path: root/ssh-config.md
blob: 0cdb0d875857d9fbfe107256b85df6f57e673cd1 (plain)
---
title: SSH client config for WMF
author: Lars Wirzenius
bindings: ssh-config.yaml
functions: ssh-config.py
...

# Introduction

I need to access certain servers for my work at WMF using SSH. For
this to work, I need an SSH client config that uses the right SSH keys
and routes access via a "bastion" server. This document has acceptance
criteria for my config.

My configuration is based on the one [on
wikitech](https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_SSH_config):

~~~
# Configure the initial connection to the bastion host, with the one HostName closest to you
Host bast
    User your_username_here
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes

# Proxy all connections to internal servers through the bastion host
Host *.wmnet
    User your_username_here
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
~~~

# Acceptance criteria for WMF

For my work I need to access production servers. Most of them don't
allow direct SSH access and I need to go through a bastion server.

There are also two keys: a "lab" key and a "production" key. The SSH
config ensures the right key is used.
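One way to check that routing without opening a connection is to resolve the options ssh would apply to a host name under the ssh_config rule that the first obtained value wins (IdentityFile being the exception, since several can accumulate). The example below is added here and is not code from this document or the wikitech page; it uses a constructed config with placeholder key paths, assumes a separate `*.wmflabs` block for the lab key, and does not handle `Match` or `Include` directives.

```python
import fnmatch
import re

# Constructed sample modelled on the config above: key paths are placeholders,
# and the *.wmflabs block for the lab key is an assumption, not from the page.
SAMPLE_CONFIG = """\
Host bast
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/production_key
    ForwardAgent no
    IdentitiesOnly yes
Host *.wmnet
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/production_key
    ForwardAgent no
    IdentitiesOnly yes
Host *.wmflabs
    IdentityFile ~/.ssh/lab_key
    IdentitiesOnly yes
"""

def host_matches(patterns, host):
    """Matched against the name typed on the command line, not HostName; '!' excludes."""
    return (not any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!"))
            and any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!")))

def effective_options(host, text):
    """First obtained value wins (ssh_config(5)); IdentityFile accumulates instead."""
    effective, active = {}, True  # lines before the first Host apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # OpenSSH only honours whole-line comments
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue  # malformed line; real ssh would reject the whole file
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif not active:
            continue
        elif key == "identityfile":
            effective.setdefault(key, []).append(value)
        elif key not in effective:
            effective[key] = value
    return effective

def uses_only(host, text, key_path):
    """True if ssh would offer exactly key_path to host and no other key."""
    opts = effective_options(host, text)
    return opts.get("identityfile") == [key_path] and opts.get("identitiesonly") == "yes"
```

A stray global `IdentityFile` above the first `Host` line is the usual way the lab key ends up being offered to production hosts as well, which `uses_only` reports as a failure.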

## Bastion access

This scenario ensures I can access the bastion host directly.

~~~scenario
when I run ssh bast hostname
then the output matches /^bast\d+$/
~~~

## Deployment server access
 
This scenario ensures I can access the deployment host for running the
train.

~~~scenario
when I run ssh deploy1001.eqiad.wmnet hostname
then the output matches /^deploy\d+$/
~~~

## Continuous integration server access
 
This scenario ensures I can access the server running CI.

~~~scenario
when I run ssh contint1001.wikimedia.org hostname
then the output matches /^contint1001$/
when I run ssh contint2001.wikimedia.org hostname
then the output matches /^contint2001$/
~~~

## Beta access for scap releasing
 
This scenario ensures I can test scap on the beta cluster while
releasing Scap.

~~~scenario
when I run ssh deployment-deploy01.deployment-prep.eqiad.wmflabs hostname
then the output matches /^deployment-deploy01/
when I run ssh deployment-cumin02.deployment-prep.eqiad.wmflabs hostname
then the output matches /^deployment-cumin02/
~~~

## Gerrit access

For Gerrit, we need more than just a simple ssh command. We need git.

~~~scenario
when I run git clone ssh://gerrit.wikimedia.org/sandbox
then the directory sandbox exists
~~~

# Acceptance criteria for personal use

## Localhost access

I use Ansible to configure my laptop and it works over ssh to
localhost.

~~~scenario
when I run ssh localhost hostname
then the output matches /^exolobe\d$/
~~~

## git.liw.fi access

git.liw.fi runs Gitano, which has a handy whoami command.

~~~scenario
when I run ssh git@git.liw.fi whoami
then the output matches /User name:/
~~~

## gitlab.com access

I have a personal gitlab.com account. I have a subplot repository
there.

NOTE: This scenario only checks that I can clone from there over ssh,
not that it does so with my personal ssh key.

~~~scenario
when I run git clone ssh://git@gitlab.com/larswirzenius/subplot.git
then the directory subplot exists
~~~

## Backup server access

I have two remote backup servers.

~~~scenario
when I run ssh nalanda.liw.fi hostname
then the output matches /^nalanda$/

when I run ssh pergamum.geah.org hostname
then the output matches /^pergamum$/
~~~

## Accessing my home systems from the outside

I have a home router that's always on and can act as a jump host for
machines on my home network. This scenario checks that I can access them.
It should be run while not on my home network.

~~~scenario
when I run ssh ext-valkama hostname
then the output matches /^valkama$/
~~~