diff --git a/_toc.yml b/_toc.yml index 52a59303..cb35b09f 100644 --- a/_toc.yml +++ b/_toc.yml @@ -154,8 +154,10 @@ chapters: - file: services-user-guide/ssh_gateways - file: services-user-guide/nx_nomachine - file: services-user-guide/gmgt + - file: services-user-guide/wmgt - file: services-admin-guide/index sections: + - file: services-admin-guide/wmgt - file: services-admin-guide/ssh_gateways - file: services-admin-guide/nx_nomachine diff --git a/services-admin-guide/wmgt.md b/services-admin-guide/wmgt.md new file mode 100644 index 00000000..3e05cda9 --- /dev/null +++ b/services-admin-guide/wmgt.md @@ -0,0 +1,20 @@ +# wmgt + +The wmgt service consists of 3 servers, wmgt01 / wmgt02 / wmgt03. +wmgt01/wmgt02 are hardware servers, wmgt03 is virtual. + +The locations of the hardware servers are: +wmgt01 - location datacenter west +wmgt02 - location datacenter __east__ + +Right now these systems are not Puppet managed! + +## User Management +User management is done via the AD group - svc-wmgt_users currently there is not automated approval workflow. Up to now Tobias Marx approved who is allowed to access wmgtXX except for users from ZPT. Those users are currently added without approval. + +We will change this workflow to a ServiceNow workflow. Tobias has to approve all users (without any exceptions) It would also be good if there would be a periodic review of the access list. + +# Responsibilities +Hardware responsibility is within the AIT Central Infrastructure group. This includes Hardware monitoring, replacement of broken hardware as well as information/planning for the hardware lifecycle. + +Operation of the service is within the responsiblity of Linux Core. diff --git a/services-user-guide/wmgt.md b/services-user-guide/wmgt.md new file mode 100644 index 00000000..4d6f3042 --- /dev/null +++ b/services-user-guide/wmgt.md 
@@ -0,0 +1,37 @@ +# wmgt + +The wmgt service provides SSH access to machines in various isolated networks. Access is protected by MFA. + +To use the service use the DNS alias __wmgt.psi.ch__. + +```bash +ssh @wmgt.psi.ch +``` + +To directly tunnel to a machine in a protected network to which wmgt gives access to you can use: + +```bash +ssh -J wmgt.psi.ch +``` + +If you need to connect through wmgt often, you can add following configuration to your `~/.ssh/config` file. This will give you a persistent connection to wmgt.psi.ch that can be (re)used for multiple connections. (this way you only have to authenticate once with MFA) + +``` +Host wmgt-jumpost + HostName wmgt.psi.ch + ControlMaster auto + ControlPath ~/.ssh/mux-%r@%h:%p + ControlPersist 8h +``` + +Afterwards you can use + +```bash +ssh -J wmgt-jumpost +``` + +to establish the connection. + +```{note} +Be aware, if you are switching networks this persistent connection might get screwed up. In that case you have to find the connection via `ps -ef` and kill it with the `kill` command. +```
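Review bot: In _toc.yml the two new entries are placed inconsistently: services-user-guide/wmgt is appended after gmgt at the end of the user-guide list, while services-admin-guide/wmgt is inserted ahead of ssh_gateways at the top of the admin-guide sections. Pick one ordering for both lists (append in both, or alphabetical in both) so the navigation of the two guides lines up.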
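Review bot: In services-admin-guide/wmgt.md, under "## User Management", the access-control statements need tightening: the text records that ZPT users are added to svc-wmgt_users without approval, and the periodic review of the access list appears only as "It would also be good if". Since membership in this group decides who gets SSH access through wmgt, state the review as a commitment with an owner and an interval, and name a role or a deputy as approver rather than a single person. Smaller points in the same file: "# Responsibilities" is a level-1 heading but reads as a sibling of "## User Management"; "there is not automated approval workflow" should be "no automated approval workflow"; "responsiblity" is misspelled; and the "not Puppet managed" line would be more useful if it said how the hosts are configured and patched instead.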
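Review bot: In services-user-guide/wmgt.md, the ControlMaster block with `ControlPersist 8h` needs a sentence on what it trades away: for eight hours after one MFA login, any process running under the user's account that can use the socket at `~/.ssh/mux-%r@%h:%p` can open further sessions through wmgt without a second factor. Suggest saying so next to "this way you only have to authenticate once with MFA", and replacing the `ps -ef` / `kill` advice in the note with `ssh -O exit wmgt-jumpost` (and `ssh -O check wmgt-jumpost` to see whether a master is still alive), which closes the master connection cleanly. Also, as the first two commands read here, `ssh @wmgt.psi.ch` has no user name and `ssh -J wmgt.psi.ch` has no destination host, so if angle-bracket placeholders were intended, please check that they survive rendering; and "wmgt-jumpost" looks like a typo for "wmgt-jumphost" in both the Host line and the later `ssh -J` command.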