author Lars Wirzenius <lwirzenius@wikimedia.org> 2020-03-06 16:21:29 +0200
committer Lars Wirzenius <lwirzenius@wikimedia.org> 2020-03-06 16:21:29 +0200
commit d4acd873b02e7f0a2d2695309a3b2790fe12984e
tree 697e23d0adcdb234c61f36d6c3d054565e6bdb49 /ssh-config.md
Add: first version
Diffstat (limited to 'ssh-config.md')
-rw-r--r-- ssh-config.md 61
1 files changed, 61 insertions, 0 deletions
diff --git a/ssh-config.md b/ssh-config.md
new file mode 100644
index 0000000..96dc320
--- /dev/null
+++ b/ssh-config.md
@@ -0,0 +1,61 @@
+---
+title: SSH client config for WMF
+author: Lars Wirzenius
+bindings: ssh-config.yaml
+functions: ssh-config.py
+...
+
+# Introduction
+
+I need to access certain servers for my work at WMF using SSH. For
+this to work, I need an SSH client config that uses the right SSH keys
+and routes access via a "bastion" server. This document has acceptance
+criteria for my config.
+
+My configuation is based on the one [on
+wikitech](https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_SSH_config):
+
+~~~
+# Configure the initial connection to the bastion host, with the one HostName closest to you
+Host bast
+ User your_username_here
+ HostName bast1002.wikimedia.org
+ IdentityFile ~/.ssh/your_production_ssh_key
+ ForwardAgent no
+ IdentitiesOnly yes
+
+# Proxy all connections to internal servers through the bastion host
+Host *.wmnet
+ User your_username_here
+ ProxyCommand ssh -W %h:%p bast
+ IdentityFile ~/.ssh/your_production_ssh_key
+ ForwardAgent no
+ IdentitiesOnly yes
+~~~
+
+# Acceptance criteria
+
+For my work I need to access production servers. Most of them don't
+allow direct SSH access and I need to go through a bastion server.
+
+There are also two keys: a "lab" key and a "production" key. The SSH
+config ensures the right key is used.
+
+## Bastion access
+
+This scenario ensures I can access the bastion host directly.
+
+~~~scenario
+when I run ssh bast hostname
+then the output matches /^bast\d+$/
+~~~
+
+## Deployment server access
+
+This scenario ensures I can access the deployment host for running the
+train.
+
+~~~scenario
+when I run ssh deploy1001.eqiad.wmnet hostname
+then the output matches /^deploy\d+$/
+~~~
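Review bot: The two scenarios under "Bastion access" and "Deployment server access" only assert that `ssh ... hostname` prints a matching host name, so the criteria stated under "Acceptance criteria" (the right key is used, and internal servers are reached via the bastion) are not actually verified. A working agent with several keys loaded, or a direct route to `deploy1001.eqiad.wmnet`, would pass both scenarios even if `IdentityFile`, `IdentitiesOnly yes` or `ProxyCommand ssh -W %h:%p bast` were missing from the config. Consider adding a scenario that inspects the effective client configuration, for example by running `ssh -G deploy1001.eqiad.wmnet` and matching the `proxycommand`, `identityfile`, `identitiesonly` and `forwardagent` lines, and a similar one for `bast`. The text also mentions a "lab" key, but neither the quoted config nor any scenario covers it; either add a scenario showing the lab key is not offered to production hosts or drop the mention until it is covered. Minor: "configuation" in the Introduction should be "configuration".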