[Box-Admins] Access to the new server(s)
David T. Lewis
lewis at mail.msen.com
Wed Sep 28 23:53:28 UTC 2016
Thanks Tobias,
I am not able to connect with variant (1). Probably I am doing something wrong,
as I have little experience with ssh tunneling. This is what I see:
lewis@lewis-Gazelle-Pro:~$ ssh -p1022 -lssh 104.130.6.82
restrict shell, no commands #
restrict shell, no commands # ssh -AN -L22221:10.176.197.150:22 -p1022 -lssh 104.130.6.82
restrict shell, no commands # ssh -ldavidlewis -p22221 localhost
restrict shell, no commands # ls
restrict shell, no commands #
Can you tell what I am doing wrong?
Thanks,
Dave
On Wed, Sep 28, 2016 at 11:31:36AM +0200, Tobias Pape wrote:
> Dear all
>
> [ACTIONS AT END]
>
> with retroactive blessing of Levente, I have now prepared eight VMs on Rackspace.
> Here's the overview:
>
> ======================================================================================================================
> Name     Name (ext)      intended use      Unix Users    Public Ports   Private Ports    Public IPv4      Private IPv4
> ----------------------------------------------------------------------------------------------------------------------
> ian      ssh.squeak.org  ssh-gateway       ssh           1022           22               104.130.6.82     10.208.225.29
> alan     *.squeak.org    webserver         webteam       80, 443        22               104.239.229.92   10.176.200.8
> adele    lists....       mailinglists      (tbd)         25, 587, 465   22, 8080         162.242.237.43   10.208.160.56
> andreas  --------        source.squeak     chrismuller*  --------       22, 8080         irrelevant       10.208.161.222
> dan      --------        squeaksource      davidlewis*   --------       22, 8080         irrelevant       10.176.197.150
> ted      --------        squeak wiki+map   (tbd)         --------       22, 8080, 8081   irrelevant       10.176.130.111
> david    --------        jenkins           (tbd)         --------       22, 8080         irrelevant       10.208.194.45
> scott    --------        misc              (tbd)         --------       22, 8080, 8081   irrelevant       10.176.199.169
> ======================================================================================================================
>
> Currently, Levente and I have sudo on all these machines. Users with * also do.
>
> Note that _no_ server exposes SSH on port 22 on a public IP. This is intentional to narrow attack vectors for script kiddies.
> How to login?
>
> Ian is the ssh gateway so you have to connect to ian _first_ and use (1) local forwarding or (2) proxy jumping.
> I have installed the Public keys from most of you for the 'ssh' user on ian.
>
> Please verify by
> ssh -p1022 -lssh 104.130.6.82
> you should see
> restrict shell, no commands #
> (you get out with ctrl-d, ctrl-c, or killing ssh)
>
> How to reach the other servers? Example for 'andreas'
>
> variant (1):
> Do a local forward by
> ssh -AN -L22221:10.176.200.8:22 -p1022 -lssh 104.130.6.82
> and then
> ssh -lYOURNAME -p22221 localhost
> (-N may be optional, but then you see 'restrict shell, no commands #')
>
> Or in your .ssh/config you can put
>
> Host ian.squeak.org
> User ssh
> Hostname 104.130.6.82
> Port 1022
> LocalForward 22221 10.176.200.8:22
>
> Host andreas.squeak.org
> User YOURNAME
> Hostname localhost
> Port 22221
>
> And then say 'ssh -AN ian.squeak.org' and then 'ssh andreas.squeak.org'
>
> variant (2):
> (a) You have OpenSSH >= 7.3
> Do a Jump with
> ssh -J ssh@104.130.6.82:1022 YOURNAME@10.176.200.8
>
> Or in your .ssh/config you can put
>
> Host ian.squeak.org
> User ssh
> Hostname 104.130.6.82
> Port 1022
>
> Host andreas.squeak.org
> User YOURNAME
> Hostname 10.176.200.8
> ProxyJump ian.squeak.org
>
> And then say 'ssh andreas.squeak.org'
>
> (b) You have OpenSSH >= 5.4
> Do a Jump via
> ssh -o ProxyCommand="ssh -lssh -p1022 -W %h:%p 104.130.6.82" YOURNAME@10.176.200.8
>
> Or in your .ssh/config you can put
>
> Host ian.squeak.org
> User ssh
> Hostname 104.130.6.82
> Port 1022
>
> Host andreas.squeak.org
> User YOURNAME
> Hostname 10.176.200.8
> ProxyCommand ssh -W %h:%p ian.squeak.org
>
> And then say 'ssh andreas.squeak.org'
>
> (c) You have OpenSSH < 5.4
> Use variant (1)
>
> We will shortly start RSYNC-ing over data from box3 and box4 as well as replicating DNS entries before switching over.
>
> [ACTION REQUIRED]
>
> - Who needs access to which servers?
> - Do we need Jenkins anymore?
>
> As always, questions appreciated.
>
> Best regards
> -Tobias
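The three jump variants Tobias describes (ProxyJump for OpenSSH >= 7.3, ProxyCommand with -W for >= 5.4, a local forward otherwise), as an added example that is not code from the thread or from the Squeak box-admins: a POSIX shell helper that reads the local `ssh -V` banner, picks the variant that version supports, and prints the command line(s) for a host behind ian. The gateway user, address and port are the ones given in the mail; `YOURNAME` is a placeholder, and the banners in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: pick the jump variant from the local
# OpenSSH version and print the ssh invocation(s) for a host behind 'ian'.
# Gateway details are those given in the mail.
GATEWAY_USER=ssh
GATEWAY_HOST=104.130.6.82
GATEWAY_PORT=1022

# ssh_version_from_banner "OpenSSH_7.4p1 ..." -> "7.4" (empty if not an OpenSSH banner)
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# pick_variant MAJOR.MINOR -> proxyjump (>= 7.3) | proxycommand (>= 5.4) | localforward
pick_variant() {
    v=${1:-0.0}; major=${v%%.*}; minor=${v#*.}
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }; then
        echo proxyjump
    elif [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }; then
        echo proxycommand
    else
        echo localforward
    fi
}

# jump_command USER TARGET_IP VARIANT -> command line(s) to run on the local machine
jump_command() {
    user=$1; target=$2
    case $3 in
        proxyjump)
            echo "ssh -J ${GATEWAY_USER}@${GATEWAY_HOST}:${GATEWAY_PORT} ${user}@${target}" ;;
        proxycommand)
            echo "ssh -o ProxyCommand=\"ssh -l${GATEWAY_USER} -p${GATEWAY_PORT} -W %h:%p ${GATEWAY_HOST}\" ${user}@${target}" ;;
        localforward)
            # Two local terminals: the first command stays running (-N opens no shell on ian);
            # the second is typed into another local terminal, not into ian's restricted shell.
            echo "ssh -AN -L22221:${target}:22 -p${GATEWAY_PORT} -l${GATEWAY_USER} ${GATEWAY_HOST}"
            echo "ssh -l${user} -p22221 localhost" ;;
        *)  echo "unknown variant: $3" >&2; return 1 ;;
    esac
}

# Usage: command(s) for 'dan' (10.176.197.150) with the ssh installed on this machine.
# '|| true' keeps going when no ssh binary exists; the version then falls back to 0.0.
ver=$(ssh_version_from_banner "$(ssh -V 2>&1 || true)")
jump_command YOURNAME 10.176.197.150 "$(pick_variant "${ver:-0.0}")"
```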