7. SSH Proxying

The only VM we directly expose SSH access to is sandbox. If you want to access our other machines through that, you have two options:

  1. SSH in, then type in ssh … yourself
  2. Get SSH to do it for you

The latter works the same way underneath - everything is still routed through sandbox - but ssh sets up the hops for you. With ProxyJump, ssh first logs in to sandbox, asks it to open a plain TCP connection to the target, and then runs a second, complete SSH session to the target over that connection. Sandbox only relays bytes: the inner session is encrypted and authenticated end to end, so sandbox never sees the password or key you use for the machine behind it. This is also why ProxyJump is preferable to forwarding your SSH agent to sandbox.

On your local machine, find your home directory (/home/<username> or ~ on Linux and macOS, C:\Users\<Username>\ on Windows). Create a folder named .ssh inside it, and a plain-text file named config (with no extension) inside that. On Linux and macOS the folder must be readable only by you and the file must not be writable by anyone else (chmod 700 ~/.ssh and chmod 600 ~/.ssh/config); otherwise ssh refuses to read it and complains "Bad owner or permissions on ~/.ssh/config".

Start off by defining the jump host. Give it a short alias (tardis) as well as its real name, so that both ssh tardis and ssh tardisproject.uk work and later entries can refer to it by the alias:

Host tardis tardisproject.uk
    HostName tardisproject.uk
    User <TARDIS USERNAME>

Then, we can start adding the hosts behind it. Each entry names the alias you will type, the real (internal) hostname, and the jump host to go through. For instance:

Host office.tardisproject.uk
    User <TARDIS USERNAME>
    HostName office.internal.tardisproject.uk
    ProxyJump tardis

Now, instead of typing:

$ ssh username@tardisproject.uk
<password>
username@sandbox:~$ ssh office.internal.tardisproject.uk
...

You just need to type ssh office.tardisproject.uk. Until you set up a key (see Passwordless SSH below) you will still be asked for your password twice, once by sandbox and once by office, because the proxied session authenticates to office directly from your machine.

Passwordless SSH

If you get tired of entering your password so many times, you can create an SSH key and authenticate yourself with that.

If you don't already have one (you might, if you use GitLab or GitHub), run ssh-keygen and follow the prompts; ssh-keygen -t ed25519 gives you a modern, compact key. Please set a passphrase: it protects the private key file if your laptop or its backups are ever stolen, and with an SSH agent running (the default on most desktops) you are only asked for it once per session, so you'll be typing it far less often than your password.

You can now copy the public key up with ssh-copy-id tardisproject.uk. You'll need to enter your password one last time, and from then on your key will be used to authenticate you instead. Only the public half (the .pub file) is copied, into ~/.ssh/authorized_keys on sandbox; the private key never leaves your machine.

This does have a drawback. When you log in with your password, a system called Kerberos gives you a ticket that securely tells our other hosts it has already checked your password, so if you hop onward from sandbox yourself (option 1 above) you only enter it once per session. A proxied session has no such ticket, and SSH keys aren't currently synced between all of our hosts, so you'll also need to run ssh-copy-id <hostname> for each host you proxy to. ssh-copy-id reads the same config file, so ssh-copy-id office.tardisproject.uk goes through sandbox and installs your key on office.

Admin Stuff

Our core service VMs (the ones running Nix) all have one admin SSH key which you can use to log in as root; it's stored in Bitwarden. Please avoid adding any other keys.

Assuming you have this key at ~/.ssh/tardis_rsa, the following config entries will let you ssh into any of the Nix hosts by their FQDNs. If you have several keys loaded in your agent, consider adding IdentitiesOnly yes to these entries so that ssh offers only tardis_rsa instead of trying every key first; servers limit the number of authentication attempts per connection.

# The jump host, logged in as your own user (not root).
Host tardis
    User <TARDIS USERNAME>
    HostName tardisproject.uk

# Core-service VMs: root, via sandbox, using the shared admin key.
Host enclave.tardisproject.uk
    User root
    HostName enclave.internal.tardisproject.uk
    ProxyJump tardis
    IdentityFile ~/.ssh/tardis_rsa

Host web.tardisproject.uk
    User root
    HostName web.internal.tardisproject.uk
    ProxyJump tardis
    IdentityFile ~/.ssh/tardis_rsa

Host monitoring.tardisproject.uk
    User root
    HostName monitoring.internal.tardisproject.uk
    ProxyJump tardis
    IdentityFile ~/.ssh/tardis_rsa

Host nixbuild.tardisproject.uk
    User root
    HostName nixbuild.internal.tardisproject.uk
    ProxyJump tardis
    IdentityFile ~/.ssh/tardis_rsa
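
As an added example (not the wiki's own config), here is one ~/.ssh/config that covers both the ordinary-user setup from the first part of this page and the admin setup above in fewer entries, using ssh's host patterns and the %h token instead of one entry per host. The short aliases (office, enclave, web, monitoring, nixbuild), the user key path ~/.ssh/id_ed25519 and the IdentitiesOnly and ForwardAgent lines are assumptions made for the example; the hostnames and ~/.ssh/tardis_rsa are the ones this page uses.

```sshconfig
# Added example ~/.ssh/config (not the wiki's own): one file for both the
# ordinary-user and admin cases on this page. The short aliases, the user key
# ~/.ssh/id_ed25519 and the IdentitiesOnly/ForwardAgent lines are assumptions.

# The jump host (sandbox). "tardis" is the short alias ProxyJump refers to;
# listing the FQDN as well keeps "ssh tardisproject.uk" working.
Host tardis tardisproject.uk
    HostName tardisproject.uk
    User <TARDIS USERNAME>
    IdentityFile ~/.ssh/id_ed25519
    # Offer only this key, not every key your agent holds (servers cap the
    # number of authentication attempts per connection).
    IdentitiesOnly yes
    # ProxyJump only relays TCP through sandbox, so the agent is never needed
    # there; leaving forwarding off keeps your keys usable only from your machine.
    ForwardAgent no

# Admin access to the Nix core-service VMs as root with the shared admin key.
# %h expands to the name you typed, so "ssh enclave" connects to
# enclave.internal.tardisproject.uk; add hosts by extending the Host line.
Host enclave web monitoring nixbuild
    HostName %h.internal.tardisproject.uk
    User root
    ProxyJump tardis
    IdentityFile ~/.ssh/tardis_rsa
    IdentitiesOnly yes

# Ordinary-user access, same trick: "ssh office" goes to
# office.internal.tardisproject.uk through sandbox as your own user.
Host office
    HostName %h.internal.tardisproject.uk
    User <TARDIS USERNAME>
    ProxyJump tardis
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Catch-all so the full internal name also works, e.g.
# "ssh office.internal.tardisproject.uk". ssh takes the first value it finds
# for each option, so this wildcard entry goes after the specific ones.
Host *.internal.tardisproject.uk
    User <TARDIS USERNAME>
    ProxyJump tardis
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
```

To see what ssh will actually do for an alias without connecting, run ssh -G enclave: it prints the resolved options, so check the hostname, user, proxyjump and identityfile lines. ssh -v enclave then shows the jump through tardis happening. Because ssh keeps the first value it finds for each option, always put specific entries above wildcard ones.
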
howto/ssh_proxy.txt · Last modified: 2023/07/29 11:13 by tcmal