Transition Technology: Ticket #901: Enable SSH access to PuffinServer for Ade

hours, totalhours changed

chris — Wed, 03 Feb 2016 13:50:15 GMT

hours changed from 0.0 to 0.45
totalhours changed from 0.0 to 0.45

Following the steps taken for Paul:

sudo -i
adduser ade --add_extra_groups sudo

Following this to convert SSH2 to OpenSSH:

cd /home/ade/
mkdir .ssh
chown ade:ade .ssh/
chmod 700 .ssh/
vi ssh2.pub
ssh-keygen -i -f ssh2.pub > /home/ade/.ssh/authorized_keys
chown ade:ade /home/ade/.ssh/authorized_keys
chmod 600 /home/ade/.ssh/authorized_keys

Ade: You should now be able to connect using these details:

Server: puffin.transitionnetwork.org
User: ade
Port: 22

Once you are in you need to type:

sudo -i

This will make you the root user, you need to do this as BOA has wrecked the ability of non-root users to do anything.

To get to the root of the website and list the files / directories:

cd /data/disk/tn/platforms/transitionnetwork.org/
ls -lah

To login to MySQL to see the database:

mysql transitionnetw_0

Once you have done that you can use the usual MySQL commands, eg:

MariaDB [transitionnetw_0]> SHOW tables;
MariaDB [transitionnetw_0]> DESCRIBE content_field_initiative;

If you want a dump of the whole database you might as well take the last backup copy (to save dumping a new copy, the backup is created at 1am each day), this is /var/backups/mysql/sqldump/transitionnetw_0.sql

If you need further help feel free to ask and please don't break anything :-)

PS I hope you used a passphrase to protect your ssh key pair when you generated it.

hours, totalhours changed

chris — Wed, 03 Feb 2016 14:31:01 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.45 to 0.55

Ade, I see you got in OK:

tail -f /var/log/auth.log | grep ade
Feb  3 14:22:13 puffin sshd[26032]: Accepted publickey for ade from XXX.XXX.XXX.XXX port 59842 ssh2
Feb  3 14:22:13 puffin sshd[26032]: pam_unix(sshd:session): session opened for user ade by (uid=0)
Feb  3 14:22:58 puffin sudo:      ade : TTY=pts/3 ; PWD=/home/ade ; USER=root ; COMMAND=/bin/bash
Feb  3 14:22:58 puffin sudo: pam_unix(sudo:session): session opened for user root by ade(uid=0)
Feb  3 14:26:48 puffin sshd[28029]: Accepted publickey for ade from XXX.XXX.XXX.XXX port 59860 ssh2
Feb  3 14:26:48 puffin sshd[28029]: pam_unix(sshd:session): session opened for user ade by (uid=0)
Feb  3 14:26:48 puffin sshd[28037]: subsystem request for sftp by user ade

I don't know how much joy you will have with SFTP as user ade, best use user tn.ftp for SFTP, I have added your public key to that account:

cat /home/ade/.ssh/authorized_keys >> /home/tn.ftp/.ssh/authorized_keys

ade — Wed, 03 Feb 2016 14:35:05 GMT

Hi Chris,
many thanks for that am in and have been let loose.
However, on login in via SFTP using key I get in, but only have access to
the .SSH key folder?
I don't want to start playing with folder settings via SSH so could I
request that you do this for me so that I can gain SFTP access to the
 /data/disk/tn/platforms/transitionnetwork.org/ folder?
many thanks
Ade
On 3 February 2016 at 13:50, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
>            Reporter:  chris          |                      Owner:  chris
>                Type:  maintenance    |                     Status:  new
>            Priority:  major          |                  Milestone:
>           Component:  Live server    |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0.45           |  Estimated Number of Hours:  0.0
>         Total Hours:  0              |                  Billable?:  1
> -------------------------------------+-------------------------------------
> Changes (by chris):
>
>  * hours:  0.0 => 0.45
>  * totalhours:  0.0 => 0.45
>
>
> Comment:
>
>  Following the steps taken [ticket:682#comment:1 for Paul]:
>
>  {{{
>  sudo -i
>  adduser ade --add_extra_groups sudo
>  }}}
>
>  Following [https://unix.stackexchange.com/a/84122 this to convert SSH2 to
>  OpenSSH]:
>
>  {{{
>  cd /home/ade/
>  mkdir .ssh
>  chown ade:ade .ssh/
>  chmod 700 .ssh/
>  vi ssh2.pub
>  ssh-keygen -i -f ssh2.pub > /home/ade/.ssh/authorized_keys
>  chown ade:ade /home/ade/.ssh/authorized_keys
>  chmod 600 /home/ade/.ssh/authorized_keys
>  }}}
>
>  Ade: You should now be able to connect using these details:
>
>  * '''Server:''' puffin.transitionnetwork.org
>  * '''User:''' ade
>  * '''Port:''' 22
>
>  Once you are in you need to type:
>
>  {{{
>  sudo -i
>  }}}
>
>  This will make you the `root` user, you need to do this as BOA has wrecked
>  the ability of non-root users to do anything.
>
>  To get to the root of the website and list the files / directories:
>
>  {{{
>  cd /data/disk/tn/platforms/transitionnetwork.org/
>  ls -lah
>  }}}
>
>  To login to MySQL to see the database:
>
>  {{{
>  mysql transitionnetw_0
>  }}}
>
>  Once you have done that you can use the usual MySQL commands, eg:
>
>  {{{
>  MariaDB [transitionnetw_0]> SHOW tables;
>
>  MariaDB [transitionnetw_0]> DESCRIBE content_field_initiative;
>  }}}
>
>  If you want a dump of the whole database you might as well take the last
>  backup copy (to save dumping a new copy, the backup is created at 1am each
>  day), this is `/var/backups/mysql/sqldump/transitionnetw_0.sql`
>
>  If you need further help feel free to ask and please don't break anything
>  :-)
>
>  PS I hope you used a passphrase to protect your ssh key pair when you
>  generated it.
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:1>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

chris — Wed, 03 Feb 2016 14:38:45 GMT

Ade, our email just crossed, see ticket:901#comment:2 -- if you use tn.ftp as the username you should find SFTP is working OK, it doesn't work for the user ade due to BOA, intentionally, basically wrecking all non-root accounts as a security "feature"...

ade — Wed, 03 Feb 2016 14:40:03 GMT

many thanks for that Chris,
Tried using tn.ftp account and get an error saying 'Received unexpected
end-of-file from SFTP server'
any thoughts?
On 3 February 2016 at 14:38, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
>            Reporter:  chris          |                      Owner:  chris
>                Type:  maintenance    |                     Status:  new
>            Priority:  major          |                  Milestone:
>           Component:  Live server    |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>         Total Hours:  0.55           |                  Billable?:  1
> -------------------------------------+-------------------------------------
>
> Comment (by chris):
>
>  Ade, our email just crossed, see ticket:901#comment:2 -- if you use
>  `tn.ftp` as the username you should find SFTP is working OK, it doesn't
>  work for the user `ade` due to BOA, intentionally,  basically wrecking all
>  non-root accounts as a security "feature"...
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:4>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

ade — Wed, 03 Feb 2016 14:55:03 GMT

Hi Chris,
Appears if I try to login via ssh using the tn.ftp user, its has an aged
password and is asking me to reset. Think you may want to do this and keep
a note of it.
A
On 3 February 2016 at 14:40, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
>            Reporter:  chris          |                      Owner:  chris
>                Type:  maintenance    |                     Status:  new
>            Priority:  major          |                  Milestone:
>           Component:  Live server    |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>         Total Hours:  0.55           |                  Billable?:  1
> -------------------------------------+-------------------------------------
>
> Comment (by ade):
>
>  {{{
>  many thanks for that Chris,
>  Tried using tn.ftp account and get an error saying 'Received unexpected
>  end-of-file from SFTP server'
>
>  any thoughts?
>
>  On 3 February 2016 at 14:38, Transition Technology Trac <
>  trac@tech.transitionnetwork.org> wrote:
>
>  > #901: Enable SSH access to PuffinServer for Ade
>  >
>
>  -------------------------------------+-------------------------------------
>  >            Reporter:  chris          |                      Owner:
>  chris
>  >                Type:  maintenance    |                     Status:  new
>  >            Priority:  major          |                  Milestone:
>  >           Component:  Live server    |  Maintenance
>  >            Keywords:                 |                 Resolution:
>  > Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>  >         Total Hours:  0.55           |                  Billable?:  1
>  >
>
>  -------------------------------------+-------------------------------------
>  >
>  > Comment (by chris):
>  >
>  >  Ade, our email just crossed, see ticket:901#comment:2 -- if you use
>  >  `tn.ftp` as the username you should find SFTP is working OK, it doesn't
>  >  work for the user `ade` due to BOA, intentionally,  basically wrecking
>  all
>  >  non-root accounts as a security "feature"...
>  >
>  > --
>  > Ticket URL:
>  <https://tech.transitionnetwork.org/trac/ticket/901#comment:4>
>  > Transition Technology <https://tech.transitionnetwork.org/trac>
>  > Support and issues tracking for the Transition Network Web Project.
>  >
>
>
>
>  --
>  Ade Stuart
>  Web Manager - Transition network
>
>  07595 331877
>
>  The Transition Network is a registered charity
>  address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
>  website: www.transitionnetwork.org
>  TN company no: 6135675 TN charity no: 1128675
>
>  }}}
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:5>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

hours, totalhours changed

chris — Wed, 03 Feb 2016 14:59:06 GMT

hours changed from 0.0 to 0.1
totalhours changed from 0.55 to 0.65

It doesn't work for me either, looks like it might be due to the shell:

grep tn.ftp /etc/passwd
tn.ftp:x:999:100::/home/tn.ftp:/usr/bin/mysecureshell
su - tn.ftp
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required
(Ignored)
      ======== Welcome to the Aegir, Drush and Compass Shell ========
         Type '?' or 'help' to get the list of allowed commands
             Note that not all Drush commands are available
       Use RVM and Bundler to manage all your Compass gems! Example:
             `rvm all do gem install --conservative compass`
       To install RVM use control file and re-login after 15 minutes
                 `touch ~/static/control/compass.info`

So, I have reset it and now SFTP works for me.

passwd tn.ftp
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

From work:

sftp tn.ftp@puffin.transitionnetwork.org
Host key fingerprint is 92:19:87:53:08:38:d9:de:c3:a1:d3:97:75:bf:83:2c
+---[RSA 2048]----+
|   +.. ..        |
|  + . oo  . .    |
|   o =+..o . .   |
|    + =*o     .  |
|     .+oS  . . . |
|       .  E o o  |
|           .   . |
|                 |
|                 |
+-----------------+
Connected to puffin.transitionnetwork.org.
sftp> ls
backups    clients    platforms  static     users
sftp>

SSHFS also works:

mkdir puffin
sshfs tn.ftp@puffin.transitionnetwork.org: puffin/
ls puffin/
backups  clients  platforms  static  users

Try again?

chris — Wed, 03 Feb 2016 15:00:24 GMT

Replying to ade:

Appears if I try to login via ssh using the tn.ftp user, its has an aged password and is asking me to reset. Think you may want to do this and keep a note of it.

Yes that was the issue, our emails crossed again, I have set it to a random one, no need to keep it since we are using keys and we can reset it as the root user at any time as needs be.

ade — Wed, 03 Feb 2016 15:05:04 GMT

awesome, many thanks for this Chris.
Will let you know or contact paul if all is not obvious.
cheers again
A
On 3 February 2016 at 15:00, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
>            Reporter:  chris          |                      Owner:  chris
>                Type:  maintenance    |                     Status:  new
>            Priority:  major          |                  Milestone:
>           Component:  Live server    |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>         Total Hours:  0.65           |                  Billable?:  1
> -------------------------------------+-------------------------------------
>
> Comment (by chris):
>
>  Replying to [comment:6 ade]:
>  >
>  > Appears if I try to login via ssh using the tn.ftp user, its has an aged
>  > password and is asking me to reset. Think you may want to do this and
>  keep
>  > a note of it.
>
>  Yes that was the issue, our emails crossed again, I have set it to a
>  random one, no need to keep it since we are using keys and we can reset it
>  as the root user at any time as needs be.
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:8>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

ade — Thu, 04 Feb 2016 11:35:05 GMT

Hi Chris,
It appears I have broken the 3 errors and our out rule...And it told me it
was going to tell tales after each rule been broken!
It doesn't seem to like  cd
/data/disk/tn/platforms/transitionnetwork.org/ which
was weird as this was one you recommended. Anyways not a biggy, but you
will be receiving or have received tales of woe from your server....
Not often I get told that I'm being snitched on by a server and then logged
out!
Onwards and upwards
A
On 3 February 2016 at 15:05, Transition Technology Trac <
trac@tech.transitionnetwork.org> wrote:
> #901: Enable SSH access to PuffinServer for Ade
> -------------------------------------+-------------------------------------
>            Reporter:  chris          |                      Owner:  chris
>                Type:  maintenance    |                     Status:  new
>            Priority:  major          |                  Milestone:
>           Component:  Live server    |  Maintenance
>            Keywords:                 |                 Resolution:
> Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>         Total Hours:  0.65           |                  Billable?:  1
> -------------------------------------+-------------------------------------
>
> Comment (by ade):
>
>  {{{
>  awesome, many thanks for this Chris.
>
>  Will let you know or contact paul if all is not obvious.
>
>  cheers again
>  A
>
>  On 3 February 2016 at 15:00, Transition Technology Trac <
>  trac@tech.transitionnetwork.org> wrote:
>
>  > #901: Enable SSH access to PuffinServer for Ade
>  >
>
>  -------------------------------------+-------------------------------------
>  >            Reporter:  chris          |                      Owner:
>  chris
>  >                Type:  maintenance    |                     Status:  new
>  >            Priority:  major          |                  Milestone:
>  >           Component:  Live server    |  Maintenance
>  >            Keywords:                 |                 Resolution:
>  > Add Hours to Ticket:  0              |  Estimated Number of Hours:  0.0
>  >         Total Hours:  0.65           |                  Billable?:  1
>  >
>
>  -------------------------------------+-------------------------------------
>  >
>  > Comment (by chris):
>  >
>  >  Replying to [comment:6 ade]:
>  >  >
>  >  > Appears if I try to login via ssh using the tn.ftp user, its has an
>  aged
>  >  > password and is asking me to reset. Think you may want to do this and
>  >  keep
>  >  > a note of it.
>  >
>  >  Yes that was the issue, our emails crossed again, I have set it to a
>  >  random one, no need to keep it since we are using keys and we can reset
>  it
>  >  as the root user at any time as needs be.
>  >
>  > --
>  > Ticket URL:
>  <https://tech.transitionnetwork.org/trac/ticket/901#comment:8>
>  > Transition Technology <https://tech.transitionnetwork.org/trac>
>  > Support and issues tracking for the Transition Network Web Project.
>  >
>
>
>
>  --
>  Ade Stuart
>  Web Manager - Transition network
>
>  07595 331877
>
>  The Transition Network is a registered charity
>  address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
>  website: www.transitionnetwork.org
>  TN company no: 6135675 TN charity no: 1128675
>
>  }}}
>
> --
> Ticket URL: <https://tech.transitionnetwork.org/trac/ticket/901#comment:9>
> Transition Technology <https://tech.transitionnetwork.org/trac>
> Support and issues tracking for the Transition Network Web Project.
>
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

hours, totalhours changed

chris — Thu, 04 Feb 2016 12:08:06 GMT

hours changed from 0.0 to 0.3
totalhours changed from 0.65 to 0.95

Replying to ade:

It appears I have broken the 3 errors and our out rule...And it told me it was going to tell tales after each rule been broken!

I did get a lfd email alert earlier to say you has logged in, following PuffinServer#Falsepositives I have checked that your IP hasn't been blocked -- it hasn't.

It doesn't seem to like cd /data/disk/tn/platforms/transitionnetwork.org/ which was weird as this was one you recommended.

I expect that the shell that BOA has configured for this user:

grep tn.ftp /etc/passwd
tn.ftp:x:999:100::/home/tn.ftp:/usr/bin/mysecureshell

Has a chroot or something like that. According to the docs the config is in /etc/ssh/sftp_config and that contains:

<Default>
  GlobalDownload         0
  GlobalUpload           0
  Download               0
  Upload                 0
  StayAtHome             true
  VirtualChroot          true
  LimitConnection        0
  LimitConnectionByUser  5
  LimitConnectionByIP    5
  Home                   /home/$USER
  IdleTimeOut            15m
  ResolveIP              false
  IgnoreHidden           true
  HideNoAccess           true
  DefaultRights          0664 0775
  MinimumRights          0664 0775
</Default>
<Group lshellg>
  Shell                  /usr/bin/lshell
</Group>

So that means when you login you are restricted to /home/tn.ftp and that directory contains some symlinks to things:

cd /home/tn.ftp/
ls -lah
total 52K
drwx------  9 tn.ftp users 4.0K Dec  4 19:04 ./
drwx--x--x 15 root   root  4.0K Feb  3 13:30 ../
-rw-------  1 tn.ftp users  321 Jun 30  2014 .bash_history
drwx------  2 tn.ftp users 4.0K Apr  7  2013 .bazaar/
-rw-rw-r--  1 tn.ftp users 4.5K May 31  2013 .bzr.log
drwxr-sr-x  3 tn.ftp users 4.0K Dec  4 19:05 .drush/
-rw-rw-r--  1 tn.ftp users 1.8K Feb  4 11:24 .lhistory
drwx------  2 tn.ftp users 4.0K Feb  3 14:41 .ssh/
drwxrwxr-x  3 tn.ftp users 4.0K May 29  2013 .subversion/
drwxr-sr-x  3 tn.ftp users 4.0K Dec 23 03:00 .tmp/
lrwxrwxrwx  1 root   root    21 Dec 15  2012 backups -> /data/disk/tn/backups/
lrwxrwxrwx  1 root   root    21 Dec 15  2012 clients -> /data/disk/tn/clients/
drwxr-xr-x  7 tn     users 4.0K Dec 23 03:00 platforms/
lrwxrwxrwx  1 root   root    20 Dec 15  2012 static -> /data/disk/tn/static/
drwx------  2 tn.ftp users 4.0K Aug  4  2015 users/

And looking at the clients symlink:

ls -lah /data/disk/tn/clients/tnusers/
total 28K
drwxr-x--- 2 tn users 4.0K Jun 18  2015 ./
drwxr-x--- 4 tn users 4.0K May  1  2015 ../
lrwxrwxrwx 1 tn users  113 Mar 19  2015 booker-stage-20150319.news.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-s001b-booker/sites/booker-stage-20150319.news.transitionnetwork.org/
lrwxrwxrwx 1 tn users  108 Jun 18  2015 booker-stage-20150319.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-s001b-booker/sites/booker-stage-20150319.transitionnetwork.org/
lrwxrwxrwx 1 tn users  103 Jun 18  2015 booker-stage-sam.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-s001b-booker/sites/booker-stage-sam.transitionnetwork.org/
lrwxrwxrwx 1 tn users   91 Mar 19  2015 news.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/news.transitionnetwork.org/
lrwxrwxrwx 1 tn users   29 Jan 16  2014 tnusers -> /data/disk/tn/clients/tnusers/
lrwxrwxrwx 1 tn users   90 Mar 19  2015 www.transitionnetwork.org -> /data/disk/tn/static/transition-network-d6-35-p001b-booker/sites/www.transitionnetwork.org/

There are links to dev versions of the site but not the live site. I'm afraid I have no idea how BOA creates or manages these symlinks, I have manually created a new one:

cd /home/tn.ftp
ln -s /data/disk/tn/platforms/transitionnetwork.org

So you should now be able to get to the live site:

sftp tn.ftp@puffin.transitionnetwork.org
Host key fingerprint is 92:19:87:53:08:38:d9:de:c3:a1:d3:97:75:bf:83:2c
+---[RSA 2048]----+
|   +.. ..        |
|  + . oo  . .    |
|   o =+..o . .   |
|    + =*o     .  |
|     .+oS  . . . |
|       .  E o o  |
|           .   . |
|                 |
|                 |
+-----------------+
Connected to puffin.transitionnetwork.org.
sftp> cd transitionnetwork.org/
sftp> ls
CHANGELOG.txt                   COPYRIGHT.txt                   INSTALL.mysql.txt               INSTALL.pgsql.txt
INSTALL.txt                     LICENSE.txt                     MAINTAINERS.txt                 UPGRADE.txt
cron.php                        includes                        index.php                       install.php
misc                            modules                         profiles                        robots.txt
scripts                         sites                           themes                          transitionnetwork.org-d6.make
update.php
sftp>

Anyways not a biggy, but you will be receiving or have received tales of woe from your server.... Not often I get told that I'm being snitched on by a server and then logged out!

I haven't had any alerts other than the login one.