[Box-Admins] Access to the new server(s)

Tobias Pape Das.Linux at gmx.de
Thu Sep 29 06:27:53 UTC 2016


Hey Chris,

On 29.09.2016, at 05:10, Chris Muller <asqueaker at gmail.com> wrote:

> Hey Tobias,
> 
>> =======================================================================================================================
>> Name    Name (ext)      intended use    Unix Users      Public Ports    Private Ports   Public IPv4     Private IPv4
>> -----------------------------------------------------------------------------------------------------------------------
>> ian     ssh.squeak.org  ssh-gateway     ssh             1022            22              104.130.6.82    10.208.225.29
>> alan    *.squeak.org    webserver       webteam         80, 443         22              104.239.229.92  10.176.200.8
>> adele   lists....       mailinglists    (tbd)           25, 587, 465    22, 8080        162.242.237.43  10.208.160.56
>> andreas --------        source.squeak   chrismuller*    --------        22, 8080        irrelevant      10.208.161.222
>> dan     --------        squeaksource    davidlewis*     --------        22, 8080        irrelevant      10.176.197.150
>> ted     --------        squeak wiki+map (tbd)           --------        22, 8080, 8081  irrelevant      10.176.130.111
>> david   --------        jenkins         (tbd)           --------        22, 8080        irrelevant      10.208.194.45
>> scott   --------        misc            (tbd)           --------        22, 8080, 8081  irrelevant      10.176.199.169
>> =======================================================================================================================
> 
>> ...
> 
>> Ian is the ssh gateway so you have to connect to ian _first_ and use (1) local forwarding or (2) proxy jumping.
>> I have installed the Public keys from most of you for the 'ssh' user on ian.
>> 
>> Please verify by
>>        ssh -p1022 -lssh 104.130.6.82
>> you should see
>>        restrict shell, no commands #
>> (you get out with ctrl-d, ctrl-c, or killing ssh)
>> 
>> How to reach the other servers? Example for 'andreas'
>> 
>> variant (1):
>>        Do a local forward by
>>                ssh -AN -L22221:10.176.200.8:22 -p1022 -lssh 104.130.6.82
>>        and then
>>                ssh -lYOURNAME -p22221 localhost
>>        (-N may be optional, but then you see 'restrict shell, no commands #')
>> 
>>        Or in your .ssh/config you can put
>> 
>>        Host ian.squeak.org
>>          User ssh
>>          Hostname 104.130.6.82
>>          Port 1022
>>          LocalForward 222221 10.176.200.8:22
> 
> (10.176.200.8 is alan, not andreas and 222221 is not a valid port
> number, but I got your point).

Yes, sorry, you're right in both instances. I noticed too late.

> 
>>        Host andreas.squeak.org
>>          User YOURNAME
>>          Hostname localhost
>>          Port 222221
>> 
>> 
>>        And then say 'ssh -AN ian.squeak.org' and then 'ssh andreas.squeak.org'
> 
> However, my access failed:
> 
> =======================
> ssh andreas.squeak.org
> The authenticity of host '[localhost]:22221 ([127.0.0.1]:22221)' can't
> be established.
> ECDSA key fingerprint is a3:05:db:9d:51:b0:53:a9:4e:98:94:df:ff:34:09:2a.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '[localhost]:22221' (ECDSA) to the list of
> known hosts.
> Permission denied (publickey).
> ========================
> 
> Could you double check my ssh key?

My bad. I had actually forgotten to create that account. I created it now, please re-check.

> 
>> ...
>> We will shortly start RSYNC-ing over data from box3 and box4 as well as replicating DNS entries before switching over.
> 
> I assume you will not carry forward the chroot directory structure
> from "box3". 

I would rather pour a full bottle of Lagavulin down the drain than try to piggyback boxes again without need :D

> Are you planning to collaborate with the volunteers or
> do some kind of hand-off after the rsync or take everything completely
> across the finish-line?

I (or we?) will surely help where possible.

> 
>> [ACTION REQUIRED]
>> 
>> - Who needs access to which servers?
> 
> I would like access, including sudo, to dan and ted, please.

Ted because of map and wiki, right?
Can you please explain why dan?
Is the sudo necessary for anything other than installing packages?
(Sorry for asking, but I'd like to have not too many sudoers on the machines during the moves. Not because of distrust but because of losing track).

Anyway, thanks for stepping forward and helping. :)

Best regards
	-Tobias
> 
> - Chris
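
An added example, not part of the original thread: a small Python check that lints the `.ssh/config` quoted above against the host table and catches the two mistakes Chris points out (a local port above 65535, and a forward aimed at alan's address instead of andreas's). The corrected config (port 22221, target 10.208.161.222), the function names, and the one-LocalForward-per-Host simplification are assumptions of this example.

```python
import re

# Private IPv4 addresses copied from the host table quoted in the thread.
INVENTORY = {"alan": "10.176.200.8", "andreas": "10.208.161.222"}

# Config as posted in the thread; CORRECTED is this example's assumed fix.
AS_POSTED = """
Host ian.squeak.org
  User ssh
  Hostname 104.130.6.82
  Port 1022
  LocalForward 222221 10.176.200.8:22
Host andreas.squeak.org
  User YOURNAME
  Hostname localhost
  Port 222221
"""
CORRECTED = AS_POSTED.replace("222221", "22221").replace("10.176.200.8", "10.208.161.222")

def parse_hosts(text):
    """Map each Host alias to its {keyword: value} options (space-separated form only)."""
    hosts, current = {}, None
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "host":
            current = hosts.setdefault(parts[1].strip(), {})
        elif current is not None:
            current[parts[0].lower()] = parts[1].strip()
    return hosts

def lint(text, inventory=INVENTORY):
    """Return problems in LocalForward entries and in the localhost aliases that use them."""
    hosts, forwards, problems = parse_hosts(text), {}, []
    for alias, opts in hosts.items():
        m = re.fullmatch(r"(\d+)\s+([\d.]+):(\d+)", opts.get("localforward", ""))
        if not m:
            continue  # no (parsable) forward here; the alias check below flags the gap
        port = int(m.group(1))
        forwards[port] = m.group(2)
        if not 1 <= port <= 65535:
            problems.append(f"{alias}: local port {port} is not in 1-65535")
    for alias, opts in hosts.items():
        if opts.get("hostname") == "localhost" and opts.get("port", "").isdigit():
            # The first label of the alias names the inventory host it should reach.
            want, got = inventory.get(alias.split(".")[0]), forwards.get(int(opts["port"]))
            if got != want:
                problems.append(f"{alias}: port {opts['port']} forwards to {got}, expected {want}")
    return problems
```

`lint(AS_POSTED)` reports both problems; `lint(CORRECTED)` returns an empty list.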


