author | Lars Wirzenius <lwirzenius@wikimedia.org> | 2020-03-06 16:21:29 +0200 |
---|---|---|
committer | Lars Wirzenius <lwirzenius@wikimedia.org> | 2020-03-06 16:21:29 +0200 |
commit | d4acd873b02e7f0a2d2695309a3b2790fe12984e (patch) | |
tree | 697e23d0adcdb234c61f36d6c3d054565e6bdb49 /ssh-config.md | |
download | wmf-ssh-config-d4acd873b02e7f0a2d2695309a3b2790fe12984e.tar.gz |
Add: first version
Diffstat (limited to 'ssh-config.md')
-rw-r--r-- | ssh-config.md | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/ssh-config.md b/ssh-config.md new file mode 100644 index 0000000..96dc320 --- /dev/null +++ b/ssh-config.md @@ -0,0 +1,61 @@ +--- +title: SSH client config for WMF +author: Lars Wirzenius +bindings: ssh-config.yaml +functions: ssh-config.py +... + +# Introduction + +I need to access certain servers for my work at WMF using SSH. For +this to work, I need an SSH client config that uses the right SSH keys +and routes access via a "bastion" server. This document has acceptance +criteria for my config. + +My configuation is based on the one [on +wikitech](https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_SSH_config): + +~~~ +# Configure the initial connection to the bastion host, with the one HostName closest to you +Host bast + User your_username_here + HostName bast1002.wikimedia.org + IdentityFile ~/.ssh/your_production_ssh_key + ForwardAgent no + IdentitiesOnly yes + +# Proxy all connections to internal servers through the bastion host +Host *.wmnet + User your_username_here + ProxyCommand ssh -W %h:%p bast + IdentityFile ~/.ssh/your_production_ssh_key + ForwardAgent no + IdentitiesOnly yes +~~~ + +# Acceptance criteria + +For my work I need to access production servers. Most of them don't +allow direct SSH access and I need to go through a bastion server. + +There are also two keys: a "lab" key and a "production" key. The SSH +config ensures the right key is used. + +## Bastion access + +This scenario ensures I can access the bastion host directly. + +~~~scenario +when I run ssh bast hostname +then the output matches /^bast\d+$/ +~~~ + +## Deployment server access + +This scenario ensures I can access the deployment host for running the +train. + +~~~scenario +when I run ssh deploy1001.eqiad.wmnet hostname +then the output matches /^deploy\d+$/ +~~~ |
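Review bot: The "Acceptance criteria" section says "The SSH config ensures the right key is used" and that most servers must be reached through a bastion, but neither scenario verifies either claim. Both only match the output of `hostname`, so they would still pass if the connection authenticated with the wrong key (for example one offered by a running agent) or reached deploy1001.eqiad.wmnet without going through `bast`. Consider adding a scenario that inspects the resolved client configuration, for instance running `ssh -G deploy1001.eqiad.wmnet` and matching the `identityfile`, `identitiesonly`, `forwardagent` and `proxycommand` lines, so that the key selection and the `ProxyCommand ssh -W %h:%p bast` routing shown in the Introduction are checked directly. Two smaller points: "configuation" in the Introduction should read "configuration", and the second scenario hardcodes `deploy1001.eqiad.wmnet` while its pattern `/^deploy\d+$/` accepts any deploy host, so a short sentence saying which host is intended and why would help whoever updates this when the host changes.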