Difference between revisions of "Shell Service"

From Tardis
Line 12: Line 12:
 
== Dumping Screen Sessions, Weechat, Irssi, etc. ==
 
== Dumping Screen Sessions, Weechat, Irssi, etc. ==
 
While [[fez]] has a full featured install, [[Torchwood]] is intentionally nerfed to dissuade people from dumping sessions there.
 
While [[fez]] has a full featured install, [[Torchwood]] is intentionally nerfed to dissuade people from dumping sessions there.
 +
 +
== Reboots ==
 +
Sometimes a reboot needs to happen, though most try to keep these as infrequent as possible.
 +
 +
Some reasons (not exhaustive) a reboot may need to occur on a shell server:
 +
* Critical Security Patches
 +
* Kernel Updates
 +
* unattended-upgrades moaning about a reboot being required (this is somewhat frequent, use your own judgement if the shell server is directly affected by the
 +
* 'Hardware' changes (in the case of a VM)
 +
* Hardware changes (in the case of [[Torchwood]])
 +
 +
If you need to perform a reboot of a shell server, it's usually nice to let others know that you're going to do so.
 +
 +
There are a few ways people do this - some will just use the scheduled reboot functionality in the <code>shutdown</code> command - see <code>man shutdown</code> for more info on how to do that.
 +
 +
Another strategy that some use is to edit <code>/etc/motd</code> to get users attention as they login, advertising a planned reboot.
 +
 +
Also useful here is the <code>wall</code> command, allowing you to send a message to all users currently logged in to the server. (You can see who is currently logged in by running <code>w</code> or <code>who</code>)
 +
 +
Ultimately, it is up to your own judgement on if you *should* reboot a shell server, and if you are going to, how much you let people know in advance.
 +
 +
Oh, one more thing... Remember if you're rebooting a machine from Proxmox over an SSH tunnel, and that tunnel lands on the machine you're rebooting, you will lose connection to proxmox. This is one of the reasons we have two shell servers.
  
 
== SSH Key Fingerprints ==
 
== SSH Key Fingerprints ==
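Review bot: the added unattended-upgrades bullet under Reboots stops mid-sentence at "directly affected by the" and never closes its parenthesis, so the guidance on when that warning actually matters is missing; finish the clause and close the bracket. In the same added section, *should* will not render as emphasis in wiki markup (use ''should''), "users attention" needs an apostrophe, and "proxmox" is capitalised inconsistently with the "Proxmox" earlier in the same sentence.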

Revision as of 15:18, 20 October 2017

Usage Guide

Fez and Torchwood run the primary and secondary shell login service for Tardis, externally accessible via ssh.tardis.ed.ac.uk and ssh1.tardis.ed.ac.uk. To log in to the Tardis systems you will need an SSH client. On Linux/Unix systems, you should be able to run ssh username@ssh.tardis.ed.ac.uk from a command shell. On Windows, you are advised to have a look at PuTTY. Use this to connect to ssh.tardis.ed.ac.uk, giving the supplied username and password.

You can change the password on your new account using passwd from the command line, and you are advised to do so on your first login. You can read your mail on the system using pine, or whatever your preferred mail client is.

For more help in actually getting started using a shell see Tardis Beginner Tutorials.

Shell Server

We run the latest OpenSSH, authenticated against LDAP. The primary shell login host is Fez, which runs Debian Linux (OpenVZ). To log in, run ssh user@ssh.tardis.ed.ac.uk. Please be aware that the new SSH server Fez runs a ban service to mitigate brute-force attacks: 6 failed login attempts will cause a ban, and bans expire after around 20 minutes of inactivity.

Dumping Screen Sessions, Weechat, Irssi, etc.

While fez has a full featured install, Torchwood is intentionally nerfed to dissuade people from dumping sessions there.

Reboots

Sometimes a reboot needs to happen, though most try to keep these as infrequent as possible.

Some reasons (not exhaustive) a reboot may need to occur on a shell server:

  • Critical Security Patches
  • Kernel Updates
  • unattended-upgrades moaning about a reboot being required (this is somewhat frequent, use your own judgement if the shell server is directly affected by the
  • 'Hardware' changes (in the case of a VM)
  • Hardware changes (in the case of Torchwood)

If you need to perform a reboot of a shell server, it's usually nice to let others know that you're going to do so.

There are a few ways people do this. Some will just use the scheduled reboot functionality in the shutdown command; see man shutdown for more info on how to do that.

Another strategy that some use is to edit /etc/motd to get users' attention as they log in, advertising a planned reboot.

Also useful here is the wall command, which sends a message to all users currently logged in to the server. (You can see who is currently logged in by running w or who.)

Ultimately, it is up to your own judgement whether you *should* reboot a shell server and, if you are going to, how much notice you give people in advance.

Oh, one more thing... Remember that if you're rebooting a machine from Proxmox over an SSH tunnel, and that tunnel lands on the machine you're rebooting, you will lose your connection to Proxmox. This is one of the reasons we have two shell servers.

SSH Key Fingerprints

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ssh.tardis.ed.ac.uk SSH host key fingerprints

+---[DSA 1024]----+
| . ++.+.Eo       |     MD5 = 09:77:cf:b2:f4:92:8f:3f:80:5d:4d:3f:5c:6c:c6:78
|  o o=..+        |
|   . oo. =       |    SHA1 = 5c:ea:9f:23:09:b6:41:c9:7a:27:25:c8:65:73:bb:03:29:31:09:9d
|   .. o.o +      |
|   .o+. SO       |  SHA256 = SsFBckLI7Ysn7kW8z6SWdCtSW1QTKO8fGVv+OQJZjBE
|  o.=o+.* .      |
| . =o=oo o . .   |   SSHFP = 2 1 5CEA9F2309B641C97A2725C86573BB032931099D
|  o.==. . . +    |
| ..o..o    . .   |   SSHFP = 2 2 4AC1417242C8ED8B27EE45BCCFA496742B525B541328EF1F195BFE39 02598C11
+----[SHA256]-----+

+---[ECDSA 256]---+
|   .o.o+.+ +o.   |     MD5 = 85:72:6c:c6:02:b5:97:29:ab:7d:50:a2:66:e2:19:83
|   . o..+ =  .   |
|  .   +.o.E . .  |    SHA1 = 76:1f:da:ac:57:22:4a:2d:4a:7c:85:a6:b4:2b:ce:52:a9:a1:af:4c
|   .  .B.. . o   |
|    + .oS . o    |  SHA256 = /FWqFhWByak+WqejSsbmU1EJ4ZUIpD/2R6vUtBB8Tl4
|   o o.=++.+     |
|    =.oo=++      |   SSHFP = 3 1 761FDAAC57224A2D4A7C85A6B42BCE52A9A1AF4C
|   =...oo.       |
|    ooo. .       |   SSHFP = 3 2 FC55AA161581C9A93E5AA7A34AC6E6535109E19508A43FF647ABD4B4 107C4E5E
+----[SHA256]-----+

+---[RSA 2048]----+
|             .o=.|     MD5 = 48:ca:45:2d:93:94:17:07:7c:88:e1:93:ad:ba:76:c1
|            . .o*|
|            .o.*=|    SHA1 = ef:da:27:86:04:63:13:1f:60:5f:17:bd:13:fe:26:f9:9d:e9:b2:7f
|             oO B|
|        S o.++.++|  SHA256 = z5zlP0paA3dwxfz1qFyNM1YDPkX7XtmKWOJO0msjJwc
|        E* Xoo o.|
|        ..X * . .|   SSHFP = 1 1 EFDA27860463131F605F17BD13FE26F99DE9B27F
|        o+== o.  |
|         *+..... |   SSHFP = 1 2 CF9CE53F4A5A037770C5FCF5A85C8D3356033E45FB5ED98A58E24ED2 6B232707
+----[SHA256]-----+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
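
An added example (not part of the Tardis wiki): the SSHFP type-2 records above carry the same SHA-256 digest that the ssh client prints in base64 at first connect, so this converts one form to the other and checks a presented fingerprint against the published values. The PUBLISHED list and the function names are assumptions of this example; the two records are copied from the signed block above.

```python
import base64
import hmac

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, RFC 6594, RFC 7479).
KEY_ALGS = {1: "RSA", 2: "DSA", 3: "ECDSA", 4: "ED25519"}
FP_TYPES = {1: ("SHA1", 20), 2: ("SHA256", 32)}

# Type-2 (SHA-256) SSHFP records copied from the signed block on this page.
PUBLISHED = [
    "2 2 4AC1417242C8ED8B27EE45BCCFA496742B525B541328EF1F195BFE39 02598C11",
    "1 2 CF9CE53F4A5A037770C5FCF5A85C8D3356033E45FB5ED98A58E24ED2 6B232707",
]


def parse_sshfp(rdata):
    """Parse 'alg type hex...' into (key_alg, hash_name, digest_bytes)."""
    fields = rdata.split()
    if len(fields) < 3:
        raise ValueError("SSHFP needs algorithm, type and fingerprint")
    alg, fp_type = int(fields[0]), int(fields[1])
    if alg not in KEY_ALGS or fp_type not in FP_TYPES:
        raise ValueError("unknown SSHFP algorithm or fingerprint type")
    hash_name, size = FP_TYPES[fp_type]
    # Zone-file style output may split the hex into chunks, as on this page.
    digest = bytes.fromhex("".join(fields[2:]))
    if len(digest) != size:
        raise ValueError("digest length does not match %s" % hash_name)
    return KEY_ALGS[alg], hash_name, digest


def openssh_form(rdata):
    """Render an SSHFP record the way the ssh client prints a fingerprint."""
    key_alg, hash_name, digest = parse_sshfp(rdata)
    # OpenSSH prints the digest as base64 with the '=' padding removed.
    b64 = base64.b64encode(digest).decode("ascii").rstrip("=")
    return key_alg, "%s:%s" % (hash_name, b64)


def is_published(key_alg, presented):
    """True if the fingerprint shown by ssh matches a published record."""
    for rdata in PUBLISHED:
        alg, expected = openssh_form(rdata)
        # Match on key type as well as digest; compare in constant time.
        if alg == key_alg and hmac.compare_digest(
                expected.encode(), presented.encode()):
            return True
    return False
```

A fingerprint that matches a record for a different key type is rejected, and a record whose hex has lost characters raises ValueError rather than comparing a short digest.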