[Box-Admins] Access to the new server(s)

David T. Lewis lewis at mail.msen.com
Wed Sep 28 23:53:28 UTC 2016


Thanks Tobias,

I am not able to connect with variant (1). Probably I am doing something wrong,
as I have little experience with ssh tunneling. This is what I see:

  lewis at lewis-Gazelle-Pro:~$ ssh -p1022 -lssh 104.130.6.82
  restrict shell, no commands # 
  restrict shell, no commands # ssh -AN -L22221:10.176.197.150:22 -p1022 -lssh 104.130.6.82
  restrict shell, no commands # ssh -ldavidlewis -p22221 localhost
  restrict shell, no commands # ls
  restrict shell, no commands #

Can you tell what I am doing wrong?

Thanks,
Dave



On Wed, Sep 28, 2016 at 11:31:36AM +0200, Tobias Pape wrote:
> Dear all
> 
> [ACTIONS AT END]
> 
> with retroactive blessing of Levente, I have now prepared eight VMs on Rackspace.
> Here's the overview:
> 
> =======================================================================================================================
> Name 	Name (ext)	intended use	Unix Users	Public Ports	Private Ports	Public IPv4	Private IPv4
> -----------------------------------------------------------------------------------------------------------------------
> ian	ssh.squeak.org	ssh-gateway	ssh     	1022    	22      	104.130.6.82	10.208.225.29
> alan	*.squeak.org	webserver	webteam  	80, 443  	22      	104.239.229.92	10.176.200.8
> adele	lists....	mailinglists	(tbd)   	25, 587, 465	22, 8080	162.242.237.43	10.208.160.56
> andreas	--------	source.squeak	chrismuller*	--------	22, 8080	irrelevant	10.208.161.222
> dan	--------	squeaksource	davidlewis*	--------	22, 8080	irrelevant	10.176.197.150
> ted	--------	squeak wiki+map	(tbd)   	--------	22, 8080, 8081	irrelevant	10.176.130.111
> david	--------	jenkins 	(tbd)   	--------	22, 8080	irrelevant	10.208.194.45
> scott	--------	misc    	(tbd)   	--------	22, 8080, 8081	irrelevant	10.176.199.169
> =======================================================================================================================
> 
> Currently, Levente and I have sudo on all these machines. Users with * also do.
> 
> Note that _no_ server exposes SSH on port 22 on a public IP. This is intentional to narrow attack vectors for script kiddies.
> How to login?
> 
> Ian is the ssh gateway so you have to connect to ian _first_ and use (1) local forwarding or (2) proxy jumping.
> I have installed the Public keys from most of you for the 'ssh' user on ian.
> 
> Please verify by
> 	ssh -p1022 -lssh 104.130.6.82
> you should see
> 	restrict shell, no commands #
> (you get out with ctrl-d, ctrl-c, or killing ssh)
> 
> How to reach the other servers? Example for 'andreas'
> 
> variant (1):
> 	Do a local forward by
> 		ssh -AN -L22221:10.176.200.8:22 -p1022 -lssh 104.130.6.82
> 	and then
> 		ssh -lYOURNAME -p22221 localhost
> 	(-N may be optional, but then you see 'restrict shell, no commands #')
> 
> 	Or in your .ssh/config you can put
> 
> 	Host ian.squeak.org
> 	  User ssh
> 	  Hostname 104.130.6.82
> 	  Port 1022
> 	  LocalForward 22221 10.176.200.8:22
> 
> 	Host andreas.squeak.org
> 	  User YOURNAME
> 	  Hostname localhost
> 	  Port 22221
> 
> 	And then say 'ssh -AN ian.squeak.org' and then 'ssh andreas.squeak.org'
> 
> variant (2):
> 	(a) You have OpenSSH >= 7.3
> 	Do a Jump with
> 		ssh -J ssh at 104.130.6.82:1022 YOURNAME at 10.176.200.8
> 
> 	Or in your .ssh/config you can put
> 
> 	Host ian.squeak.org
> 	  User ssh
> 	  Hostname 104.130.6.82
> 	  Port 1022
> 
> 	Host andreas.squeak.org
> 	  User YOURNAME
> 	  Hostname 10.176.200.8
> 	  ProxyJump ian.squeak.org
> 
> 	And then say 'ssh andreas.squeak.org'
> 
> 	(b) You have OpenSSH >= 5.4
> 	Do a Jump via
> 		ssh -o ProxyCommand="ssh -lssh -p1022 -W %h:%p 104.130.6.82" YOURNAME at 10.176.200.8
> 
> 	Or in your .ssh/config you can put
> 
> 	Host ian.squeak.org
> 	  User ssh
> 	  Hostname 104.130.6.82
> 	  Port 1022
> 
> 	Host andreas.squeak.org
> 	  User YOURNAME
> 	  Hostname 10.176.200.8
> 	  ProxyCommand ssh -W %h:%p ian.squeak.org
> 
> 	And then say 'ssh andreas.squeak.org'
> 
> 	(c) You have OpenSSH < 5.4
> 	Use variant (1)
> 
> We will shortly start RSYNC-ing over data from box3 and box4 as well as replicating DNS entries before switching over.
> 
> [ACTION REQUIRED]
> 
> - Who needs access to which servers?
> - Do we need Jenkins anymore?
> 
> As always, questions appreciated.
> 
> Best regards
> 	-Tobias
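A worked example of the two config shapes from Tobias' post, added here and not part of the thread. The gateway values (ssh user, 104.130.6.82, port 1022) are the ones quoted above; the aliases, the function names and the sample target (dan, user davidlewis) are assumptions for this example. The script writes a LocalForward config (variant 1) and a ProxyJump config (variant 2a) and lints them before use: it rejects port numbers outside 1..65535 (a six-digit port silently breaks the forward) and ProxyJump targets with no Host stanza defined above them. Two points the transcript above illustrates: the forward and the second ssh both run on your own machine, in two local terminals, never at the gateway's restricted prompt; and with ProxyJump the authentication to the inner host runs end to end, so no agent forwarding (-A) to the gateway is needed, which keeps your agent out of reach of a host you do not administer.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the two ssh_config shapes
# from the post (LocalForward and ProxyJump) and lint them before use.
# Gateway values are the ones quoted in the thread; the aliases, function names
# and the sample target (dan / davidlewis) are assumptions for this example.

GATEWAY_ALIAS=ian.squeak.org
GATEWAY_USER=ssh
GATEWAY_IP=104.130.6.82
GATEWAY_PORT=1022

# Print the gateway stanza. Nothing but the forward/jump ever talks to it,
# since its shell is restricted ("restrict shell, no commands #").
emit_gateway_stanza() {
  printf 'Host %s\n  User %s\n  Hostname %s\n  Port %s\n\n' \
    "$GATEWAY_ALIAS" "$GATEWAY_USER" "$GATEWAY_IP" "$GATEWAY_PORT"
}

# Variant (2a): ProxyJump. $1 alias, $2 private IP of the target, $3 your user.
# Authentication to the target runs end to end, so no agent forwarding (-A)
# to the gateway is needed.
emit_jump_config() {
  emit_gateway_stanza
  printf 'Host %s\n  User %s\n  Hostname %s\n  ProxyJump %s\n' \
    "$1" "$3" "$2" "$GATEWAY_ALIAS"
}

# Variant (1): LocalForward on a loopback port. $4 is the local port; ssh
# binds it to 127.0.0.1 unless GatewayPorts is set, which is what you want.
emit_forward_config() {
  printf 'Host %s\n  User %s\n  Hostname %s\n  Port %s\n  LocalForward %s %s:22\n\n' \
    "$GATEWAY_ALIAS" "$GATEWAY_USER" "$GATEWAY_IP" "$GATEWAY_PORT" "$4" "$2"
  printf 'Host %s\n  User %s\n  Hostname localhost\n  Port %s\n' "$1" "$3" "$4"
}

# 0 if $1 is a usable TCP port (digits only, 1..65535), 1 otherwise.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Lint a config read from stdin. Flags Port and LocalForward values outside the
# port range and ProxyJump targets with no Host stanza defined above them.
# Complaints go to stderr; the return code is 0 only when nothing was flagged.
lint_config() {
  rc=0
  seen_hosts=" "
  while read -r key val rest; do
    case "$key" in
      Host)
        seen_hosts="$seen_hosts$val " ;;
      Port)
        valid_port "$val" || { echo "lint: bad Port '$val'" >&2; rc=1; } ;;
      LocalForward)
        # First token is the local port (an optional bind-address prefix is
        # not handled here; the thread's configs use the bare port form).
        valid_port "$val" || { echo "lint: bad LocalForward port '$val'" >&2; rc=1; } ;;
      ProxyJump)
        case "$seen_hosts" in
          *" $val "*) ;;
          *) echo "lint: ProxyJump '$val' has no Host stanza above it" >&2; rc=1 ;;
        esac ;;
    esac
  done
  return "$rc"
}

# Stand-alone use: print a linted ProxyJump config for the sample target.
if [ "${1:-}" = "--demo" ]; then
  emit_jump_config dan.squeak.org 10.176.197.150 davidlewis | lint_config \
    && emit_jump_config dan.squeak.org 10.176.197.150 davidlewis
fi
```

Run it with `--demo` and redirect the output to a file, then `ssh -G -F that-file dan.squeak.org` (OpenSSH 6.8 or later) prints the options ssh would actually use, including the resolved proxyjump, without opening a connection; that is a cheap way to confirm a config before trying it through the gateway.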



