This config covers automatic ssh gateway selection and recursive proxy jumping as of April 2020 for all PSI networks I know about.
Operating principles
- The match directives select the gateway to use. As the config is used for contacting gateways as well, recursion is built in
- The control directives make it so that a second connection to a host uses the active socket and does not require authentication. Especially useful for wmgt with the RSA login
- Default username specified in case it differs from the AD user
- Identity file specifies the CA signed key
Following config works but makes the establishment of ssh connections SUPER slow !!!!
## Network matches, exclusions at the beginning
# Each Match exec runs `host` on the target name (%h), takes the 4th
# space-separated field of the output, drops the addresses listed in the
# `grep -v` stage, and matches when what is left starts with one of the listed
# prefixes. Targets matched here are reached through wmgt01.
# ProxyJump hops are resolved with this same config, so every hop runs every
# Match exec pipeline (shell + DNS lookup) again; likely the cause of the slow
# connection setup mentioned above.
# NOTE(review): %h is substituted unquoted into a shell command line. A host
# name that comes from an untrusted source (a URL, a repository remote or
# submodule entry, a pasted command) and contains shell metacharacters would be
# interpreted by the shell. Consider quoting it ('%h') and confirm how the
# installed ssh client treats such names.
# NOTE(review): the jump decision depends on the DNS answer. A wrong or
# manipulated answer selects a different gateway or none at all, so host key
# checking must stay enabled for gateways and targets.
# NOTE(review): presumably a literal IP address as target is not matched,
# because `host` then prints a reverse lookup and field 4 is not an address;
# verify.
# NOTE(review): the exclusions have no trailing `$` (129\.129\.146\.20 also
# drops .200-.209) and `172\.24\.6` has no trailing `\.` (also matches
# 172.24.6x.*); confirm both are intended.
# NOTE(review): presumably wmgt01 itself resolves to one of the excluded
# addresses, otherwise the jump to it would recurse; verify.
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '^(129\.129\.194\.98|129\.129\.190\.25|129\.129\.146\.12[1357]|129\.129\.146\.119|129\.129\.146\.15[45]|129\.129\.146\.20)'| grep -qE '^(10\.129\.1[69]0\.|10\.33\.120\.|172\.24\.5\.|192\.33\.12[07]\.|192\.168\.[18]\.|192\.168\.13\.|192\.168\.71\.|192\.33\.126\.[34]|129\.129\.146\.|129\.129\.15[078]\.|129\.129\.160\.|129\.129\.18[89]\.|129\.129\.19[045]\.|129\.129\.230\.|129\.129\.24[01]\.|192\.33\.126\.|172\.24\.6|129\.129\.95\.)'"
ProxyJump wmgt01
# Facility gateways: each stanza maps one or more address prefixes to the
# gateway named in its ProxyJump line. Same pipeline as the wmgt01 stanza:
# resolve %h with `host`, take field 4, optionally drop excluded addresses,
# then test the prefix.
# NOTE(review): %h reaches the shell unquoted in every stanza below; the same
# quoting concern applies to each of them.
# NOTE(review): 172.24.6.* is also matched by the `172\.24\.6` alternative of
# the wmgt01 stanza. ssh keeps the first value it obtains for an option, so
# presumably wmgt01 wins for those hosts; confirm which gateway is intended.
# The patterns on the next line and on the esi-gw line have no leading `^`
# inside the group, so they match anywhere in the field.
Match exec "host %h | cut -d ' ' -f 4 |grep -vE '(172\.24\.6\.34)'| grep -qE '^(129\.129\.8[789]\.|172\.24\.6\.|172\.24\.52\.|172\.24\.42\.)'"
ProxyJump cptgate01.psi.ch
Match exec "host %h | cut -d ' ' -f 4 |grep -qE '(172\.23\.9[89]\.)'"
ProxyJump esi-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.20\.3\.)'"
ProxyJump sls-gw.psi.ch
## gw excluded from the wmgt01 batch
Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.21\.1[012]\.)'"
ProxyJump fin-gw.psi.ch
## gw excluded from the wmgt01 batch
Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.21\.70\.)'"
ProxyJump trfcb-gw.psi.ch
## gw excluded from the wmgt01 batch
Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.25\.11\.|172\.25\.60\.)'"
ProxyJump proscan-gw.psi.ch
## gw excluded from the wmgt01 batch
Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.19\.10\.|172\.22\.120\.)'"
ProxyJump hipa-gw.psi.ch
## gw excluded from the wmgt01 batch
Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(129\.129\.242\.)'"
ProxyJump saresa-gw.psi.ch
## gw excluded from the wmgt01 batch
Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(129\.129\.243\.)'"
ProxyJump saresb-gw.psi.ch
## gw excluded from the wmgt01 batch
# jump host doesn't exist ???
# Disabled stanza: it uses the same 129.129.242. prefix as the saresa-gw stanza
# above, so if re-enabled it would presumably never supply the ProxyJump.
#Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(129\.129\.242\.)'"
#ProxyJump sls-proscan.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.26\.[08]\.|172\.26\.16\.|172\.26\.24\.|172\.26\.32\.|172\.26\.40\.|172\.26\.110\.|172\.26\.120\.)'"
ProxyJump sf-gw.psi.ch
## gw excluded from the wmgt01 batch
# Per-network gateways x01dc .. x12sa: each stanza routes one 129.129.N.
# network through its own gateway after dropping addresses that contain
# 129.129.N.12 (presumably the gateway's own address, so that the jump to the
# gateway does not recurse; verify).
# NOTE(review): the exclusion pattern has no `^` or `$`, so it also drops
# 129.129.N.120-129. Those hosts get no ProxyJump from this group; append `$`
# if only .12 is meant.
# NOTE(review): %h reaches the shell unquoted in each stanza; see the quoting
# concern on untrusted host names.
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.98\.12)' | grep -qE '^(129\.129\.98\.)'"
ProxyJump x01dc-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.99\.12)' | grep -qE '^(129\.129\.99\.)'"
ProxyJump x02da-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.101\.12)' | grep -qE '^(129\.129\.101\.)'"
ProxyJump x03ma-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.102\.12)' | grep -qE '^(129\.129\.102\.)'"
ProxyJump x03da-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.104\.12)' | grep -qE '^(129\.129\.104\.)'"
ProxyJump x04sa-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.105\.12)' | grep -qE '^(129\.129\.105\.)'"
ProxyJump x04db-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.106\.12)' | grep -qE '^(129\.129\.106\.)'"
ProxyJump x05la-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.107\.12)' | grep -qE '^(129\.129\.107\.)'"
ProxyJump x05da-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.109\.12)' | grep -qE '^(129\.129\.109\.)'"
ProxyJump x06sa-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.110\.12)' | grep -qE '^(129\.129\.110\.)'"
ProxyJump x06da-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.126\.12)' | grep -qE '^(129\.129\.126\.)'"
ProxyJump x06mx-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.112\.12)' | grep -qE '^(129\.129\.112\.)'"
ProxyJump x07ma-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.113\.12)' | grep -qE '^(129\.129\.113\.)'"
ProxyJump x07da-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.116\.12)' | grep -qE '^(129\.129\.116\.)'"
ProxyJump x09lb-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.117\.12)' | grep -qE '^(129\.129\.117\.)'"
ProxyJump x09la-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.118\.12)' | grep -qE '^(129\.129\.118\.)'"
ProxyJump x10sa-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.119\.12)' | grep -qE '^(129\.129\.119\.)'"
ProxyJump x10da-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.121\.12)' | grep -qE '^(129\.129\.121\.)'"
ProxyJump x11ma-gw.psi.ch
Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.122\.12)' | grep -qE '^(129\.129\.122\.)'"
ProxyJump x12sa-gw.psi.ch
# Defaults for every connection, including the gateway hops selected above.
Host *
# Login name used when none is given on the command line.
User klar_t
# NOTE(review): this names the certificate's .pub file, not a private key.
# IdentityFile normally points at the private key (ssh then looks for
# <key>-cert.pub next to it), or the certificate is given with CertificateFile.
# Confirm this form works as intended, e.g. with the key held in an agent.
IdentityFile ~/.ssh/id_rsa-cert.pub
# Public-key algorithms offered for authentication.
# NOTE(review): the list ends with ssh-rsa (SHA-1 signatures) and ssh-dss (DSA)
# plus their certificate variants. Both are considered weak and current OpenSSH
# releases disable them by default. Keep them only if a legacy host needs them,
# preferably scoped to that host instead of Host *. Newer releases name this
# option PubkeyAcceptedAlgorithms.
PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com
# Connection sharing: later sessions to the same user@host:port reuse the
# first connection's socket and do not authenticate again.
# NOTE(review): any local process able to open the control socket can start
# sessions on the already authenticated connection. ~/.ssh/cm_socket should
# exist with mode 0700 and belong to the user; check this on shared machines.
ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p