Ticket #901 (new maintenance)
Enable SSH access to PuffinServer for Ade
| Reported by: | chris | Owned by: | chris |
|---|---|---|---|
| Priority: | major | Milestone: | Maintenance |
| Component: | Live server | Keywords: | |
| Cc: | ade | Estimated Number of Hours: | 0.0 |
| Add Hours to Ticket: | 0 | Billable?: | yes |
| Total Hours: | 0.95 | | |
Description
This is a ticket to track the time spent sorting out SSH access for Ade to PuffinServer.
Change History
comment:1 Changed 10 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.45
- Total Hours changed from 0.0 to 0.45
comment:2 Changed 10 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.45 to 0.55
Ade, I see you got in OK:
```
tail -f /var/log/auth.log | grep ade
Feb 3 14:22:13 puffin sshd[26032]: Accepted publickey for ade from XXX.XXX.XXX.XXX port 59842 ssh2
Feb 3 14:22:13 puffin sshd[26032]: pam_unix(sshd:session): session opened for user ade by (uid=0)
Feb 3 14:22:58 puffin sudo: ade : TTY=pts/3 ; PWD=/home/ade ; USER=root ; COMMAND=/bin/bash
Feb 3 14:22:58 puffin sudo: pam_unix(sudo:session): session opened for user root by ade(uid=0)
Feb 3 14:26:48 puffin sshd[28029]: Accepted publickey for ade from XXX.XXX.XXX.XXX port 59860 ssh2
Feb 3 14:26:48 puffin sshd[28029]: pam_unix(sshd:session): session opened for user ade by (uid=0)
Feb 3 14:26:48 puffin sshd[28037]: subsystem request for sftp by user ade
```
I don't know how much joy you will have with SFTP as user ade, best use user tn.ftp for SFTP, I have added your public key to that account:
```
cat /home/ade/.ssh/authorized_keys >> /home/tn.ftp/.ssh/authorized_keys
```
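The auth.log excerpt above carries the three events a defender wants per user: key-based logins, sudo to root, and SFTP subsystem requests. The following Python is an added example, not part of the ticket or of any tooling on the server; it parses constructed sample lines modelled on that excerpt (placeholder IPs, plus one constructed failed-password line) and flags logins that are not key-based, come from an address outside an expected list, or failed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the auth.log lines in comment:2.
# IPs are documentation-range placeholders; the last line is invented to
# give the alert logic something to find.
SAMPLE_LOG = """\
Feb  3 14:22:13 puffin sshd[26032]: Accepted publickey for ade from 198.51.100.7 port 59842 ssh2
Feb  3 14:22:13 puffin sshd[26032]: pam_unix(sshd:session): session opened for user ade by (uid=0)
Feb  3 14:22:58 puffin sudo:      ade : TTY=pts/3 ; PWD=/home/ade ; USER=root ; COMMAND=/bin/bash
Feb  3 14:22:58 puffin sudo: pam_unix(sudo:session): session opened for user root by ade(uid=0)
Feb  3 14:26:48 puffin sshd[28029]: Accepted publickey for ade from 198.51.100.7 port 59860 ssh2
Feb  3 14:26:48 puffin sshd[28029]: pam_unix(sshd:session): session opened for user ade by (uid=0)
Feb  3 14:26:48 puffin sshd[28037]: subsystem request for sftp by user ade
Feb  3 14:30:02 puffin sshd[28101]: Failed password for root from 203.0.113.9 port 41022 ssh2
"""

# syslog prefix: "Mon DD HH:MM:SS host "
PREFIX = r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "

PATTERNS = {
    "accepted": re.compile(PREFIX + r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for "
                           r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "failed": re.compile(PREFIX + r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\S+) for "
                         r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "sftp": re.compile(PREFIX + r"sshd\[(?P<pid>\d+)\]: subsystem request for sftp by user (?P<user>\S+)"),
    "sudo": re.compile(PREFIX + r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
                       r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"),
}


def parse_line(line):
    """Return a dict for a line we care about, None for pam_unix session noise etc."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            return event
    return None


def parse_auth_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Per-user counts: successful logins, failures, sftp sessions, sudo-to-root."""
    summary = defaultdict(lambda: {"logins": 0, "failed": 0, "sftp": 0, "sudo_root": 0})
    for e in events:
        row = summary[e["user"]]
        if e["kind"] == "accepted":
            row["logins"] += 1
        elif e["kind"] == "failed":
            row["failed"] += 1
        elif e["kind"] == "sftp":
            row["sftp"] += 1
        elif e["kind"] == "sudo" and e["target"] == "root":
            row["sudo_root"] += 1
    return dict(summary)


def find_alerts(events, allowed_ips):
    """Things worth a second look on a key-only host: non-key auth, logins from
    an address not in allowed_ips, and any failed attempt."""
    alerts = []
    for e in events:
        if e["kind"] == "accepted":
            if e["method"] != "publickey":
                alerts.append(f"{e['ts']} non-key auth ({e['method']}) for {e['user']} from {e['ip']}")
            if e["ip"] not in allowed_ips:
                alerts.append(f"{e['ts']} login for {e['user']} from unexpected IP {e['ip']}")
        elif e["kind"] == "failed":
            alerts.append(f"{e['ts']} failed {e['method']} for {e['user']} from {e['ip']}")
    return alerts


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    print(summarize(evs))
    print("\n".join(find_alerts(evs, {"198.51.100.7"})))
```

Run against a real file with `parse_auth_log(open("/var/log/auth.log").read())`; the allow-list is the set of addresses you expect a named account to come from, so a login from anywhere else is reported even though the key was valid.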
comment:3 Changed 10 months ago by ade
Hi Chris,
many thanks for that, am in and have been let loose.
However, on logging in via SFTP using the key I get in, but only have access to the .ssh key folder?
I don't want to start playing with folder settings via SSH, so could I request that you do this for me so that I can gain SFTP access to the /data/disk/tn/platforms/transitionnetwork.org/ folder?
many thanks
Ade
On 3 February 2016 at 13:50, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
> Reporter: chris | Owner: chris
> Type: maintenance | Status: new
> Priority: major | Milestone:
> Component: Live server | Maintenance
> Keywords: | Resolution:
> Add Hours to Ticket: 0.45 | Estimated Number of Hours: 0.0
> Total Hours: 0 | Billable?: 1
> -------------------------------------+-------------------------------------
> Changes (by chris):
>
> * hours: 0.0 => 0.45
> * totalhours: 0.0 => 0.45
>
>
> Comment:
>
> Following the steps taken [ticket:682#comment:1 for Paul]:
>
> {{{
> sudo -i
> adduser ade --add_extra_groups sudo
> }}}
>
> Following [https://unix.stackexchange.com/a/84122 this to convert SSH2 to
> OpenSSH]:
>
> {{{
> cd /home/ade/
> mkdir .ssh
> chown ade:ade .ssh/
> chmod 700 .ssh/
> vi ssh2.pub
> ssh-keygen -i -f ssh2.pub > /home/ade/.ssh/authorized_keys
> chown ade:ade /home/ade/.ssh/authorized_keys
> chmod 600 /home/ade/.ssh/authorized_keys
> }}}
>
> Ade: You should now be able to connect using these details:
>
> * '''Server:''' puffin.transitionnetwork.org
> * '''User:''' ade
> * '''Port:''' 22
>
> Once you are in you need to type:
>
> {{{
> sudo -i
> }}}
>
> This will make you the `root` user, you need to do this as BOA has wrecked
> the ability of non-root users to do anything.
>
> To get to the root of the website and list the files / directories:
>
> {{{
> cd /data/disk/tn/platforms/transitionnetwork.org/
> ls -lah
> }}}
>
> To login to MySQL to see the database:
>
> {{{
> mysql transitionnetw_0
> }}}
>
> Once you have done that you can use the usual MySQL commands, eg:
>
> {{{
> MariaDB [transitionnetw_0]> SHOW tables;
>
> MariaDB [transitionnetw_0]> DESCRIBE content_field_initiative;
> }}}
>
> If you want a dump of the whole database you might as well take the last
> backup copy (to save dumping a new copy, the backup is created at 1am each
> day), this is `/var/backups/mysql/sqldump/transitionnetw_0.sql`
>
> If you need further help feel free to ask and please don't break anything
> :-)
>
> PS I hope you used a passphrase to protect your ssh key pair when you
> generated it.
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:1>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675
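The provisioning steps quoted above (ssh-keygen -i to convert an SSH2/RFC 4716 public key, then 700 on .ssh and 600 on authorized_keys) can be checked offline. This added Python example is not the ticket's or the server's code: it implements the RFC 4716 to OpenSSH conversion that `ssh-keygen -i` performs, installs the result into a throwaway home directory with the same modes, and reports anything looser than that. The key blob is a constructed toy (tiny modulus, not a usable key), the `ade@laptop` comment is invented, and the `chown ade:ade` step from the ticket is left out because it needs root.

```python
import base64
import os
import stat
import struct
import tempfile


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    """SSH wire-format mpint: big-endian magnitude, 0x00 prefix if the top bit is set."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def make_toy_rsa_blob():
    """Constructed ssh-rsa public-key blob: structurally valid, cryptographically
    worthless (hypothetical 301-bit modulus), only so the converter has input."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 300) + 12345)


def rfc4716_wrap(blob, comment):
    """Emit the RFC 4716 ('SSH2') text form that PuTTYgen-style tools export."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            f'Comment: "{comment}"\n'
            f"{body}\n"
            "---- END SSH2 PUBLIC KEY ----\n")


def rfc4716_to_openssh(text):
    """What `ssh-keygen -i -f key.pub` does: one '<type> <base64> <comment>' line."""
    lines = [l.rstrip() for l in text.strip().splitlines()]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key")
    headers, i = {}, 1
    # Header lines are 'Tag: value'; a trailing backslash continues on the next line.
    # Base64 never contains ':', so a body line cannot be mistaken for a header.
    while i < len(lines) - 1 and ":" in lines[i]:
        tag, value = lines[i].split(":", 1)
        value = value.strip()
        while value.endswith("\\") and i < len(lines) - 2:
            i += 1
            value = value[:-1] + lines[i].strip()
        headers[tag.strip().lower()] = value
        i += 1
    blob = base64.b64decode("".join(l.strip() for l in lines[i:-1]), validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + type_len].decode("ascii")
    if not key_type.startswith(("ssh-", "ecdsa-")):
        raise ValueError(f"unexpected key type {key_type!r}")
    comment = headers.get("comment", "").strip('"')
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


def install_authorized_key(home, key_line):
    """Append to ~/.ssh/authorized_keys with the ticket's modes (700 dir, 600 file)."""
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "a", encoding="ascii") as f:
        f.write(key_line + "\n")
    os.chmod(path, 0o600)
    return path


def check_key_perms(home):
    """Report anything looser than 700/600. (sshd's StrictModes only rejects
    group/world-writable entries; the tighter modes are the usual practice.)"""
    problems = []
    for rel, label in ((".ssh", ".ssh"), (os.path.join(".ssh", "authorized_keys"), "authorized_keys")):
        mode = stat.S_IMODE(os.stat(os.path.join(home, rel)).st_mode)
        if mode & 0o077:
            problems.append(f"{label} is group/world accessible (mode {mode:04o})")
    return problems


def demo():
    """End-to-end run in a temporary directory standing in for /home/ade."""
    home = tempfile.mkdtemp()
    line = rfc4716_to_openssh(rfc4716_wrap(make_toy_rsa_blob(), "ade@laptop"))
    install_authorized_key(home, line)
    clean = check_key_perms(home)
    os.chmod(os.path.join(home, ".ssh", "authorized_keys"), 0o644)  # deliberately loosen
    return {"key_line": line, "clean": clean, "after_loosening": check_key_perms(home)}


if __name__ == "__main__":
    print(demo())
```

The converter re-encodes the decoded blob rather than joining the wrapped base64 lines, which is also what makes it reject a key file whose body has been corrupted in transit.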
comment:4 Changed 10 months ago by chris
Ade, our email just crossed, see ticket:901#comment:2 -- if you use tn.ftp as the username you should find SFTP is working OK, it doesn't work for the user ade due to BOA, intentionally, basically wrecking all non-root accounts as a security "feature"...
comment:5 Changed 10 months ago by ade
many thanks for that Chris,
Tried using tn.ftp account and get an error saying 'Received unexpected end-of-file from SFTP server'
any thoughts?
On 3 February 2016 at 14:38, Transition Technology Trac <trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
> Reporter: chris | Owner: chris
> Type: maintenance | Status: new
> Priority: major | Milestone:
> Component: Live server | Maintenance
> Keywords: | Resolution:
> Add Hours to Ticket: 0 | Estimated Number of Hours: 0.0
> Total Hours: 0.55 | Billable?: 1
> -------------------------------------+-------------------------------------
>
> Comment (by chris):
>
> Ade, our email just crossed, see ticket:901#comment:2 -- if you use
> `tn.ftp` as the username you should find SFTP is working OK, it doesn't
> work for the user `ade` due to BOA, intentionally, basically wrecking all
> non-root accounts as a security "feature"...
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:4>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675
comment:6 follow-up: ↓ 8 Changed 10 months ago by ade
Hi Chris,
Appears if I try to log in via ssh using the tn.ftp user, it has an aged password and is asking me to reset. Think you may want to do this and keep a note of it.
A
On 3 February 2016 at 14:40, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
> Reporter: chris | Owner: chris
> Type: maintenance | Status: new
> Priority: major | Milestone:
> Component: Live server | Maintenance
> Keywords: | Resolution:
> Add Hours to Ticket: 0 | Estimated Number of Hours: 0.0
> Total Hours: 0.55 | Billable?: 1
> -------------------------------------+-------------------------------------
>
> Comment (by ade):
>
> {{{
> many thanks for that Chris,
> Tried using tn.ftp account and get an error saying 'Received unexpected
> end-of-file from SFTP server'
>
> any thoughts?
>
> On 3 February 2016 at 14:38, Transition Technology Trac <
> trac@tech.transitionnetwork.org> wrote:
>
> > #901: Enable SSH access to PuffinServer for Ade
> >
>
> -------------------------------------+-------------------------------------
> > Reporter: chris | Owner:
> chris
> > Type: maintenance | Status: new
> > Priority: major | Milestone:
> > Component: Live server | Maintenance
> > Keywords: | Resolution:
> > Add Hours to Ticket: 0 | Estimated Number of Hours: 0.0
> > Total Hours: 0.55 | Billable?: 1
> >
>
> -------------------------------------+-------------------------------------
> >
> > Comment (by chris):
> >
> > Ade, our email just crossed, see ticket:901#comment:2 -- if you use
> > `tn.ftp` as the username you should find SFTP is working OK, it doesn't
> > work for the user `ade` due to BOA, intentionally, basically wrecking
> all
> > non-root accounts as a security "feature"...
> >
> > --
> > Ticket URL:
> <https://tech.transitionnetwork.org/trac/ticket/901#comment:4>
> > Transition Technology <https://tech.transitionnetwork.org/trac>
> > Support and issues tracking for the Transition Network Web Project.
> >
>
>
>
> --
> Ade Stuart
> Web Manager - Transition network
>
> 07595 331877
>
> The Transition Network is a registered charity
> address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
> website: www.transitionnetwork.org
> TN company no: 6135675 TN charity no: 1128675
>
> }}}
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:5>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675
comment:7 Changed 10 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.1
- Total Hours changed from 0.55 to 0.65
It doesn't work for me either, looks like it might be due to the shell:
```
grep tn.ftp /etc/passwd
tn.ftp:x:999:100::/home/tn.ftp:/usr/bin/mysecureshell
```
```
su - tn.ftp
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required
(Ignored)
======== Welcome to the Aegir, Drush and Compass Shell ========
Type '?' or 'help' to get the list of allowed commands
Note that not all Drush commands are available
Use RVM and Bundler to manage all your Compass gems! Example:
`rvm all do gem install --conservative compass`
To install RVM use control file and re-login after 15 minutes
`touch ~/static/control/compass.info`
```
So, I have reset it and now SFTP works for me.
```
passwd tn.ftp
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
```
From work:
```
sftp tn.ftp@puffin.transitionnetwork.org
Host key fingerprint is 92:19:87:53:08:38:d9:de:c3:a1:d3:97:75:bf:83:2c
+---[RSA 2048]----+
|  +.. ..         |
| + . oo . .      |
|  o =+..o . .    |
|   + =*o .       |
|   .+oS . . .    |
|    . E o o      |
|     . .         |
|                 |
|                 |
+-----------------+
Connected to puffin.transitionnetwork.org.
sftp> ls
backups  clients  platforms  static  users
sftp>
```
SSHFS also works:
```
mkdir puffin
sshfs tn.ftp@puffin.transitionnetwork.org: puffin/
ls puffin/
backups  clients  platforms  static  users
```
Try again?
comment:8 in reply to: ↑ 6 Changed 10 months ago by chris
Replying to ade:
> Appears if I try to login via ssh using the tn.ftp user, its has an aged password and is asking me to reset. Think you may want to do this and keep a note of it.
Yes that was the issue, our emails crossed again, I have set it to a random one, no need to keep it since we are using keys and we can reset it as the root user at any time as needs be.
comment:9 Changed 10 months ago by ade
awesome, many thanks for this Chris.
Will let you know or contact paul if all is not obvious.
cheers again
A
On 3 February 2016 at 15:00, Transition Technology Trac <trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
> Reporter: chris | Owner: chris
> Type: maintenance | Status: new
> Priority: major | Milestone:
> Component: Live server | Maintenance
> Keywords: | Resolution:
> Add Hours to Ticket: 0 | Estimated Number of Hours: 0.0
> Total Hours: 0.65 | Billable?: 1
> -------------------------------------+-------------------------------------
>
> Comment (by chris):
>
> Replying to [comment:6 ade]:
> >
> > Appears if I try to login via ssh using the tn.ftp user, its has an aged
> > password and is asking me to reset. Think you may want to do this and keep
> > a note of it.
>
> Yes that was the issue, our emails crossed again, I have set it to a
> random one, no need to keep it since we are using keys and we can reset it
> as the root user at any time as needs be.
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:8>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675
comment:10 follow-up: ↓ 11 Changed 10 months ago by ade
Hi Chris,
It appears I have broken the 3 errors and our out rule...And it told me it
was going to tell tales after each rule been broken!
It doesn't seem to like cd
/data/disk/tn/platforms/transitionnetwork.org/ which
was weird as this was one you recommended. Anyways not a biggy, but you
will be receiving or have received tales of woe from your server....
Not often I get told that I'm being snitched on by a server and then logged
out!
Onwards and upwards
A
On 3 February 2016 at 15:05, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
> Reporter: chris | Owner: chris
> Type: maintenance | Status: new
> Priority: major | Milestone:
> Component: Live server | Maintenance
> Keywords: | Resolution:
> Add Hours to Ticket: 0 | Estimated Number of Hours: 0.0
> Total Hours: 0.65 | Billable?: 1
> -------------------------------------+-------------------------------------
>
> Comment (by ade):
>
> {{{
> awesome, many thanks for this Chris.
>
> Will let you know or contact paul if all is not obvious.
>
> cheers again
> A
>
> On 3 February 2016 at 15:00, Transition Technology Trac <
> trac@tech.transitionnetwork.org> wrote:
>
> > #901: Enable SSH access to PuffinServer for Ade
> >
>
> -------------------------------------+-------------------------------------
> > Reporter: chris | Owner:
> chris
> > Type: maintenance | Status: new
> > Priority: major | Milestone:
> > Component: Live server | Maintenance
> > Keywords: | Resolution:
> > Add Hours to Ticket: 0 | Estimated Number of Hours: 0.0
> > Total Hours: 0.65 | Billable?: 1
> >
>
> -------------------------------------+-------------------------------------
> >
> > Comment (by chris):
> >
> > Replying to [comment:6 ade]:
> > >
> > > Appears if I try to login via ssh using the tn.ftp user, its has an
> aged
> > > password and is asking me to reset. Think you may want to do this and
> > keep
> > > a note of it.
> >
> > Yes that was the issue, our emails crossed again, I have set it to a
> > random one, no need to keep it since we are using keys and we can reset
> it
> > as the root user at any time as needs be.
> >
> > --
> > Ticket URL:
> <https://tech.transitionnetwork.org/trac/ticket/901#comment:8>
> > Transition Technology <https://tech.transitionnetwork.org/trac>
> > Support and issues tracking for the Transition Network Web Project.
> >
>
>
>
> --
> Ade Stuart
> Web Manager - Transition network
>
> 07595 331877
>
> The Transition Network is a registered charity
> address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
> website: www.transitionnetwork.org
> TN company no: 6135675 TN charity no: 1128675
>
> }}}
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:9>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675
comment:11 in reply to: ↑ 10 Changed 10 months ago by chris
- Add Hours to Ticket changed from 0.0 to 0.3
- Total Hours changed from 0.65 to 0.95
Replying to ade:
> It appears I have broken the 3 errors and our out rule...And it told me it was going to tell tales after each rule been broken!
I did get an lfd email alert earlier to say you had logged in, following PuffinServer#Falsepositives I have checked that your IP hasn't been blocked -- it hasn't.
> It doesn't seem to like cd /data/disk/tn/platforms/transitionnetwork.org/ which was weird as this was one you recommended.
I expect that the shell that BOA has configured for this user:
```
grep tn.ftp /etc/passwd
tn.ftp:x:999:100::/home/tn.ftp:/usr/bin/mysecureshell
```
Has a chroot or something like that. According to the docs the config is in /etc/ssh/sftp_config and that contains:
```
<Default>
    GlobalDownload 0
    GlobalUpload 0
    Download 0
    Upload 0
    StayAtHome true
    VirtualChroot true
    LimitConnection 0
    LimitConnectionByUser 5
    LimitConnectionByIP 5
    Home /home/$USER
    IdleTimeOut 15m
    ResolveIP false
    IgnoreHidden true
    HideNoAccess true
    DefaultRights 0664 0775
    MinimumRights 0664 0775
</Default>
<Group lshellg>
    Shell /usr/bin/lshell
</Group>
```
So that means when you login you are restricted to /home/tn.ftp and that directory contains some symlinks to things:
```
cd /home/tn.ftp/
ls -lah
total 52K
drwx------  9 tn.ftp users 4.0K Dec  4 19:04 ./
drwx--x--x 15 root   root  4.0K Feb  3 13:30 ../
-rw-------  1 tn.ftp users  321 Jun 30  2014 .bash_history
drwx------  2 tn.ftp users 4.0K Apr  7  2013 .bazaar/
-rw-rw-r--  1 tn.ftp users 4.5K May 31  2013 .bzr.log
drwxr-sr-x  3 tn.ftp users 4.0K Dec  4 19:05 .drush/
-rw-rw-r--  1 tn.ftp users 1.8K Feb  4 11:24 .lhistory
drwx------  2 tn.ftp users 4.0K Feb  3 14:41 .ssh/
drwxrwxr-x  3 tn.ftp users 4.0K May 29  2013 .subversion/
drwxr-sr-x  3 tn.ftp users 4.0K Dec 23 03:00 .tmp/
lrwxrwxrwx  1 root   root    21 Dec 15  2012 backups -> /data/disk/tn/backups/
lrwxrwxrwx  1 root   root    21 Dec 15  2012 clients -> /data/disk/tn/clients/
drwxr-xr-x  7 tn     users 4.0K Dec 23 03:00 platforms/
lrwxrwxrwx  1 root   root    20 Dec 15  2012 static -> /data/disk/tn/static/
drwx------  2 tn.ftp users 4.0K Aug  4  2015 users/
```
And looking at the clients symlink:
```
ls -lah /data/disk/tn/clients/tnusers/
total 28K
drwxr-x--- 2 tn users 4.0K Jun 18  2015 ./
drwxr-x--- 4 tn users 4.0K May  1  2015 ../
lrwxrwxrwx 1 tn users  113 Mar 19  2015 booker-stage-20150319.news.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-s001b-booker/sites/booker-stage-20150319.news.transitionnetwork.org/
lrwxrwxrwx 1 tn users  108 Jun 18  2015 booker-stage-20150319.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-s001b-booker/sites/booker-stage-20150319.transitionnetwork.org/
lrwxrwxrwx 1 tn users  103 Jun 18  2015 booker-stage-sam.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-s001b-booker/sites/booker-stage-sam.transitionnetwork.org/
lrwxrwxrwx 1 tn users   91 Mar 19  2015 news.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/news.transitionnetwork.org/
lrwxrwxrwx 1 tn users   29 Jan 16  2014 tnusers -> /data/disk/tn/clients/tnusers/
lrwxrwxrwx 1 tn users   90 Mar 19  2015 www.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/www.transitionnetwork.org/
```
There are links to dev versions of the site but not the live site. I'm afraid I have no idea how BOA creates or manages these symlinks, I have manually created a new one:
```
cd /home/tn.ftp
ln -s /data/disk/tn/platforms/transitionnetwork.org
```
So you should now be able to get to the live site:
```
sftp tn.ftp@puffin.transitionnetwork.org
Host key fingerprint is 92:19:87:53:08:38:d9:de:c3:a1:d3:97:75:bf:83:2c
+---[RSA 2048]----+
|  +.. ..         |
| + . oo . .      |
|  o =+..o . .    |
|   + =*o .       |
|   .+oS . . .    |
|    . E o o      |
|     . .         |
|                 |
|                 |
+-----------------+
Connected to puffin.transitionnetwork.org.
sftp> cd transitionnetwork.org/
sftp> ls
CHANGELOG.txt  COPYRIGHT.txt  INSTALL.mysql.txt  INSTALL.pgsql.txt  INSTALL.txt  LICENSE.txt  MAINTAINERS.txt  UPGRADE.txt  cron.php  includes  index.php  install.php  misc  modules  profiles  robots.txt  scripts  sites  themes  transitionnetwork.org-d6.make  update.php
sftp>
```
> Anyways not a biggy, but you will be receiving or have received tales of woe from your server....
> Not often I get told that I'm being snitched on by a server and then logged out!
I haven't had any alerts other than the login one.
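To see which paths an account like tn.ftp can actually reach under the sftp_config above, the following added Python (not the ticket's code and not part of MySecureShell) parses that config format and then, in a throwaway directory laid out like the /home/tn.ftp listing, reports the symlinks whose targets resolve outside the home directory. With VirtualChroot/StayAtHome set, those root-created links are the only route out of the home, so the report is exactly what a reviewer should expect the account to be able to see. Directory names mirror the listing above; the `sites` link is an invented in-home link included to show it is not reported.

```python
import os
import re
import tempfile

# Constructed copy of the /etc/ssh/sftp_config contents quoted in comment:11.
SAMPLE_SFTP_CONFIG = """\
<Default>
    GlobalDownload 0
    GlobalUpload 0
    Download 0
    Upload 0
    StayAtHome true
    VirtualChroot true
    LimitConnection 0
    LimitConnectionByUser 5
    LimitConnectionByIP 5
    Home /home/$USER
    IdleTimeOut 15m
    ResolveIP false
    IgnoreHidden true
    HideNoAccess true
    DefaultRights 0664 0775
    MinimumRights 0664 0775
</Default>
<Group lshellg>
    Shell /usr/bin/lshell
</Group>
"""


def parse_sftp_config(text):
    """Parse MySecureShell's sftp_config into {section: {directive: value}}.
    Sections look like <Default>, <Group name> or <User name>; a value may
    contain spaces (e.g. 'DefaultRights 0664 0775'); '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opener = re.fullmatch(r"<(\w+)(?:\s+(\S+))?>", line)
        if opener:
            name, arg = opener.groups()
            current = name if arg is None else f"{name}:{arg}"
            sections[current] = {}
            continue
        if re.fullmatch(r"</\w+>", line):
            current = None
            continue
        if current is None:
            raise ValueError(f"directive outside any section: {line!r}")
        key, _, value = line.partition(" ")
        sections[current][key] = value.strip()
    return sections


def effective_home(config, user):
    """Expand the Home directive for a given user ($USER is the only variable used here)."""
    return config["Default"].get("Home", "/home/$USER").replace("$USER", user)


def is_confined_to_home(config):
    d = config["Default"]
    return any(d.get(k, "false").lower() == "true" for k in ("VirtualChroot", "StayAtHome"))


def audit_symlink_escapes(home):
    """{name: link target} for symlinks directly under home that resolve outside it."""
    home_real = os.path.realpath(home)
    escapes = {}
    for name in sorted(os.listdir(home)):
        path = os.path.join(home, name)
        if not os.path.islink(path):
            continue
        target = os.path.realpath(path)
        if os.path.commonpath([home_real, target]) != home_real:
            escapes[name] = os.readlink(path)
    return escapes


def build_demo_tree():
    """Temporary layout mirroring the ticket's /home/tn.ftp, including the
    transitionnetwork.org link created by hand in comment:11."""
    root = tempfile.mkdtemp()
    data = os.path.join(root, "data", "disk", "tn")
    for d in ("backups", "clients", "static", os.path.join("platforms", "transitionnetwork.org")):
        os.makedirs(os.path.join(data, d))
    home = os.path.join(root, "home", "tn.ftp")
    os.makedirs(home, mode=0o700)
    for d in ("platforms", "users", ".ssh"):
        os.makedirs(os.path.join(home, d))
    for link in ("backups", "clients", "static"):
        os.symlink(os.path.join(data, link), os.path.join(home, link))
    os.symlink(os.path.join(home, "platforms"), os.path.join(home, "sites"))  # stays inside home
    os.symlink(os.path.join(data, "platforms", "transitionnetwork.org"),
               os.path.join(home, "transitionnetwork.org"))
    return root, home


if __name__ == "__main__":
    cfg = parse_sftp_config(SAMPLE_SFTP_CONFIG)
    print("home:", effective_home(cfg, "tn.ftp"), "confined:", is_confined_to_home(cfg))
    _, demo_home = build_demo_tree()
    print(audit_symlink_escapes(demo_home))
```

On the real host the same audit is `audit_symlink_escapes(effective_home(cfg, "tn.ftp"))` after reading /etc/ssh/sftp_config; adding a link as in comment:11 should show up there, and anything else listed is worth explaining before the next key is added to that account.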
