Updated SSH Documentation

  1. Add your public key to $TIS-DEVOPS/ansible/roles/ssh/files/public_keys/:email. Keys should be in OpenSSH format.
  2. Run the following command to give access to the build server:

     $ ansible-playbook -i inventory/build tasks/ssh.yml

  3. It may be useful to add the following to your ~/.ssh/config file (you can create a new text file in that location if you don't already have one):

Host hee-build-aws
    Hostname aws.jump.tis.nhs.uk
    Port 22
    User bastion
    # RabbitMQ STAGE
    LocalForward 25672 10.160.0.147:15672
    # Neo4J BOLT, then HTTP
    LocalForward 27687 10.160.0.150:7687
    LocalForward 27474 10.160.0.150:7474
    ForwardAgent yes
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/id_rsa

#Build Env

Host 10.140.0.*
    User heetis
    ProxyCommand ssh hee-build-aws nc %h %p
    ForwardAgent yes
    StrictHostKeyChecking no

#Stage Env
Host 10.160.0.*
    User heetis
    ProxyCommand ssh hee-build-aws nc %h %p
    ForwardAgent yes
    StrictHostKeyChecking no

#Prod Env
Host 10.170.0.*
    User heetis
    ProxyCommand ssh hee-build-aws nc %h %p
    ForwardAgent yes
    StrictHostKeyChecking no

#NIMDTA Env

Host 10.254.*.*
    User heetis
    ProxyCommand ssh hee-build-aws nc %h %p
    ForwardAgent yes
    StrictHostKeyChecking no

#Bastion Env

Host 10.99.0.*
    User bastion
    ProxyCommand ssh hee-build-aws nc %h %p
    ForwardAgent yes
    StrictHostKeyChecking no

Host github.com
    Hostname ssh.github.com
    Port 443



We swapped platforms recently, so some of the server keys no longer match the original values. If you see a message similar to this when you try to connect, you will need to remove entries from your known hosts:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:O6QtBrIMNz0c/OKPGmRLhEsQwOm4eeFgcPkd/yClwcs.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in ~/.ssh/known_hosts:1061

You have two options:

  • Delete your ~/.ssh/known_hosts file to remove all stored public keys.
  • Find the entries in ~/.ssh/known_hosts that are conflicting. In the example above, the key on line 1061 was causing the problem, so removing that line fixed the issue.
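
The second option can be scripted so that only the reported line is removed and a backup is kept. The following is an added example, not part of the original documentation; the function names are hypothetical and the demo data is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): remove only the known_hosts
# line that ssh reports as "Offending", keeping a backup of the file.

# remove_known_host_line FILE LINE
# Copies FILE to FILE.bak, then deletes LINE from FILE.
remove_known_host_line() {
    file=$1 line=$2
    case $file in "~/"*) file=$HOME/${file#??} ;; esac   # expand a literal ~/
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case $line in ''|*[!0-9]*|0) echo "bad line number: $line" >&2; return 1 ;; esac
    total=$(awk 'END { print NR }' "$file")
    [ "$line" -le "$total" ] || { echo "line $line is past end of file ($total lines)" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1
    sed "${line}d" "$file.bak" > "$file"
}

# Reads ssh's warning text on stdin, finds the "Offending ... key in FILE:LINE"
# line and removes that entry. Works for hashed entries too, because it never
# needs to match a hostname.
remove_offending_entry() {
    entry=$(sed -n 's/^Offending .* key in \(.*:[0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$entry" ] || { echo "no 'Offending ... key' line found" >&2; return 1; }
    remove_known_host_line "${entry%:*}" "${entry##*:}"
}

# Demo on a constructed known_hosts file (the key strings are placeholders).
demo() {
    dir=$(mktemp -d) || return 1
    kh=$dir/known_hosts
    printf '%s\n' \
        '10.140.0.5 ecdsa-sha2-nistp256 AAAA-constructed-key-1' \
        '10.160.0.147 ecdsa-sha2-nistp256 AAAA-constructed-stale-key' \
        '10.170.0.9 ecdsa-sha2-nistp256 AAAA-constructed-key-3' > "$kh"
    printf 'Offending ECDSA key in %s:2\n' "$kh" | remove_offending_entry || return 1
    cat "$kh"
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

OpenSSH's own `ssh-keygen -R <host>` removes entries by hostname instead of by line number. Either way, compare the fingerprint shown in the warning with the one published for the rebuilt server before reconnecting.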


Graphical Overview (basic)