching and what are not. * If you get access denied several times in a row, please consult with -#fedora-admin. If you try too many times with an invalid config your -IP could be added to denyhosts. +#fedora-admin. * If you are running an OpenSSH version less than 5.4, then the -W option is not available. In that case, use the following ProxyCommand line instead: @@ -151,3 +159,35 @@ line instead: .... ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p .... + +== How does ssh ProxyCommand work? + +ProxyCommand configures OpenSSH to use your fas username to access +bastion.fedoraproject.org directly, and then in turn to use +bastion.fedoraproject.org as a proxy to all the other listed +hosts. + +A connection is established to the bastion host: + +.... ++-------+ +--------------+ +| you | ---ssh---> | bastion host | ++-------+ +--------------+ +.... + +Your client runs the proxy command on the bastion server to connect to the target: + +.... ++--------------+ +--------+ +| bastion host | -------> | server | ++--------------+ +--------+ +.... + +Your client then connects through the Bastion and reaches the target server: + +.... ++-----+ +--------------+ +--------+ +| you | | bastion host | | server | +| | ===ssh=over=bastion============================> | | ++-----+ +--------------+ +--------+ +....
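Review bot: `Location:: All` in the first hunk (`@@ -16,7 +16,7 @@`) reads as an unfinished value; the old line named a site (IAD2) and the new `Servers::` line already says "All IAD2 and VPN Fedora machines", so either spell the location out the same way (for example `All IAD2 and VPN sites`) or drop the `Location::` field rather than leaving a bare `All`.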
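Review bot: removing `User FAS_USERNAME (all lowercase)` from the `Host *.iad2.fedoraproject.org ...` block in the second hunk (`@@ -24,69 +24,68 @@`) looks like a regression: the `User` directive in the `Host bastion.fedoraproject.org` block only applies to the hop made by the ProxyCommand, so the final connection to the internal host is attempted with the local login name, which is exactly the failure the tips section describes ("using your local username, thus it will fail"). Keep the `User` line in both `Host` blocks, or state explicitly that omitting it is only safe when the local and FAS usernames are identical. Two smaller points in the same hunk: the `ssh-keygen -t ed25519` command in step 1 is quoted inline while every other command on the page sits in a `....` literal block, and step 3 tells the reader to download the CA file from https://admin.fedoraproject.org/ssh_known_hosts and append it to `~/.ssh/known_hosts` without saying how to check it; since whatever ends up in that file decides which host keys the client will trust, one sentence on verifying the downloaded CA key against a fingerprint published out of band (or on whom to ask in #fedora-admin) would make the trust anchor explicit.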
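Review bot: the example command in the new `== Using OpenSSH` section (third hunk, `@@ -108,6 +107,16 @@`), `'ssh batcave01.iad2.fedoraproject.org'`, is wrapped in single quotes that AsciiDoc will render literally; put it in a `....` literal block like the other commands on the page. The reason given for using the fully qualified name could also be one notch more precise: the `Host *.iad2.fedoraproject.org ...` block only matches the full name, so a short name both misses the ProxyCommand and is checked against a host certificate whose principals name the FQDN, which is why the reader sees an "unknown host key" notice.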
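Review bot: with the denyhosts sentence removed in the fourth hunk (`@@ -142,8 +151,7 @@`), the remaining tip about OpenSSH versions "less than 5.4" lacking `-W` is the one clearly dated statement left in this section; since the commit is titled "modernize sshaccess", consider dropping that fallback (and its `exec nc %h %p` ProxyCommand, which also depends on `nc` being installed on the bastion) or noting that it applies only to very old clients.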
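Review bot: the opening paragraph of the new `== How does ssh ProxyCommand work?` section (last hunk, `@@ -151,3 +159,35 @@`) misattributes the username handling: `ProxyCommand` does not "use your fas username"; the `User FAS_USERNAME` directive in the `Host bastion.fedoraproject.org` block does that, and `ProxyCommand` only tells ssh to run `ssh -W %h:%p bastion.fedoraproject.org` (which picks up that block) instead of opening a TCP connection itself. The caption on the second diagram, "Your client runs the proxy command on the bastion server", is also backwards: the proxy command runs on your client, and its `-W %h:%p` asks the bastion to forward the session's stdin and stdout to the target host and port. Under the last diagram it would be worth adding that the inner ssh session is still authenticated and encrypted end to end between you and the server; the bastion only relays the already-encrypted bytes, and the host key certificate check set up in step 3 is what lets you confirm that the machine answering at the far end is the one you intended.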