---
title: SSH client config for WMF
author: Lars Wirzenius
bindings: ssh-config.yaml
functions: ssh-config.py
...

# Introduction

I need to access certain servers for my work at WMF using SSH. For
this to work, I need an SSH client config that uses the right SSH keys
and routes access via a "bastion" server. This document has acceptance
criteria for my config.

My configuration is based on the one [on
wikitech](https://wikitech.wikimedia.org/wiki/Production_access#Setting_up_your_SSH_config):

~~~
# Configure the initial connection to the bastion host, with the one HostName closest to you
Host bast
    User your_username_here
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes

# Proxy all connections to internal servers through the bastion host
Host *.wmnet
    User your_username_here
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/your_production_ssh_key
    ForwardAgent no
    IdentitiesOnly yes
~~~

# Acceptance criteria

For my work I need to access production servers. Most of them don't
allow direct SSH access and I need to go through a bastion server.
There are also two keys: a "lab" key and a "production" key. The SSH
config ensures the right key is used.
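
A static check of the properties this config is meant to guarantee, as an added example that is not part of the original document or its `ssh-config.py`: a minimal resolver for `Host` stanzas (first value wins, `IdentityFile` accumulates) that names the options departing from the config shown earlier. It assumes plain `Keyword value` lines with no `Match` or `Include`, and requires each option to be set explicitly; `example_user`, `prod_key`, `lab_key` and all function names are placeholders.

```python
import fnmatch

# Constructed sample: the page's config with placeholder user and key names.
SAMPLE = """\
Host bast
    User example_user
    HostName bast1002.wikimedia.org
    IdentityFile ~/.ssh/prod_key
    ForwardAgent no
    IdentitiesOnly yes
Host *.wmnet
    User example_user
    ProxyCommand ssh -W %h:%p bast
    IdentityFile ~/.ssh/prod_key
    ForwardAgent no
    IdentitiesOnly yes
"""
# Constructed drift: a catch-all stanza placed first overrides the later ones.
DRIFTED = "Host *\n    ForwardAgent yes\n    IdentityFile ~/.ssh/lab_key\n" + SAMPLE

def host_matches(patterns, host):
    """Host line semantics: some positive glob matches and no negated one does."""
    neg = [p[1:] for p in patterns if p.startswith("!")]
    pos = [p for p in patterns if not p.startswith("!")]
    hit = lambda globs: any(fnmatch.fnmatchcase(host, g) for g in globs)
    return hit(pos) and not hit(neg)

def resolve(config_text, host):
    """Effective options for host: first value wins, IdentityFile accumulates."""
    options, active = {}, True  # lines before any Host apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_matches(value.split(), host)
        elif active and key == "identityfile":
            options.setdefault(key, []).append(value)
        elif active:
            options.setdefault(key, value)
    return options

def violations(config_text, host, key_path, via=None):
    """Names of options whose effective value departs from the page's config."""
    opts = resolve(config_text, host)
    want = {"identityfile": [key_path], "identitiesonly": "yes", "forwardagent": "no",
            "proxycommand": f"ssh -W %h:%p {via}" if via else None}
    return [k for k, v in want.items() if opts.get(k) != v]
```

Calling `violations(DRIFTED, "deploy1001.eqiad.wmnet", "~/.ssh/prod_key", via="bast")` shows how an earlier `Host *` stanza silently turns agent forwarding on and offers the lab key first, even though the `*.wmnet` stanza is unchanged.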

## Bastion access

This scenario ensures I can access the bastion host directly.

~~~scenario
when I run ssh bast hostname
then the output matches /^bast\d+$/
~~~

## Deployment server access

This scenario ensures I can access the deployment host for running the
train.

~~~scenario
when I run ssh deploy1001.eqiad.wmnet hostname
then the output matches /^deploy\d+$/
~~~