Page MenuHomePhabricator
Paste P281

Wikimedia ssh client configuration via ProxyCommand
ActivePublic

Authored by hashar on Feb 11 2015, 4:04 PM.
Tags
None
Subscribers
Tokens
"Haypence" token, awarded by hashar.
# Content of hashar ~/.ssh/config
# Default key:
IdentityFile ~/.ssh/general_key.pub
# Production realms
Host *.wikimedia.org *.wmnet
# Key dedicated to Wikimedia production
IdentityFile ~/.ssh/wmf_id_rsa.pub
IdentitiesOnly yes
StrictHostKeyChecking yes
# I fetch the list of known hosts from tin. In my bashrc:
#
# function update-ssh-known-hosts () {
# echo "Updating ssh known hosts from tin.eqiad.wmnet"
# scp tin.eqiad.wmnet:/etc/ssh/ssh_known_hosts ~/.ssh/known_hosts-wmf
# }
UserKnownHostsFile ~/.ssh/known_hosts-wmf
# My laptop user is something else
User hashar
# For wmf labs
Host *.wmflabs.org
# Key dedicated to wmflabs
IdentityFile ~/.ssh/labs_id_rsa.pub
IdentitiesOnly yes
# My laptop user is something else
User hashar
Host *.wmflabs
# My laptop user is something else
User hashar
# Create a fake host in ssh
Host bastion.eqiad.wmflabs
# Real hostname
Hostname bastion2.wmflabs.org
ProxyCommand none
# Create fake local alias for ssh, let me use: ssh deployment-bastion.eqiad.wmflabs
# the hostname will be recognized by the labs bastion
Host *.eqiad.wmflabs
# Magic command, connect to the labs bastion and forward to whatever host I have asked
ProxyCommand ssh -a -W %h:%p bastion.eqiad.wmflabs
# Similar configuration for production hosts.
# gallium has a public IP but needs to be accessed via a bastion
#
# I can do:
# ssh mw1001.eqiad.wmnet
# ssh on my laptop will connect to bast1001 and from there ask to connect to mw1001.eqiad.wmnet
# which is known to the DNS server there.
Host *.eqiad.wmnet people.wikimedia.org gallium.wikimedia.org
# EQIAD bastion
ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org

Event Timeline

hashar edited the content of this paste. (Show Details)Feb 11 2015, 4:04 PM
hashar changed the title of this paste from untitled to ssh configuration.
hashar updated the paste's language from autodetect to autodetect.
hashar changed the edit policy from "All Users" to "hashar (Antoine "hashar" Musso (WMF))".
hashar edited the content of this paste. (Show Details)Feb 11 2015, 4:07 PM
hashar changed the title of this paste from ssh configuration to Wikimedia ssh client configuration via ProxyCommand.Mar 2 2015, 9:31 AM