Difference between revisions of "Shell Service"

From Tardis
Line 19: Line 19:
 
* Critical Security Patches
 
* Critical Security Patches
 
* Kernel Updates
 
* Kernel Updates
* unattended-upgrades moaning about a reboot being required (this is somewhat frequent, use your own judgement if the shell server is directly affected by the
+
* [[#Unattended Upgrades|unattended-upgrades moaning about a reboot being required]]
 
* 'Hardware' changes (in the case of a VM)
 
* 'Hardware' changes (in the case of a VM)
 
* Hardware changes (in the case of [[Torchwood]])
 
* Hardware changes (in the case of [[Torchwood]])
Line 25: Line 25:
 
If you need to perform a reboot of a shell server, it's usually nice to let others know that you're going to do so.
 
If you need to perform a reboot of a shell server, it's usually nice to let others know that you're going to do so.
  
There are a few ways people do this - some will just use the scheduled reboot functionality in the <code>shutdown</code> command - see <code>man shutdown</code> for more info on how to do that.
+
There are a few ways people do this - some will just use the scheduled reboot functionality in the <code>shutdown HH:MM</code> command (remember, <code>shutdown -r</code> does a reboot) - see <code>man shutdown</code> for more info on how to do that.
  
 
Another strategy that some use is to edit <code>/etc/motd</code> to get users attention as they login, advertising a planned reboot.
 
Another strategy that some use is to edit <code>/etc/motd</code> to get users attention as they login, advertising a planned reboot.
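Review bot: the new example command `shutdown HH:MM` on its own does not reboot, and the `-r` only appears in the parenthetical; since the paragraph is about scheduling a reboot, show `shutdown -r HH:MM` as the command itself so that a reader copying it does not schedule a halt, and it is worth mentioning `shutdown -c` for cancelling a pending scheduled shutdown if the plan changes.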
Line 34: Line 34:
  
 
Oh, one more thing... Remember if you're rebooting a machine from Proxmox over an SSH tunnel, and that tunnel lands on the machine you're rebooting, you will lose connection to proxmox. This is one of the reasons we have two shell servers.
 
Oh, one more thing... Remember if you're rebooting a machine from Proxmox over an SSH tunnel, and that tunnel lands on the machine you're rebooting, you will lose connection to proxmox. This is one of the reasons we have two shell servers.
 +
 +
=== Unattended Upgrades ===
 +
It emails <code>root@tardis</code> daily, and will include <code>[reboot required]</code> in the subject line if it needs the system to be rebooted. It will look a bit like this:
 +
<pre>
 +
Unattended upgrade returned: None
 +
 +
Warning: A reboot is required to complete this upgrade.
 +
 +
Packages that attempted to upgrade:
 +
 +
Packages with upgradable origin but kept back:
 +
db5.1-util
 +
 +
Unattended-upgrades log:
 +
Initial blacklisted packages:
 +
Initial whitelisted packages:
 +
Starting unattended upgrades script
 +
Allowed origins are: ['o=Debian,n=jessie', 'o=Debian,n=jessie-updates', 'o=Debian,n=jessie-proposed-updates', 'o=Debian,n=jessie,l=Debian-Security', 'origin=Debian,codename=jessie,label=Debian-Security']
 +
Packages that will be upgraded:
 +
</pre>
 +
 +
It is up to your own judgement if the package mentioned really needs a reboot, or if it can wait until the next thing to come up that requires a reboot. This will likely be because of a Debian Security advisory, so go check [https://www.debian.org/security/ their site].
  
 
== SSH Key Fingerprints ==
 
== SSH Key Fingerprints ==
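Review bot: in the sample report the "Packages that will be upgraded:" list is empty and db5.1-util was kept back, so nothing in this run requested the reboot; the warning appears to be carried over from an earlier upgrade. The closing advice to judge whether "the package mentioned" really needs a reboot therefore points at the wrong package, and the section should say how to identify the package that set the reboot flag, or at least make clear that the kept-back package is not it.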

Revision as of 15:28, 20 October 2017

Usage Guide

Fez and Torchwood run the primary and secondary shell login service for Tardis, externally accessible via ssh.tardis.ed.ac.uk and ssh1.tardis.ed.ac.uk. In order to log in to the Tardis systems you will need to obtain an SSH client. For those with Linux/Unix systems, you should be able to run ssh username@ssh.tardis.ed.ac.uk from a command shell. For those in Windows, you are advised to have a look at PuTTY. Use this to connect to ssh.tardis.ed.ac.uk, giving the supplied username and password.

You can change the password on your new account using passwd from the command line, and you are advised to do so on your first log in. You can read your mail off the system using pine, or whatever your preferred mail client is.

For more help in actually getting started using a shell see Tardis Beginner Tutorials.

Shell Server

We run the latest OpenSSH, authenticating against LDAP. The primary shell login host is Fez, which runs Debian Linux (OpenVZ). To log in, run ssh user@ssh.tardis.ed.ac.uk. Please be aware that the new SSH server Fez is running a ban service to mitigate brute-force attacks: 6 failed login attempts will cause a ban, and bans will expire after around 20 minutes of inactivity.

Dumping Screen Sessions, Weechat, Irssi, etc.

While fez has a full featured install, Torchwood is intentionally nerfed to dissuade people from dumping sessions there.

Reboots

Sometimes a reboot needs to happen, though most try to keep these as infrequent as possible.

Some reasons (not exhaustive) a reboot may need to occur on a shell server:

* Critical Security Patches
* Kernel Updates
* unattended-upgrades moaning about a reboot being required (see Unattended Upgrades below)
* 'Hardware' changes (in the case of a VM)
* Hardware changes (in the case of Torchwood)

If you need to perform a reboot of a shell server, it's usually nice to let others know that you're going to do so.

There are a few ways people do this - some will just use the scheduled reboot functionality in the shutdown HH:MM command (remember, shutdown -r does a reboot) - see man shutdown for more info on how to do that.

Another strategy that some use is to edit /etc/motd to get users attention as they login, advertising a planned reboot.

Also useful here is the wall command, allowing you to send a message to all users currently logged in to the server. (You can see who is currently logged in by running w or who)

Ultimately, it is up to your own judgement on if you *should* reboot a shell server, and if you are going to, how much you let people know in advance.

Oh, one more thing... Remember if you're rebooting a machine from Proxmox over an SSH tunnel, and that tunnel lands on the machine you're rebooting, you will lose your connection to Proxmox. This is one of the reasons we have two shell servers.

Unattended Upgrades

It emails root@tardis daily, and will include [reboot required] in the subject line if it needs the system to be rebooted. It will look a bit like this:

Unattended upgrade returned: None

Warning: A reboot is required to complete this upgrade.

Packages that attempted to upgrade:

Packages with upgradable origin but kept back:
 db5.1-util

Unattended-upgrades log:
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Debian,n=jessie', 'o=Debian,n=jessie-updates', 'o=Debian,n=jessie-proposed-updates', 'o=Debian,n=jessie,l=Debian-Security', 'origin=Debian,codename=jessie,label=Debian-Security']
Packages that will be upgraded:

It is up to your own judgement if the package mentioned really needs a reboot, or if it can wait until the next thing to come up that requires a reboot. This will likely be because of a Debian Security advisory, so go check their site (https://www.debian.org/security/).
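Reading the report and preparing the announcement that the Reboots section describes, as an added example that is not part of the wiki page, of unattended-upgrades or of any Tardis tooling. It parses the sample mail quoted above (the subject line, the host name `fez`, the motd tag and all function names are constructed here) and produces, without executing anything, the `/etc/motd` line, the `wall` broadcast and the `shutdown -r HH:MM` command; the motd helper replaces an earlier tagged notice instead of stacking a second one.

```python
"""Act on an unattended-upgrades report mail: read the [reboot required]
flag and the package lists, then prepare the reboot announcement
(motd line, wall broadcast, scheduled shutdown -r HH:MM).

Added example; not part of unattended-upgrades or the Tardis tooling.
The report body is the sample quoted on the wiki page; the subject line,
host name, motd tag and function names are constructed for this example.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_SUBJECT = "unattended-upgrades result for fez: [reboot required]"  # constructed
SAMPLE_REPORT = """\
Unattended upgrade returned: None

Warning: A reboot is required to complete this upgrade.

Packages that attempted to upgrade:

Packages with upgradable origin but kept back:
 db5.1-util

Unattended-upgrades log:
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Debian,n=jessie', 'o=Debian,n=jessie-updates', 'o=Debian,n=jessie-proposed-updates', 'o=Debian,n=jessie,l=Debian-Security', 'origin=Debian,codename=jessie,label=Debian-Security']
Packages that will be upgraded:
"""

# Report section headers; each is followed by zero or more indented package names.
_SECTIONS = (
    "Packages that attempted to upgrade:",
    "Packages with upgradable origin but kept back:",
    "Packages that will be upgraded:",
)
MOTD_TAG = "[planned reboot]"  # constructed marker so a stale notice can be replaced


@dataclass
class UpgradeReport:
    reboot_required: bool
    attempted: List[str] = field(default_factory=list)
    kept_back: List[str] = field(default_factory=list)
    upgraded: List[str] = field(default_factory=list)


def parse_report(subject: str, body: str) -> UpgradeReport:
    """Extract the reboot flag (subject tag or body warning) and the package lists."""
    reboot = "[reboot required]" in subject.lower() or "a reboot is required" in body.lower()
    lists: Dict[str, List[str]] = {h: [] for h in _SECTIONS}
    current = None
    for line in body.splitlines():
        if line.strip() in lists:
            current = line.strip()
            continue
        if current is not None:
            # Package entries are indented; any other line ends the current list.
            if line.startswith((" ", "\t")) and line.strip():
                lists[current].append(line.strip())
            else:
                current = None
    return UpgradeReport(reboot, lists[_SECTIONS[0]], lists[_SECTIONS[1]], lists[_SECTIONS[2]])


def updated_motd(existing: str, notice: str) -> str:
    """Drop any earlier tagged reboot notice from the motd text, then append the new one."""
    kept = [l for l in existing.splitlines() if MOTD_TAG not in l]
    kept.append(f"{MOTD_TAG} {notice}")
    return "\n".join(kept) + "\n"


def plan_reboot(report: UpgradeReport, when: str, host: str) -> dict:
    """Return the notice text and the argv lists to run; nothing is executed here."""
    if not report.reboot_required:
        return {"needed": False, "notice": None, "commands": []}
    if not re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", when):
        raise ValueError(f"expected HH:MM, got {when!r}")
    notice = f"{host} will reboot at {when} to finish pending updates; save your work."
    # wall reaches users logged in now; the motd line catches those logging in later.
    return {"needed": True, "notice": notice,
            "commands": [["wall", notice], ["shutdown", "-r", when, notice]]}


if __name__ == "__main__":
    report = parse_report(SAMPLE_SUBJECT, SAMPLE_REPORT)
    print(report)
    plan = plan_reboot(report, "03:00", "fez")
    print(updated_motd("Welcome to fez\n[planned reboot] stale notice\n", plan["notice"]))
    for argv in plan["commands"]:
        print("would run:", " ".join(shlex.quote(a) for a in argv))
```

Running it prints the parsed report, the rewritten motd text and the two commands; wiring the argv lists into `subprocess.run` and writing the motd text back to `/etc/motd` is the only step left to the operator.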

SSH Key Fingerprints

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

ssh.tardis.ed.ac.uk SSH host key fingerprints

+---[DSA 1024]----+
| . ++.+.Eo       |     MD5 = 09:77:cf:b2:f4:92:8f:3f:80:5d:4d:3f:5c:6c:c6:78
|  o o=..+        |
|   . oo. =       |    SHA1 = 5c:ea:9f:23:09:b6:41:c9:7a:27:25:c8:65:73:bb:03:29:31:09:9d
|   .. o.o +      |
|   .o+. SO       |  SHA256 = SsFBckLI7Ysn7kW8z6SWdCtSW1QTKO8fGVv+OQJZjBE
|  o.=o+.* .      |
| . =o=oo o . .   |   SSHFP = 2 1 5CEA9F2309B641C97A2725C86573BB032931099D
|  o.==. . . +    |
| ..o..o    . .   |   SSHFP = 2 2 4AC1417242C8ED8B27EE45BCCFA496742B525B541328EF1F195BFE39 02598C11
+----[SHA256]-----+

+---[ECDSA 256]---+
|   .o.o+.+ +o.   |     MD5 = 85:72:6c:c6:02:b5:97:29:ab:7d:50:a2:66:e2:19:83
|   . o..+ =  .   |
|  .   +.o.E . .  |    SHA1 = 76:1f:da:ac:57:22:4a:2d:4a:7c:85:a6:b4:2b:ce:52:a9:a1:af:4c
|   .  .B.. . o   |
|    + .oS . o    |  SHA256 = /FWqFhWByak+WqejSsbmU1EJ4ZUIpD/2R6vUtBB8Tl4
|   o o.=++.+     |
|    =.oo=++      |   SSHFP = 3 1 761FDAAC57224A2D4A7C85A6B42BCE52A9A1AF4C
|   =...oo.       |
|    ooo. .       |   SSHFP = 3 2 FC55AA161581C9A93E5AA7A34AC6E6535109E19508A43FF647ABD4B4 107C4E5E
+----[SHA256]-----+

+---[RSA 2048]----+
|             .o=.|     MD5 = 48:ca:45:2d:93:94:17:07:7c:88:e1:93:ad:ba:76:c1
|            . .o*|
|            .o.*=|    SHA1 = ef:da:27:86:04:63:13:1f:60:5f:17:bd:13:fe:26:f9:9d:e9:b2:7f
|             oO B|
|        S o.++.++|  SHA256 = z5zlP0paA3dwxfz1qFyNM1YDPkX7XtmKWOJO0msjJwc
|        E* Xoo o.|
|        ..X * . .|   SSHFP = 1 1 EFDA27860463131F605F17BD13FE26F99DE9B27F
|        o+== o.  |
|         *+..... |   SSHFP = 1 2 CF9CE53F4A5A037770C5FCF5A85C8D3356033E45FB5ED98A58E24ED2 6B232707
+----[SHA256]-----+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
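Computing and checking the fingerprint forms listed above, as an added example that is not from the page or from OpenSSH. It takes an OpenSSH public-key line (the one embedded below is a constructed dummy ssh-ed25519 blob, valid wire framing around bytes that are not a real key, so the script runs offline; in practice you would pass the line printed by `ssh-keyscan ssh.tardis.ed.ac.uk` or a line from `~/.ssh/known_hosts`) and derives the MD5 colon-hex, SHA256 base64 and SSHFP values in the layout the signed message uses, then compares a key against a published fingerprint. The function names and the `matches_published` helper are this example's own.

```python
"""Derive the fingerprint forms shown in the signed message (MD5 colon-hex,
SHA256 base64, SSHFP SHA-1/SHA-256 records) from an OpenSSH public-key line
and compare a key you were presented with against a published fingerprint.

Added example; not part of the page or of OpenSSH. The key line below is a
constructed dummy (correct SSH wire framing, not a real key).
"""
import base64
import hashlib
import hmac
import struct
from typing import List, Tuple

# SSHFP algorithm numbers (RFC 4255 / 6594 / 7479): RSA=1, DSA=2, ECDSA=3, Ed25519=4.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_FPTYPE = {"sha1": 1, "sha256": 2}


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed dummy key: proper framing, but the 32 "key" bytes are just 0..31.
_DUMMY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
CONSTRUCTED_KEY_LINE = "ssh-ed25519 " + base64.b64encode(_DUMMY_BLOB).decode() + " dummy@example"


def key_blob(pubkey_line: str) -> Tuple[str, bytes]:
    """Return (key type, raw blob) from '<type> <base64> [comment]'; reject inconsistent input."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    # The first wire string inside the blob must repeat the declared key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type field does not match the blob")
    return parts[0], blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form (ssh-keygen -l -E md5): colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Modern form (ssh-keygen -l): base64 of SHA-256 with the '=' padding removed."""
    return base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def sshfp_records(pubkey_line: str) -> List[str]:
    """SSHFP RDATA for a key: '<algo> 1 <SHA-1 hex>' and '<algo> 2 <SHA-256 hex>'."""
    ktype, blob = key_blob(pubkey_line)
    algo = SSHFP_ALGORITHM[ktype]
    return [f"{algo} {SSHFP_FPTYPE['sha1']} {hashlib.sha1(blob).hexdigest().upper()}",
            f"{algo} {SSHFP_FPTYPE['sha256']} {hashlib.sha256(blob).hexdigest().upper()}"]


def matches_published(pubkey_line: str, published: str) -> bool:
    """True if the key's fingerprint equals a published MD5 (colon hex) or SHA256 (base64) value."""
    _, blob = key_blob(pubkey_line)
    published = published.strip()
    if published.startswith("SHA256:"):
        published = published[len("SHA256:"):]
    if ":" in published:  # colon-separated hex means the MD5 form
        candidate = fingerprint_md5(blob)
        published = published.lower()
    else:
        candidate = fingerprint_sha256(blob)
    # Constant-time comparison; a length mismatch simply yields False.
    return hmac.compare_digest(candidate.encode(), published.rstrip("=").encode())


if __name__ == "__main__":
    ktype, blob = key_blob(CONSTRUCTED_KEY_LINE)
    print(ktype, "MD5:" + fingerprint_md5(blob), "SHA256:" + fingerprint_sha256(blob))
    for rdata in sshfp_records(CONSTRUCTED_KEY_LINE):
        print("IN SSHFP", rdata)
    print(matches_published(CONSTRUCTED_KEY_LINE, "SHA256:" + fingerprint_sha256(blob)))
```

The host-key check on first connection is the moment that matters: compare the SHA256 value ssh prints against the signed list above before answering yes, and treat a fingerprint that does not match any published one, or a later "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, as a reason to stop and ask rather than to accept.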