---
title: SSH client config for WMF
author: Lars Wirzenius
bindings: ssh-config.yaml
functions: ssh-config.py
...

# Introduction

I need to access certain servers for my work at WMF using SSH. For this to work, I need an SSH client config that uses the right SSH keys and routes access via a "bastion" server. This document has acceptance criteria for my config.

My configuration is based on the one [on wikitech](https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_SSH_config):

~~~
# Configure the initial connection to the bastion host, with the one HostName closest to you
Host bast
    User your_username_here
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes

# Proxy all connections to internal servers through the bastion host
Host *.wmnet
    User your_username_here
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
~~~

# Acceptance criteria for WMF

For my work I need to access production servers. Most of them don't allow direct SSH access and I need to go through a bastion server. There are also two keys: a "lab" key and a "production" key. The SSH config ensures the right key is used.

## Bastion access

This scenario ensures I can access the bastion host directly.

~~~scenario
when I run ssh bast hostname
then the output matches /^bast\d+$/
~~~

## Deployment server access

This scenario ensures I can access the deployment host for running the train.

~~~scenario
when I run ssh deploy1001.eqiad.wmnet hostname
then the output matches /^deploy\d+$/
~~~

## Continuous integration server access

This scenario ensures I can access the server running CI.

~~~scenario
when I run ssh contint1001.wikimedia.org hostname
then the output matches /^contint1001$/
when I run ssh contint2001.wikimedia.org hostname
then the output matches /^contint2001$/
~~~

## Beta access for scap releasing

This scenario ensures I can test scap on the beta cluster while releasing Scap.

~~~scenario
when I run ssh deployment-deploy01.deployment-prep.eqiad.wmflabs hostname
then the output matches /^deployment-deploy01/
when I run ssh deployment-cumin02.deployment-prep.eqiad.wmflabs hostname
then the output matches /^deployment-cumin02/
~~~

## Gerrit access

For Gerrit, we need more than just a simple ssh command. We need git.

~~~scenario
when I run git clone ssh://gerrit.wikimedia.org/sandbox
then the directory sandbox exists
~~~

# Acceptance criteria for personal use

## Localhost access

I use Ansible to configure my laptop and it works over ssh to localhost.

~~~scenario
when I run ssh localhost hostname
then the output matches /^exolobe\d$/
~~~

## git.liw.fi access

git.liw.fi runs Gitano, which has a handy whoami command.

~~~scenario
when I run ssh git@git.liw.fi whoami
then the output matches /User name:/
~~~

## gitlab.com access

I have a personal gitlab.com account. I have a subplot repository there.

NOTE: This scenario only checks that I can clone from there over ssh, not that I do it with my personal ssh key.

~~~scenario
when I run git clone ssh://git@gitlab.com/larswirzenius/subplot.git
then the directory subplot exists
~~~

## Backup server access

I have two remote backup servers.

~~~scenario
when I run ssh nalanda.liw.fi hostname
then the output matches /^nalanda$/
when I run ssh pergamum.geah.org hostname
then the output matches /^pergamum$/
~~~

## Accessing my home systems from the outside

I have a home router that's always on and can act as a jump host for machines on my home network. This scenario checks I can access them. This should be run while not on my home network.

~~~scenario
when I run ssh ext-valkama hostname
then the output matches /^valkama$/
~~~
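The scenarios above only prove that a connection works; they do not show *why* the bastion config in the Introduction behaves as it does, nor that `ForwardAgent no` and `IdentitiesOnly yes` actually take effect. The following is an added example, not part of this document, of `ssh-config.py`, or of the wikitech page: a small resolver for the two ssh_config rules that decide what the client does (a block applies when its `Host` patterns match the name typed on the command line, and for each option the first value found wins), plus an audit of the options that matter for key hygiene. It assumes the `Key Value` spelling of options, uses `fnmatch` as a stand-in for OpenSSH's `*`/`?` patterns, and uses constructed placeholder values (`example_user`, `~/.ssh/example_production_key`) in place of the real ones.

```python
"""Resolve and audit the options OpenSSH would apply to a host.

Added example, not part of the subplot document or of ssh-config.py.
Assumes the `Key Value` spelling of ssh_config options; fnmatch stands in
for OpenSSH's own `*` and `?` pattern matching.
"""
import fnmatch

# Constructed sample: the two blocks from the Introduction with a placeholder
# user name and key path.
SAMPLE_CONFIG = """\
# Configure the initial connection to the bastion host
Host bast
    User example_user
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/example_production_key
    ForwardAgent no
    IdentitiesOnly yes

# Proxy all connections to internal servers through the bastion host
Host *.wmnet
    User example_user
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/example_production_key
    ForwardAgent no
    IdentitiesOnly yes
"""

# Constructed counter-example: a catch-all block placed *before* the hardened
# blocks silently wins, because ssh keeps the first value it sees per option.
LEAKY_CONFIG = "Host *\n    ForwardAgent yes\n\n" + SAMPLE_CONFIG


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order.

    Options before any Host line apply to every host ('*').  Option names
    are lower-cased because ssh_config keywords are case-insensitive.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole lines are comments
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if options:                         # flush the block collected so far
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)      # first occurrence wins, even within a block
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(patterns, name):
    """Host semantics: some positive pattern must match and no '!' pattern may."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(name, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(name, pat):
            matched = True
    return matched


def effective_options(blocks, name):
    """Options ssh would use for `ssh name`: walk blocks in order, keep the first value."""
    result = {}
    for patterns, options in blocks:
        if host_matches(patterns, name):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def check_hardening(text, name, via_bastion):
    """Return a list of findings; an empty list means the host is set up as intended."""
    opts = effective_options(parse_ssh_config(text), name)
    findings = []
    if opts.get("forwardagent", "no").lower() != "no":
        findings.append("ForwardAgent should be no")
    if opts.get("identitiesonly", "no").lower() != "yes":
        findings.append("IdentitiesOnly should be yes")
    if "identityfile" not in opts:
        findings.append("no IdentityFile pinned, so the wrong key may be offered")
    if via_bastion and not ("proxycommand" in opts or "proxyjump" in opts):
        findings.append("host would be reached directly instead of through the bastion")
    return findings


if __name__ == "__main__":
    for host, via in (("bast", False), ("deploy1001.eqiad.wmnet", True)):
        print(host, check_hardening(SAMPLE_CONFIG, host, via) or "ok")
    print("leaky:", check_hardening(LEAKY_CONFIG, "deploy1001.eqiad.wmnet", True))
```

The `LEAKY_CONFIG` case is the point worth remembering when editing `~/.ssh/config`: a `Host *` block with `ForwardAgent yes` placed above the WMF blocks re-enables agent forwarding to the bastion and every `*.wmnet` host, while the same block appended at the end changes nothing, because the hardened blocks already set the option.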