Shell Service

Revision as of 14:28, 20 October 2017 by Skull (talk | contribs)

Usage Guide

Fez and Torchwood run the primary and secondary shell login service for Tardis, externally accessible via and In order to log in to the Tardis systems you will need to obtain an SSH client. For those with Linux/Unix systems, you should be able to run ssh from a command shell. For those on Windows, you are advised to have a look at PuTTY. Use this to connect to, giving the supplied username and password.

You can change the password on your new account using passwd from the command line, and you are advised to do so on your first login. You can read your mail off the system using pine, or whatever your preferred mail client is.

For more help in actually getting started using a shell see Tardis Beginner Tutorials.

Shell Server

We run the latest OpenSSH, authenticated against LDAP. The primary shell login host is Fez, which runs Debian Linux (OpenVZ). To log in ssh Please be aware that the new SSH server Fez is running a ban service to mitigate brute-force attacks: 6 failed attempts at login will cause a ban, and bans will expire after around 20 minutes of inactivity.

Dumping Screen Sessions, Weechat, Irssi, etc.

While Fez has a full-featured install, Torchwood is intentionally nerfed to dissuade people from dumping sessions there.


Sometimes a reboot needs to happen, though most try to keep these as infrequent as possible.

Some reasons (not exhaustive) a reboot may need to occur on a shell server:

If you need to perform a reboot of a shell server, it's usually nice to let others know that you're going to do so.

There are a few ways people do this - some will just use the scheduled reboot functionality in the shutdown HH:MM command (remember, shutdown -r does a reboot) - see man shutdown for more info on how to do that.

Another strategy that some use is to edit /etc/motd to get users' attention as they log in, advertising a planned reboot.

Also useful here is the wall command, allowing you to send a message to all users currently logged in to the server. (You can see who is currently logged in by running w or who)

Ultimately, it is up to your own judgement whether you *should* reboot a shell server, and if you are going to, how much you let people know in advance.

Oh, one more thing... Remember if you're rebooting a machine from Proxmox over an SSH tunnel, and that tunnel lands on the machine you're rebooting, you will lose connection to Proxmox. This is one of the reasons we have two shell servers.

Unattended Upgrades

It emails root@tardis daily, and will include [reboot required] in the subject line if it needs the system to be rebooted. It will look a bit like this:

Unattended upgrade returned: None

Warning: A reboot is required to complete this upgrade.

Packages that attempted to upgrade:

Packages with upgradable origin but kept back:

Unattended-upgrades log:
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Debian,n=jessie', 'o=Debian,n=jessie-updates', 'o=Debian,n=jessie-proposed-updates', 'o=Debian,n=jessie,l=Debian-Security', 'origin=Debian,codename=jessie,label=Debian-Security']
Packages that will be upgraded:

It is up to your own judgement if the package mentioned really needs a reboot, or if it can wait until the next thing to come up that requires a reboot. This will likely be because of a Debian Security advisory, so go check their site.

SSH Key Fingerprints

SSH host key fingerprints

+---[DSA 1024]----+
| . ++.+.Eo       |     MD5 = 09:77:cf:b2:f4:92:8f:3f:80:5d:4d:3f:5c:6c:c6:78
|  o o=..+        |
|   . oo. =       |    SHA1 = 5c:ea:9f:23:09:b6:41:c9:7a:27:25:c8:65:73:bb:03:29:31:09:9d
|   .. o.o +      |
|   .o+. SO       |  SHA256 = SsFBckLI7Ysn7kW8z6SWdCtSW1QTKO8fGVv+OQJZjBE
|  o.=o+.* .      |
| . =o=oo o . .   |   SSHFP = 2 1 5CEA9F2309B641C97A2725C86573BB032931099D
|  o.==. . . +    |
| ..o..o    . .   |   SSHFP = 2 2 4AC1417242C8ED8B27EE45BCCFA496742B525B541328EF1F195BFE39 02598C11

+---[ECDSA 256]---+
|   .o.o+.+ +o.   |     MD5 = 85:72:6c:c6:02:b5:97:29:ab:7d:50:a2:66:e2:19:83
|   . o..+ =  .   |
|  .   +.o.E . .  |    SHA1 = 76:1f:da:ac:57:22:4a:2d:4a:7c:85:a6:b4:2b:ce:52:a9:a1:af:4c
|   .  .B.. . o   |
|    + .oS . o    |  SHA256 = /FWqFhWByak+WqejSsbmU1EJ4ZUIpD/2R6vUtBB8Tl4
|   o o.=++.+     |
|    =.oo=++      |   SSHFP = 3 1 761FDAAC57224A2D4A7C85A6B42BCE52A9A1AF4C
|   =...oo.       |
|    ooo. .       |   SSHFP = 3 2 FC55AA161581C9A93E5AA7A34AC6E6535109E19508A43FF647ABD4B4 107C4E5E

+---[RSA 2048]----+
|             .o=.|     MD5 = 48:ca:45:2d:93:94:17:07:7c:88:e1:93:ad:ba:76:c1
|            . .o*|
|            .o.*=|    SHA1 = ef:da:27:86:04:63:13:1f:60:5f:17:bd:13:fe:26:f9:9d:e9:b2:7f
|             oO B|
|        S o.++.++|  SHA256 = z5zlP0paA3dwxfz1qFyNM1YDPkX7XtmKWOJO0msjJwc
|        E* Xoo o.|
|        ..X * . .|   SSHFP = 1 1 EFDA27860463131F605F17BD13FE26F99DE9B27F
|        o+== o.  |
|         *+..... |   SSHFP = 1 2 CF9CE53F4A5A037770C5FCF5A85C8D3356033E45FB5ED98A58E24ED2 6B232707

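One way to check the fingerprint your SSH client displays against the table above, and to confirm that the table's SSHFP records agree with its displayed digests (an added example, not part of the original wiki page). The function names are hypothetical; the RSA and ECDSA values are copied from the table, and the SSHFP numbering follows RFC 4255 and RFC 6594.

```python
import base64
import hmac

# RSA and ECDSA rows copied from the fingerprint table on this page.
PUBLISHED = {
    "RSA": {
        "sha1": "ef:da:27:86:04:63:13:1f:60:5f:17:bd:13:fe:26:f9:9d:e9:b2:7f",
        "sha256": "z5zlP0paA3dwxfz1qFyNM1YDPkX7XtmKWOJO0msjJwc",
        "sshfp": ["1 1 EFDA27860463131F605F17BD13FE26F99DE9B27F",
                  "1 2 CF9CE53F4A5A037770C5FCF5A85C8D3356033E45FB5ED98A58E24ED2 6B232707"],
    },
    "ECDSA": {
        "sha1": "76:1f:da:ac:57:22:4a:2d:4a:7c:85:a6:b4:2b:ce:52:a9:a1:af:4c",
        "sha256": "/FWqFhWByak+WqejSsbmU1EJ4ZUIpD/2R6vUtBB8Tl4",
        "sshfp": ["3 1 761FDAAC57224A2D4A7C85A6B42BCE52A9A1AF4C",
                  "3 2 FC55AA161581C9A93E5AA7A34AC6E6535109E19508A43FF647ABD4B4 107C4E5E"],
    },
}
SSHFP_ALG = {"RSA": 1, "DSA": 2, "ECDSA": 3}  # key algorithm numbers (RFC 4255, RFC 6594)
SSHFP_HASH = {1: "sha1", 2: "sha256"}         # fingerprint type numbers

def to_bytes(shown):
    """Decode colon-hex or unpadded base64, with or without an 'SHA256:'-style prefix."""
    for prefix in ("SHA256:", "SHA1:", "MD5:"):
        if shown.startswith(prefix):
            shown = shown[len(prefix):]
    if ":" in shown:
        return bytes.fromhex(shown.replace(":", ""))
    return base64.b64decode(shown + "=" * (-len(shown) % 4))

def table_errors(published=PUBLISHED):
    """List every SSHFP record that disagrees with the displayed digest for that key."""
    errors = []
    for key_type, row in published.items():
        for record in row["sshfp"]:
            alg, fp_type, hexdigest = record.split(None, 2)
            if int(alg) != SSHFP_ALG[key_type]:
                errors.append(f"{key_type}: unexpected SSHFP algorithm {alg}")
            if bytes.fromhex(hexdigest.replace(" ", "")) != to_bytes(row[SSHFP_HASH[int(fp_type)]]):
                errors.append(f"{key_type}: SSHFP type {fp_type} digest differs")
    return errors

def matches_published(key_type, shown, published=PUBLISHED):
    """True only if the fingerprint the client displayed equals the published one."""
    seen = to_bytes(shown.strip())
    field = {20: "sha1", 32: "sha256"}.get(len(seen))  # MD5 (16 bytes) is not accepted
    return field is not None and hmac.compare_digest(seen, to_bytes(published[key_type][field]))
```

Pass `matches_published` the string from the client's first-connection prompt, for example the `SHA256:...` value OpenSSH prints, and accept the host key only when it returns True.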