Fundraising/techops/docs/frack ssh access

From Wikitech

To access fundraising machines, you will need an ssh key, a specialized ssh config file, and a yubikey.

Access Request

Before any access can be granted, an access request needs to be opened in phabricator with a fundraising-tech-ops tag on it. You can follow the procedure on the Fundraising Access Requests page.

This access request should include any specific hosts required and what type of access is needed (ie: ssh access, database access, civi access).

Yubikey Activation

Once you have a yubikey, we need to collect the public side of it in order to authorize it in our systems.

You can obtain the ID by opening a text editor and then repeatedly pressing the button on the yubikey. You will notice there are 12 characters at the beginning of the output that don't change. Those 12 characters are the public side of the key that you will need to provide.

Once you have the public side, you can paste it into your access request ticket or ask fr-tech-ops how they would like you to provide it.


Generating your SSH key

First, you'll have to generate a new SSH keypair -- do not reuse an existing key which has been used anywhere else. GitHub has a good help page (note that you can switch between Mac, Windows, and Linux documentation right under the title).

To generate an EdDSA key, do the following commands

  1. Open Terminal
  2. Paste the text below substituting your Wikimedia email address
    ssh-keygen -t ed25519 -C ""
  3. When you're prompted to "Enter a file in which to save the key," type /Users/your_username/.ssh/fr_id_ed25519 and press Enter. Please make sure to substitute "your_username" with the username on your local machine. This will specify a fundraising specific key name.
    > Enter a file in which to save the key (/Users/your_username/.ssh/id_ed25519): /Users/your_username/.ssh/fr_id_ed25519
  4. At the prompt, type a secure passphrase.
    > Enter passphrase (empty for no passphrase): [Type a passphrase]
    > Enter same passphrase again: [Type passphrase again]

Once your new SSH key is set up, you will need to provide the contents of that file to fundraising-tech-ops so they can get it where it needs to go. You can get the contents by using the following command in a Terminal window:

cat ~/.ssh/

SSH Config file

Make a new config file in your ssh directory (this command will have no output):

touch ~/.ssh/config

Open the file in your preferred text editor:

 open -a TextEdit ~/.ssh/config

Then update the file with a base ssh config. The canonical place for fundraising ssh config files is the Fundraising ssh client config page. Here is an example config that could be used but it is best to reference that page for the latest updates.

Make sure you update "user_name" with the username on the remote fundraising servers (get the most updated server list from team)

IdentitiesOnly yes
AddressFamily inet

Host *
    UseRoaming no

## Fundraising

    User user_name
    HostKeyAlias frbast
    IdentityFile ~/.ssh/fr_id_ed25519

Host frdev*
    User user_name
    IdentityFile ~/.ssh/fr_id_ed25519
    ProxyCommand /usr/bin/ssh -q -W %h:%p

SSH Fingerprints

SSH fingerprints of host keys for WMF Fundraising Servers are below. These can be used to validate the authenticity of keys offered by hosts when attempting to connect for the first time or if the key has changed.
RSA     SHA256:ZocD0H0heNPFn/1HS1mh5KW6P2sNiUliFf7bxqBBkt8
DSA     SHA256:XCE7R8u8BqmBCDaZ9cxb1+EXKXydD5nrxfsyrgM6huE
ED25519 SHA256:+sEUb5c4ndyqMDDd2Prd4DDVbj/JIR6AxPH/gzfV5ZM

ECDSA   SHA256:52ZtCF87j+J9guzrVJemyhZ/2jTfPZgzQFc0F3Ov7WM
ED25519 SHA256:wm8Qz7xHCxKp+L4RLtu+GHD/XACtDx8Tpt5IjbFLS1k
RSA     SHA256://TTEhT1M4gcwYd9CrEKPhXzad3l+eYSKwSVVeFNI+c

RSA     SHA256:HQMIvf4lxL9YUBm80XeiP4V5VDccIxmT0R5T6AAG1KM
ECDSA   SHA256:1K3jEYCUAOmZb5t4jk03ogsvC9w8zu3ZHO1NdGgUcOY
ED25519 SHA256:+T7FgbWZ2tbSYTq83c8r3BY4AmXKMp+jKomwgS1JfXo

RSA     SHA256:/5JAZKa8n1RltOfA21lernQgqt/HQEwcsXaCqV/JyVI 
ECDSA   SHA256:b0YjQmzEcNJhqi6q1DRrVCGidEOVQb55pZQUsgUMcU0 
ED25519 SHA256:hs7WjyJBtMIEs4kWLvHtV2kMW6QYPmz7lvdP1pcBFhw 

RSA     SHA256:Cd8OLErPRTKPz6hhL+f6XOlojr9eSn2BYawlYLzKx64
ED25519 SHA256:L428bVjr7jpBHhZDIV/91XO/ZEpSKKZktrGl03lDU3o

RSA     SHA256:2R7T4WBdQgDAeojCtfXma90tSumwp4r8FRSBMolAId4
ECDSA   SHA256:cPewmUxvyqR7gbMya/lAN7O/59uCJHNgKSbjcR9G4gQ
ED25519 SHA256:mG0/FZ3xzVdrvk9LnV8LrmjFQyD4Du4WmFVz6fjAiMk