It seems that folks have trouble with gaining SSH access and would appreciate improved documentation. Some notes taken that show examples of this trouble:
Notes from Zareen, found at https://wikitech.wikimedia.org/wiki/Production_shell_access#Other_tips:
(Note from Dan: this seems quite painful, we should see if there are any unnecessary steps).
- Follow Request Access steps: https://wikitech.wikimedia.org/wiki/Production_shell_access#Requesting_access
- Sample ticket: https://phabricator.wikimedia.org/T149211
- Access groups: https://wikitech.wikimedia.org/wiki/Analytics/Data_access#Production_access
- To create SSH keys follow steps 1 and 2: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
- Give WMF the public key
- Once the ticket has been resolved, create a config file under ~/.ssh on your laptop (if it doesn’t exist already)
- Copy and paste this into config file (edit User and IdentityFile - only provide path to private key, don’t actually paste private key) and save
    Host bast1001.wikimedia.org
        # Direct connection for the bastion host
        ProxyCommand none
        ControlMaster auto

    Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
        User your_username_here
        # Everything else goes via bastion acting as a proxy
        ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org
        # Do not offer other identities loaded in ssh-agent
        IdentitiesOnly yes
        IdentityFile ~/.ssh/your_production_ssh_key
- https://wikitech.wikimedia.org/wiki/Production_shell_access#SSH_configuration
- Type ssh bast1001.wikimedia.org into the terminal
- You will be prompted to enter your ssh password (if there is one)
- Now you are in the bastion server, but still need to connect to the access groups
- Exit bastion
- Go back to the config file on your laptop, copy and paste the following (edit User and IdentityFile) and save (this may be different for different access groups, for example stat1002.eqiad.wmnet needs the Host *.eqiad.wmnet configurations but another access group may require different host configurations):
    ## Internal Zones
    Host *.wmnet
        User your_username_here
        IdentitiesOnly yes
        IdentityFile ~/.ssh/your_production_ssh_key
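
To see which options each host ends up with once both fragments from the notes are in one file, here is a small resolver, added as an example and not part of the notes or the wikitech page. It is a simplified model of OpenSSH's Host matching (no Match or Include, and it keeps only the first IdentityFile); the function names and sample hostnames beyond those in the notes are assumptions.

```python
import fnmatch

# Constructed copy of the two fragments from the notes (placeholders kept as-is).
CONFIG = """\
Host bast1001.wikimedia.org
    ProxyCommand none
    ControlMaster auto
Host *.wikimedia.org *.wmnet !gerrit.wikimedia.org !git-ssh.wikimedia.org
    User your_username_here
    ProxyCommand ssh -a -W %h:%p bast1001.wikimedia.org
    IdentitiesOnly yes
    IdentityFile ~/.ssh/your_production_ssh_key
Host *.wmnet
    User your_username_here
    IdentitiesOnly yes
    IdentityFile ~/.ssh/your_production_ssh_key
"""

def host_matches(patterns, host):
    """True if a positive pattern matches and no negated (!) pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False  # a negated match vetoes the whole Host line
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def resolve(config_text, host):
    """Effective options for host; the first value seen for a keyword wins."""
    effective, active = {}, True  # lines before any Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            active = host_matches(value.split(), host)
        elif active:
            effective.setdefault(keyword, value)
    return effective

if __name__ == "__main__":
    for h in ("bast1001.wikimedia.org", "stat1002.eqiad.wmnet", "gerrit.wikimedia.org"):
        print(h, resolve(CONFIG, h))
```

On a machine with the real config in place, `ssh -G stat1002.eqiad.wmnet` prints the options OpenSSH itself resolves for that host without connecting.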