SSH Access Infrastructure SOP
#fedora-admin or firstname.lastname@example.org
All IAD2 and VPN Fedora machines
Access via ssh to Fedora project machines.
This SOP contains information on how to setup access to fedoraproject.org servers via ssh from your client machines.
All access requires ssh (secure shell), using keys. See https://docs.fedoraproject.org/en-US/fedora/latest/system-administrators-guide/infrastructure-services/OpenSSH/ for more detailed information on OpenSSH.
Note that this SOP has nothing to do with actually gaining access to specific machines. For that you MUST be in the correct group for shell access to that machine. This SOP simply describes the process once you do have valid and appropriate shell access to a machine.
Generate a ssh keypair on your local machine if you don’t already have one. run: 'ssh-keygen -t ed25519' Make sure you enter a strong passphrase you can remember or have stored in a password manager.
Setup your local client ssh config
(Or use any text editor you are comfortable with)
This file, and any keys, need to be mode 600, or you will get a "Bad owner or permissions" error. The .ssh directory must be mode 700.
then, add the following contents to that text file:
Host bastion.fedoraproject.org HostName bastion.fedoraproject.org User FAS_USERNAME (all lowercase) ProxyCommand none ForwardAgent no Host *.iad2.fedoraproject.org *.qa.fedoraproject.org 10.3.160.* 10.3.161.* 10.3.163.* 10.3.165.* 10.3.167.* 10.3.171.* *.vpn.fedoraproject.org ProxyCommand ssh -W %h:%p bastion.fedoraproject.org Host batcave01 HostName %h.iad2.fedoraproject.org
Note that there are 2 bastion servers: bastion01.fedoraproject.org and bastion02.fedoraproject.org. The 'bastion.fedoraproject.org' name should match whichever one is primary at any time. If for some reason you get connection refused or unreachable messages from it, you can manually change the above to specifically point to bastion01 or bastion02. Normally this should not be needed.
Setup the fedora infrastructure ssh hostkey certificate authority:
Download https://admin.fedoraproject.org/ssh_known_hosts and add it to (or create if it does not yet exist) a ~/.ssh/known_hosts file.
This tells OpenSSH to trust any host keys that are signed with the fedora infrastructure ssh certificate authority. This allows you to know when you login to a machine that it’s not been replaced or tampered with.
You can configure Putty the same way by doing this:
In the session section type batcave01.fedoraproject.org port 22
In Connection:Data enter your FAS_USERNAME
In Connection:Proxy add the proxy settings
ProxyHostname is bastion-iad01.fedoraproject.org
plink %user@%proxyhost %host:%port
In Connection:SSH:Auth remember to insert the same key file for authentication you have used on FAS profile
You can use openssh from any terminal to access machines you are granted access to:
It’s important to use the fully qualified domain name of the host you are trying to access so that the certificate matches correctly. Otherwise you may get a notice that the ssh host key is unknown.
You should normally have:
For Fedora hosts (this is the default in OpenSSH). You can override this on a per-session basis by using '-A' with ssh. SSH agents could be misused if you connect to a compromised host with forwarding on (the attacker can use your agent to authenticate them to anything you have access to as long as you are logged in). Additionally, if you do need SSH agent forwarding (say for copying files between machines), you should remember to logout as soon as you are done to not leave your agent exposed.
'channel 0: open failed: administratively prohibited: open failed'
If you receive this message for a machine proxied through bastion, then bastion was unable to connect to the host. This most likely means that tried to SSH to a nonexistent machine. You can debug this by trying to connect to that machine from bastion.
if your local username is different from the one registered in FAS, please remember to set up a User variable (like above) where you specify your FAS username. If that’s missing SSH will try to login by using your local username, thus it will fail.
ssh -vvis very handy for debugging what sections are matching and what are not.
If you get access denied several times in a row, please consult with #fedora-admin.
If you are running an OpenSSH version less than 5.4, then the -W option is not available. In that case, use the following ProxyCommand line instead:
ProxyCommand ssh -q bastion.fedoraproject.org exec nc %h %p
ProxyCommand configures OpenSSH to use your fas username to access bastion.fedoraproject.org directly, and then in turn to use bastion.fedoraproject.org as a proxy to all the other listed hosts.
A connection is established to the bastion host:
+-------+ +--------------+ | you | ---ssh---> | bastion host | +-------+ +--------------+
Your client runs the proxy command on the bastion server to connect to the target:
+--------------+ +--------+ | bastion host | -------> | server | +--------------+ +--------+
Your client then connects through the Bastion and reaches the target server:
+-----+ +--------------+ +--------+ | you | | bastion host | | server | | | ===ssh=over=bastion============================> | | +-----+ +--------------+ +--------+
Want to help? Learn how to contribute to Fedora Docs ›