diff --git a/infrastructure-guide/infrastructure_systems.md b/infrastructure-guide/infrastructure_systems.md
index 34ab31f4..e837b40c 100644
--- a/infrastructure-guide/infrastructure_systems.md
+++ b/infrastructure-guide/infrastructure_systems.md
@@ -47,14 +47,9 @@ __Enduser Systems__ * [Grant new person right for bob/sysdb](newbob) * [How to reinstall a machine](howtoreinstall) -## Tools - -* [SSH config](sshconf) - ## HTTPS Certificates * [HTTPS Certificates](https://linux.psi.ch/admin-guide/operations/certificates.html) - ## SSH Certificates / Signing Public User Keys Generate a ssh key e.g. as follows:
diff --git a/infrastructure-guide/sshconf.md b/infrastructure-guide/sshconf.md
deleted file mode 100644
index 3a70adf6..00000000
--- a/infrastructure-guide/sshconf.md
+++ /dev/null
@@ -1,124 +0,0 @@
-This config covers automatic ssh gateway selection and recursive porxy jumping as of April 2020 for all PSI networks I know about.
-
-**Operating principles**
-
-* The match directives select the gateway to use. As the config is used for contacting gateways as well, recursion is built in
-* The control directives make it so that a second connection to a host uses the active socket and does not require authentication. Especially useful for wmgt with the RSA login
-* Default username specified in case it differens from the AD user
-* Identity file specifies the CA signed key
-
-```{note}
-Following config works but makes the establishment of ssh connections SUPER slow !!!!
-```
-
-```
-## Network matches, exclusions at the beginning
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '^(129\.129\.194\.98|129\.129\.190\.25|129\.129\.146\.12[1357]|129\.129\.146\.119|129\.129\.146\.15[45]|129\.129\.146\.20)'| grep -qE '^(10\.129\.1[69]0\.|10\.33\.120\.|172\.24\.5\.|192\.33\.12[07]\.|192\.168\.[18]\.|192\.168\.13\.|192\.168\.71\.|192\.33\.126\.[34]|129\.129\.146\.|129\.129\.15[078]\.|129\.129\.160\.|129\.129\.18[89]\.|129\.129\.19[045]\.|129\.129\.230\.|129\.129\.24[01]\.|192\.33\.126\.|172\.24\.6|129\.129\.95\.)'"
-ProxyJump wmgt01
-
-Match exec "host %h | cut -d ' ' -f 4 |grep -vE '(172\.24\.6\.34)'| grep -qE '^(129\.129\.8[789]\.|172\.24\.6\.|172\.24\.52\.|172\.24\.42\.)'"
-ProxyJump cptgate01.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 |grep -qE '(172\.23\.9[89]\.)'"
-ProxyJump esi-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.20\.3\.)'"
-ProxyJump sls-gw.psi.ch
-## gw excluded from the wmgt01 batch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.21\.1[012]\.)'"
-ProxyJump fin-gw.psi.ch
-## gw excluded from the wmgt01 batch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.21\.70\.)'"
-ProxyJump trfcb-gw.psi.ch
-## gw excluded from the wmgt01 batch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.25\.11\.|172\.25\.60\.)'"
-ProxyJump proscan-gw.psi.ch
-## gw excluded from the wmgt01 batch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.19\.10\.|172\.22\.120\.)'"
-ProxyJump hipa-gw.psi.ch
-## gw excluded from the wmgt01 batch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(129\.129\.242\.)'"
-ProxyJump saresa-gw.psi.ch
-## gw excluded from the wmgt01 batch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(129\.129\.243\.)'"
-ProxyJump saresb-gw.psi.ch
-## gw excluded from the wmgt01 batch
-
-# jump host doesn't exist ???
-#Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(129\.129\.242\.)'"
-#ProxyJump sls-proscan.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -qE '^(172\.26\.[08]\.|172\.26\.16\.|172\.26\.24\.|172\.26\.32\.|172\.26\.40\.|172\.26\.110\.|172\.26\.120\.)'"
-ProxyJump sf-gw.psi.ch
-## gw excluded from the wmgt01 batch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.98\.12)' | grep -qE '^(129\.129\.98\.)'"
-ProxyJump x01dc-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.99\.12)' | grep -qE '^(129\.129\.99\.)'"
-ProxyJump x02da-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.101\.12)' | grep -qE '^(129\.129\.101\.)'"
-ProxyJump x03ma-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.102\.12)' | grep -qE '^(129\.129\.102\.)'"
-ProxyJump x03da-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.104\.12)' | grep -qE '^(129\.129\.104\.)'"
-ProxyJump x04sa-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.105\.12)' | grep -qE '^(129\.129\.105\.)'"
-ProxyJump x04db-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.106\.12)' | grep -qE '^(129\.129\.106\.)'"
-ProxyJump x05la-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.107\.12)' | grep -qE '^(129\.129\.107\.)'"
-ProxyJump x05da-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.109\.12)' | grep -qE '^(129\.129\.109\.)'"
-ProxyJump x06sa-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.110\.12)' | grep -qE '^(129\.129\.110\.)'"
-ProxyJump x06da-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.126\.12)' | grep -qE '^(129\.129\.126\.)'"
-ProxyJump x06mx-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.112\.12)' | grep -qE '^(129\.129\.112\.)'"
-ProxyJump x07ma-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.113\.12)' | grep -qE '^(129\.129\.113\.)'"
-ProxyJump x07da-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.116\.12)' | grep -qE '^(129\.129\.116\.)'"
-ProxyJump x09lb-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.117\.12)' | grep -qE '^(129\.129\.117\.)'"
-ProxyJump x09la-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.118\.12)' | grep -qE '^(129\.129\.118\.)'"
-ProxyJump x10sa-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.119\.12)' | grep -qE '^(129\.129\.119\.)'"
-ProxyJump x10da-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.121\.12)' | grep -qE '^(129\.129\.121\.)'"
-ProxyJump x11ma-gw.psi.ch
-
-Match exec "host %h | cut -d ' ' -f 4 | grep -vE '(129\.129\.122\.12)' | grep -qE '^(129\.129\.122\.)'"
-ProxyJump x12sa-gw.psi.ch
-
-Host *
-User klar_t
-IdentityFile ~/.ssh/id_rsa-cert.pub
-PubkeyAcceptedKeyTypes ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com,ssh-dss,ssh-dss-cert-v01@openssh.com
-ControlMaster auto
-ControlPath ~/.ssh/cm_socket/%r@%h:%p
-```
\ No newline at end of file