You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Portal:Cloud VPS/Admin/Sshd

From Wikitech-static

Cloud VPS instances do some interesting things with sshd config. This page will try to explain what we do, why we do it, and offer some troubleshooting tips for when things go wrong.

Config

ssh-key-ldap-lookup

The ::ldap::client::utils Puppet class provisions our custom /usr/sbin/ssh-key-ldap-lookup script. This script is used by sshd to fetch a list of authorized keys for a given user from the LDAP directory.

PAM

  • /etc/pam.d/common-session - we configure pam_mkhomedir.so to create missing $HOME directories
  • /etc/security/access.conf - we add config to restrict authn to a particular group ($::projectgroup)

Troubleshooting

Check the ssh keys

Compare auth.log records to the output of /usr/sbin/ssh-key-ldap-lookup <user> to validate the key being presented. Be warned that ed25519 keys may not look the same in both outputs even when they are the same key, because of differences in how the key hash is logged.
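The following is an added example written for this page, not the page's own script nor anything from Wikimedia's Puppet code. It does the comparison described above in a way that sidesteps the representation caveat: instead of eyeballing key text, it computes the SHA256 fingerprint that sshd logs from an authorized_keys line, then checks each auth.log publickey record against the keys a lookup would return for that user. The users, keys and log lines are constructed (the ed25519 key material is a byte pattern, not a real key), and the auth.log regex assumes the usual OpenSSH "Accepted/Failed publickey for ... ssh2: TYPE SHA256:..." format; Failed lines typically carry a fingerprint only at LogLevel VERBOSE.

```python
import base64
import hashlib
import re
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def _fake_ed25519_key(seed: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 authorized_keys line whose 32-byte
    key material is just a constructed byte pattern (NOT a real key)."""
    material = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(material)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


# Constructed stand-in for `ssh-key-ldap-lookup <user>` output; users and keys are made up.
LDAP_KEYS = {
    "alice": [_fake_ed25519_key(0, "alice@laptop")],
    "bob": [_fake_ed25519_key(100, "bob@desktop")],
}


def fingerprint(authorized_key_line: str) -> str:
    """Return the OpenSSH-style fingerprint ('SHA256:' + unpadded base64 of
    sha256(key blob)) for one authorized_keys line; this is the form sshd logs,
    and it is independent of the comment field. Leading option fields are
    skipped, but options that themselves contain spaces are not handled."""
    fields = authorized_key_line.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no key type field in line: %r" % authorized_key_line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Assumed auth.log format for publickey authentication records.
PUBKEY_RE = re.compile(
    r"(?P<result>Accepted|Failed) publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2: (?P<type>\S+) (?P<fp>SHA256:\S+)"
)

# Constructed auth.log lines: alice logs in with her LDAP key; bob is rejected
# because the key he presents (here, alice's) is not in his LDAP entry.
SAMPLE_AUTH_LOG = [
    "Jan 12 10:00:01 demo-host sshd[1234]: Accepted publickey for alice from 10.0.0.5 "
    "port 51234 ssh2: ED25519 " + fingerprint(LDAP_KEYS["alice"][0]),
    "Jan 12 10:02:17 demo-host sshd[1301]: Failed publickey for bob from 10.0.0.6 "
    "port 51240 ssh2: ED25519 " + fingerprint(LDAP_KEYS["alice"][0]),
]


def check_auth_log(log_lines, keys_by_user):
    """For every publickey record, report whether the logged fingerprint belongs
    to one of that user's LDAP keys. Returns [(result, user, fingerprint, matched)]."""
    results = []
    for line in log_lines:
        m = PUBKEY_RE.search(line)
        if not m:
            continue
        user, fp = m.group("user"), m.group("fp")
        known = {fingerprint(k) for k in keys_by_user.get(user, [])}
        results.append((m.group("result"), user, fp, fp in known))
    return results


if __name__ == "__main__":
    for result, user, fp, ok in check_auth_log(SAMPLE_AUTH_LOG, LDAP_KEYS):
        status = "matches LDAP" if ok else "NOT in LDAP entry"
        print(f"{result:8s} {user:8s} {fp}  {status}")
```

A Failed record whose fingerprint is absent from the user's LDAP keys means the client is presenting a key that was never uploaded (or has since been removed), which is a different problem from the PAM group check described in the next section.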

Check for project membership

If the auth.log output has something like "Fatal: Access denied for user $USER by PAM account configuration [preauth]", chances are pretty good that the user exists in LDAP but is not a member of the project.
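To make that denial concrete, here is an added example (written for this page; it is neither Wikimedia's Puppet code nor the pam_access module itself) that evaluates a constructed /etc/security/access.conf the way pam_access does: the first rule whose users and origins fields both match decides, a name in parentheses is a group, and when no rule matches access is granted, which is why the deny-all last line matters. The group name project-demo is a made-up stand-in for the $::projectgroup value, and LOCAL origin matching is only approximated.

```python
import re
from dataclasses import dataclass, field

# Constructed /etc/security/access.conf; 'project-demo' stands in for $::projectgroup.
SAMPLE_ACCESS_CONF = """\
# allow root from anywhere
+ : root : ALL
# allow members of the project's group
+ : (project-demo) : ALL
# deny everyone else; without this line pam_access falls back to allow
- : ALL : ALL
"""


@dataclass
class Rule:
    allow: bool
    users: list = field(default_factory=list)    # user names, (group) names, ALL, ALL EXCEPT ...
    origins: list = field(default_factory=list)  # hosts/addresses, ALL, LOCAL, ALL EXCEPT ...
    text: str = ""                               # original line, kept for diagnostics


def _tokens(s: str) -> list:
    """Split a users/origins field on commas and whitespace."""
    return [t for t in re.split(r"[,\s]+", s) if t]


def parse_access_conf(text: str) -> list:
    """Parse 'permission : users : origins' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (part.strip() for part in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError("bad permission field in: %r" % line)
        rules.append(Rule(perm == "+", _tokens(users), _tokens(origins), line))
    return rules


def _list_matches(tokens, item_matches) -> bool:
    """pam_access list semantics: 'ALL' matches anything; 'ALL EXCEPT a b'
    matches anything not listed after EXCEPT; otherwise any listed item."""
    if len(tokens) >= 2 and tokens[0] == "ALL" and tokens[1] == "EXCEPT":
        return not any(item_matches(t) for t in tokens[2:])
    return any(item_matches(t) for t in tokens)


def _user_token_matches(token, user, groups) -> bool:
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):   # (name) is always a group
        return token[1:-1] in groups
    return token == user                                # bare names treated as user names here


def _origin_token_matches(token, origin) -> bool:
    if token == "ALL":
        return True
    if token == "LOCAL":                                # approximation: no dot in the origin
        return "." not in origin
    return token == origin


def evaluate(rules, user, groups, origin):
    """Return (allowed, matching_rule). The first rule whose users and origins
    both match decides; with no match pam_access grants access (rule is None)."""
    for rule in rules:
        if _list_matches(rule.users, lambda t: _user_token_matches(t, user, groups)) and \
                _list_matches(rule.origins, lambda t: _origin_token_matches(t, origin)):
            return rule.allow, rule
    return True, None


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for user, groups in (("alice", {"project-demo"}), ("mallory", {"users"})):
        allowed, rule = evaluate(rules, user, groups, "10.0.0.5")
        verdict = "allowed" if allowed else "denied"
        print(f"{user}: {verdict} by {rule.text if rule else 'default (no rule matched)'}")
```

Running it shows mallory, who exists but is not in the project group, falling through to the final deny rule; that is the path that produces the "Access denied for user ... by PAM account configuration" line quoted above.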