Accessing Autobuilders: Difference between revisions

From Yocto Project
Jump to navigationJump to search
m (Bill Randle moved page AccessingAutobuilders to Accessing Autobuilders: add a space in the title)
No edit summary
Line 12: Line 12:
Edit ~/.ssh/config and add:
Edit ~/.ssh/config and add:


  Host access.yoctoproject.org
  Host access.yocto.io
     # Make sure your username matches your account on the autobuilder
     # Make sure your username matches your account on the autobuilder
     User [username]
     #User [username]
     # Give the full path to the proper public key
     # Give the full path to the proper public key
     IdentityFile /home/[username]/.ssh/id_rsa
     #IdentityFile /home/[username]/.ssh/id_rsa
     # If your network requires you to use a SOCKS proxy enable it here
     # If your network requires you to use a SOCKS proxy enable it here
     # ProxyCommand nc -X5 -x [proxyserver.address.company.com:1080] %h %p
     # ProxyCommand nc -X5 -x [proxyserver.address.company.com:1080] %h %p
Line 22: Line 22:
     # ProxyCommand nc --proxy-type socks5 --proxy [proxyserver.address.company.com:1080] %h %p
     # ProxyCommand nc --proxy-type socks5 --proxy [proxyserver.address.company.com:1080] %h %p
      
      
  # We use an internal DNS server with the fake TLD .yp for ease of use
  # *.yocto.io except for access is internal. Proxy through the bastion.  
  Host *.yp *.osl.yoctoproject.org
  Host !access.yocto.io *.yocto.io
    # This proxy command actually does the of running ssh through ssh
     ProxyJump access.yocto.io
     ProxyCommand ssh access.yoctoproject.org exec nc %h %p 2> /dev/null
     # Correct username and key repeated from above.
     # Correct username and key repeated from above.
     User [username]
     #User [username]
     IdentityFile /home/username/.ssh/id_rsa
     #IdentityFile /home/[username]/.ssh/id_rsa
     # We don't need strict checking on the private network.
     # We don't need strict checking on the private network.
     StrictHostKeyChecking no
     StrictHostKeyChecking no
    VisualHostKey no
     # Don't bother saving hostkeys we don't check
     # Don't bother saving hostkeys we don't check
     UserKnownHostsFile /dev/null
     UserKnownHostsFile /dev/null
    VisualHostKey no
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null


===Verify Fingerprints===
===Verify Fingerprints===

Revision as of 20:42, 25 March 2021

Connecting to Autobuilders

We use an ssh jumphost called access.yoctoproject.org to connect to the autobuilders. Jumphosts enhance security by removing the threat of hijacked ssh-agents and limiting the services running on Internet exposed hosts.

Generate keys

In order to access any of the autobuilders your ssh public keys must first be installed. The preferred way to generate a key is type RSA with 2048 bits or greater. Please put your e-mail, the date of generation, and the host the key lives on in the comment. Please set a passphrase even if it's a simple one! Ideally your private key will never leave the host it is generated on - so if you have multiple machines please generate multiple keys. E-mail your public key named id_rsa.pub to hostmaster@yoctoproject.org. Keep id_rsa(the private key) super safe. Please never share it with anyone or copy it onto the Internet. Don't e-mail it to yourself either.

 ssh-keygen -b 4096 -t rsa -C "your.email@company.com_2012-05-30_localhostname"

Substitute your own e-mail and your computer's hostname in the command above. Setting these helps with troubleshooting in the future.

Configure ssh

Edit ~/.ssh/config and add:

Host access.yocto.io
   # Make sure your username matches your account on the autobuilder
   #User [username]
   # Give the full path to the proper public key
   #IdentityFile /home/[username]/.ssh/id_rsa
   # If your network requires you to use a SOCKS proxy enable it here
   # ProxyCommand nc -X5 -x [proxyserver.address.company.com:1080] %h %p
   # If your system uses 'ncat', rather than 'netcat', use these options to enable a SOCKS proxy
   # ProxyCommand nc --proxy-type socks5 --proxy [proxyserver.address.company.com:1080] %h %p
   
# *.yocto.io except for access is internal. Proxy through the bastion. 
Host !access.yocto.io *.yocto.io
   ProxyJump access.yocto.io
   # Correct username and key repeated from above.
   #User [username]
   #IdentityFile /home/[username]/.ssh/id_rsa
   # We don't need strict checking on the private network.
   StrictHostKeyChecking no
   VisualHostKey no
   # Don't bother saving hostkeys we don't check
   UserKnownHostsFile /dev/null


   VisualHostKey no
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null


Verify Fingerprints

Now actually ssh to access.yoctoproject.org and verify that the fingerprint you receive matches a fingerprint below.

access.yoctoproject.org ECDSA 45:57:d2:e5:c9:93:40:a3:32:f4:a3:29:0b:1e:99:57
or                       RSA  15:90:e2:85:98:db:f6:75:55:3d:fb:fa:22:a7:06:44
or                ECDSA SHA256:xVq5zKfo7s2HCZmZOj/r39A8dRenI+YEfIBIv53LSTs

Connect!

Now that you've added access.yoctoproject.org to your known hosts you don't need to worry about fingerprints anymore. Time to connect to a builder. Run:

 ssh ab01.yp

If all worked correctly you are now logged into autobuilder01.

Need to work on the build scripts?

If you are on the SWAT team you can access pokybuild using this sudo command:

 sudo -iu pokybuild


keywords: ssh access auto builder accessing autobuilders