[Box-Admins] Access to the new server(s)

Tobias Pape Das.Linux at gmx.de
Wed Sep 28 09:31:36 UTC 2016


Dear all

[ACTIONS AT END]

with retroactive blessing of Levente, I have now prepared eight VMs on Rackspace.
Here's the overview:

=======================================================================================================================
Name 	Name (ext)	intended use	Unix Users	Public Ports	Private Ports	Public IPv4	Private IPv4
-----------------------------------------------------------------------------------------------------------------------
ian	ssh.squeak.org	ssh-gateway	ssh     	1022    	22      	104.130.6.82	10.208.225.29
alan	*.squeak.org	webserver	webteam  	80, 443  	22      	104.239.229.92	10.176.200.8
adele	lists....	mailinglists	(tbd)   	25, 587, 465	22, 8080	162.242.237.43	10.208.160.56
andreas	--------	source.squeak	chrismuller*	--------	22, 8080	irrelevant	10.208.161.222
dan	--------	squeaksource	davidlewis*	--------	22, 8080	irrelevant	10.176.197.150
ted	--------	squeak wiki+map	(tbd)   	--------	22, 8080, 8081	irrelevant	10.176.130.111
david	--------	jenkins 	(tbd)   	--------	22, 8080	irrelevant	10.208.194.45
scott	--------	misc    	(tbd)   	--------	22, 8080, 8081	irrelevant	10.176.199.169
=======================================================================================================================

Currently, Levente and I have sudo on all these machines. Users with * also do.

Note that _no_ server exposes SSH on port 22 on a public IP. This is intentional to narrow attack vectors for script kiddies.
How to login?

Ian is the ssh gateway so you have to connect to ian _first_ and use (1) local forwarding or (2) proxy jumping.
I have installed the Public keys from most of you for the 'ssh' user on ian.

Please verify by
	ssh -p1022 -lssh 104.130.6.82
you should see
	restrict shell, no commands #
(you get out with ctrl-d, ctrl-c, or killing ssh)

How to reach the other servers? Example for 'andreas'

variant (1):
	Do a local forward by
		ssh -AN -L22221:10.176.200.8:22 -p1022 -lssh 104.130.6.82
	and then
		ssh -lYOURNAME -p22221 localhost
	(-N maybe optional, but then you see 'restrict shell, no commands #')

	Or in your .ssh/config you can put

	Host ian.squeak.org
	  User ssh
	  Hostname 104.130.6.82
	  Port 1022
	  LocalForward 22221 10.176.200.8:22

	Host andreas.squeak.org
	  User YOURNAME
	  Hostname localhost
	  Port 22221

	And then say 'ssh -AN ian.squeak.org' and then 'ssh andreas.squeak.org'

variant (2):
	(a) You have OpenSSH >= 7.3
	Do a Jump with
		ssh -J ssh@104.130.6.82:1022 YOURNAME@10.176.200.8

	Or in your .ssh/config you can put

	Host ian.squeak.org
	  User ssh
	  Hostname 104.130.6.82
	  Port 1022

	Host andreas.squeak.org
	  User YOURNAME
	  Hostname 10.176.200.8
	  ProxyJump ian.squeak.org

	And then say 'ssh andreas.squeak.org'

	(b) You have OpenSSH >= 5.4
	Do a Jump via
		ssh -o ProxyCommand="ssh -lssh -p1022 -W %h:%p 104.130.6.82" YOURNAME@10.176.200.8

	Or in your .ssh/config you can put

	Host ian.squeak.org
	  User ssh
	  Hostname 104.130.6.82
	  Port 1022

	Host andreas.squeak.org
	  User YOURNAME
	  Hostname 10.176.200.8
	  ProxyCommand ssh -W %h:%p ian.squeak.org

	And then say 'ssh andreas.squeak.org'

	(c) You have OpenSSH < 5.4
	Use variant (1)

We will shortly start RSYNC-ing over data from box3 and box4 as well as replicating DNS entries before switching over.

[ACTION REQUIRED]

- Who needs access to which servers?
- Do we need Jenkins anymore?

As always, questions appreciated.

Best regards
	-Tobias
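The three variants above differ only by the OpenSSH version on the client. As an added example (not part of Tobias's post), this POSIX shell script picks the variant for a given `ssh -V` string and emits the matching `~/.ssh/config` stanzas; the gateway address, port and private IPs are taken from the table above, while the Host aliases and YOURNAME are placeholders exactly as in the post.

```shell
#!/bin/sh
# Added example, not part of Tobias's post: pick the jump method the post
# recommends for a given OpenSSH version and emit the matching ~/.ssh/config
# stanzas. Gateway address/port and the private IPs come from the post's
# table; the Host aliases and YOURNAME are placeholders as in the post.
GATEWAY_ALIAS=ian.squeak.org
GATEWAY_IP=104.130.6.82
GATEWAY_PORT=1022
GATEWAY_USER=ssh

# parse_ssh_version "OpenSSH_7.4p1, OpenSSL ..." -> "7.4"
# (that string is what `ssh -V 2>&1` prints; ssh -V writes to stderr)
parse_ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# ssh_jump_method MAJOR.MINOR -> proxyjump | proxycommand | localforward
# (>= 7.3: -J/ProxyJump; >= 5.4: ProxyCommand with -W; older: local forward)
ssh_jump_method() {
    major=${1%%.*}
    case "$1" in
        *.*) minor=${1#*.}; minor=${minor%%.*} ;;
        *)   minor=0 ;;
    esac
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }; then
        echo proxyjump
    elif [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }; then
        echo proxycommand
    else
        echo localforward
    fi
}

# emit_config METHOD ALIAS PRIVATE_IP USER LOCALPORT -> config stanzas on stdout
emit_config() {
    method=$1 alias=$2 ip=$3 user=$4 lport=$5
    printf 'Host %s\n  User %s\n  Hostname %s\n  Port %s\n' \
        "$GATEWAY_ALIAS" "$GATEWAY_USER" "$GATEWAY_IP" "$GATEWAY_PORT"
    if [ "$method" = localforward ]; then
        printf '  LocalForward %s %s:22\n' "$lport" "$ip"
    fi
    printf '\nHost %s\n  User %s\n' "$alias" "$user"
    case "$method" in
        proxyjump)    printf '  Hostname %s\n  ProxyJump %s\n' "$ip" "$GATEWAY_ALIAS" ;;
        proxycommand) printf '  Hostname %s\n  ProxyCommand ssh -W %%h:%%p %s\n' "$ip" "$GATEWAY_ALIAS" ;;
        localforward) printf '  Hostname localhost\n  Port %s\n' "$lport" ;;
    esac
}
```

Typical use on the client: `emit_config "$(ssh_jump_method "$(parse_ssh_version "$(ssh -V 2>&1)")")" andreas.squeak.org 10.208.161.222 YOURNAME 22221 >> ~/.ssh/config`, after which `ssh andreas.squeak.org` goes through ian as described above.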