---
title: SSH client config for WMF
author: Lars Wirzenius
bindings: ssh-config.yaml
functions: ssh-config.py
...

# Introduction

I need to access certain servers for my work at WMF using SSH. For this to work, I need an SSH client config that uses the right SSH keys and routes access via a "bastion" server. This document has acceptance criteria for my config.

My configuration is based on the one [on wikitech](https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_SSH_config):

~~~
# Configure the initial connection to the bastion host, with the one
# HostName closest to you
Host bast
    User your_username_here
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes

# Proxy all connections to internal servers through the bastion host
Host *.wmnet
    User your_username_here
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
~~~

# Acceptance criteria for WMF

For my work I need to access production servers. Most of them don't allow direct SSH access and I need to go through a bastion server. There are also two keys: a "lab" key and a "production" key. The SSH config ensures the right key is used.

## Bastion access

This scenario ensures I can access the bastion host directly.

~~~scenario
when I run ssh bast hostname
then the output matches /^bast\d+$/
~~~

## Deployment server access

This scenario ensures I can access the deployment host for running the train.

~~~scenario
when I run ssh deploy1001.eqiad.wmnet hostname
then the output matches /^deploy\d+$/
~~~

## Continuous integration server access

This scenario ensures I can access the server running CI.

~~~scenario
when I run ssh contint1001.wikimedia.org hostname
then the output matches /^contint1001$/
when I run ssh contint2001.wikimedia.org hostname
then the output matches /^contint2001$/
~~~

## Gerrit access

For Gerrit, we need more than just a simple ssh command. We need git.
~~~scenario
when I run git clone ssh://gerrit.wikimedia.org/sandbox
then the directory sandbox exists
~~~

# Acceptance criteria for personal use

## Localhost access

I use Ansible to configure my laptop and it works over ssh to localhost.

~~~scenario
when I run ssh localhost hostname
then the output matches /^exolobe\d$/
~~~

## git.liw.fi access

git.liw.fi runs Gitano, which has a handy whoami command.

~~~scenario
when I run ssh git@git.liw.fi whoami
then the output matches /User name:/
~~~

## gitlab.com access

I have a personal gitlab.com account. I have a subplot repository there.

NOTE: This scenario only checks that I can clone from there over ssh, not that I do it with my personal ssh key.

~~~scenario
when I run git clone ssh://git@gitlab.com/larswirzenius/subplot.git
then the directory subplot exists
~~~

## Backup server access

I have two backup servers. Check access to both.

~~~scenario
when I run ssh holywood2 hostname
then the output matches /^holywood2$/
when I run ssh pergamum hostname
then the output matches /^pergamum$/
~~~
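The scenarios above only prove that a login works, not that it went the way the WMF criteria require (through the bastion, with the production key only, without agent forwarding). As an added example, not part of this document or its ssh-config.py functions, here is a Python check that resolves the config the way ssh does (first matching value per keyword wins) and audits those properties for a given host; the parser, the audit function and the sample config with the page's placeholder username and key path are my own constructions.

```python
import fnmatch
# Constructed sample (not real credentials): this document's wikitech-based config.
SAMPLE_CONFIG = """
Host bast
    User your_username_here
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
Host *.wmnet
    User your_username_here
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
"""

def effective_options(config_text, host):
    """Options ssh would apply to `host`, following ssh_config rules: Host takes
    space-separated globs (leading '!' negates) and the FIRST value per keyword wins."""
    opts = {}
    active = True  # lines before any Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key = key.lower()
        if key == "host":
            pats = value.split()
            hit = lambda p: fnmatch.fnmatchcase(host, p)
            active = (any(hit(p) for p in pats if not p.startswith("!"))
                      and not any(hit(p[1:]) for p in pats if p.startswith("!")))
        elif active:
            opts.setdefault(key, value)  # later blocks cannot override an earlier value
    return opts

def audit_production_host(config_text, host, production_key):
    """Findings for one production host; an empty list means the config is as required."""
    o = effective_options(config_text, host)
    findings = []
    if host != "bast" and "bast" not in o.get("proxycommand", "").split():
        findings.append("not routed through the bastion host")
    if o.get("identityfile") != production_key:
        findings.append("wrong key: %s" % o.get("identityfile"))
    if o.get("identitiesonly", "").lower() != "yes":
        findings.append("IdentitiesOnly is not yes (agent may offer every key)")
    if o.get("forwardagent", "no").lower() != "no":
        findings.append("ForwardAgent is enabled")
    return findings
```

Running the audit over every host named in the scenarios (for example `audit_production_host(SAMPLE_CONFIG, "deploy1001.eqiad.wmnet", "~/.ssh/your_production_ssh_key")`) complements the hostname checks: a silently wrong key or a forwarded agent would pass those but fail here.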