Table of Contents
7. SSH Proxying
The only VM we directly expose SSH access to is sandbox. If you want to access our other machines through that, you have two options:
- SSH in, then type in
ssh …
yourself - Get SSH to do it for you
The latter works similarly - we are still routing everything through sandbox - we just don't need to type the command ourselves.
On your local machine, find your home directory (/home/<username>
or ~
on Linux, C:\Users\<Username>\
on Windows). Create a folder named .ssh
inside it, and a file named config
(with no extension) inside that.
Start off by setting the user to use for tardis:
Host tardisproject.uk User <TARDIS USERNAME>
Then, we can start adding new hosts. For instance:
Host office.tardisproject.uk User <TARDIS USERNAME> HostName office.internal.tardisproject.uk ProxyJump tardis
Now, instead of typing:
$ ssh username@tardisproject.uk <password> username@sandbox:~$ ssh office.internal.tardisproject.uk ...
You just need to type ssh office.tardisproject.uk
.
Passwordless SSH
If you get tired of entering your password so many times, you can create an SSH key and authenticate yourself with that.
If you don't think you have one (you might do if you use gitlab/github), type ssh-keygen
and follow the instructions. Please set a passphrase for it - this will only get asked once every session so you'll be entering it a lot less, and it improves security greatly.
You can now copy it up with ssh-copy-id tardisproject.uk
. You'll need to enter your password one last time, and from then on your ssh key will be used to authenticate you instead.
This does have a drawback - When you login with your password, a system called Kerberos securely tells other hosts that it's already checked your password, so if you're not using SSH tunnelling you only have to enter it once per session.
SSH keys aren't currently synced between all of our hosts, which means you'll have to use ssh-copy-id <hostname>
for wherever it is you're proxying to.
Admin Stuff
Our core service VMs (the ones running Nix) all have one admin SSH key which you can log in with root using - it's stored in Bitwarden. Please avoid adding any other keys.
Assuming you have this key at ~/.ssh/tardis_rsa
, the following section will let you ssh into any of the nix hosts, with their FQDNs.
Host tardis User USERNAME HostName tardisproject.uk Host enclave.tardisproject.uk User root HostName enclave.internal.tardisproject.uk ProxyJump tardis IdentityFile ~/.ssh/tardis_rsa Host web.tardisproject.uk User root HostName web.internal.tardisproject.uk ProxyJump tardis IdentityFile ~/.ssh/tardis_rsa Host monitoring.tardisproject.uk User root HostName monitoring.internal.tardisproject.uk ProxyJump tardis IdentityFile ~/.ssh/tardis_rsa Host nixbuild.tardisproject.uk User root HostName nixbuild.internal.tardisproject.uk ProxyJump tardis IdentityFile ~/.ssh/tardis_rsa