Federated-Reserve / Operations

Operations related wikis, issues, and tools

Setup user accounts for each of us #5

Open chrislgarry opened 6 years ago

chrislgarry commented 6 years ago

Setup user accounts on each instance for each of us, rather than just "fed-admin" like we have.

In the future, this can be done using software like Kerberos.

chrislgarry commented 6 years ago

@qimingfang is already on this.

qimingfang commented 6 years ago

I'm starting with accounts for Singapore only, then replicating that in Seoul once it works for everyone.

chrislgarry commented 6 years ago

I verified that the secret key I'm using produces the public key that's in the authorized_keys file for garry, but ssh authentication is failing:

Chriss-MacBook-Pro-2:Downloads cgarry$ ssh -i sin-bastion-garry.pem garry@13.250.30.83
Received disconnect from 13.250.30.83 port 22:2: Too many authentication failures
Authentication failed.

The only other thing I can think of is that garry doesn't have the proper permissions for the .ssh folder. After creating the user, you should:

sudo su - newuser
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

I figured out that you missed step three by checking the permissions:

[ec2-user@ip-10-0-1-229 ~]$ sudo su - garry
Last login: Thu Apr 26 05:44:11 UTC 2018 on pts/0
[garry@ip-10-0-1-229 ~]$ pwd
/home/garry
[garry@ip-10-0-1-229 ~]$ ls -lah
total 24K
drwx------ 3 garry garry  140 Apr 25 13:57 .
drwxr-xr-x 6 root  root    63 Apr 24 18:49 ..
-rw------- 1 garry garry  491 Apr 26 05:44 .bash_history
-rw-r--r-- 1 garry garry   18 Oct 24  2017 .bash_logout
-rw-r--r-- 1 garry garry  193 Oct 24  2017 .bash_profile
-rw-r--r-- 1 garry garry  231 Oct 24  2017 .bashrc
-r-------- 1 root  root   165 Apr 25 13:57 .google_authenticator
drwxrwxr-x 2 garry garry   43 Apr 25 12:52 .ssh
-rw------- 1 garry garry 1.2K Apr 25 12:41 .viminfo

[garry@ip-10-0-1-229 ~]$ chmod 700 .ssh/

[garry@ip-10-0-1-229 ~]$ ls -lah
total 24K
drwx------ 3 garry garry  140 Apr 25 13:57 .
drwxr-xr-x 6 root  root    63 Apr 24 18:49 ..
-rw------- 1 garry garry  491 Apr 26 05:44 .bash_history
-rw-r--r-- 1 garry garry   18 Oct 24  2017 .bash_logout
-rw-r--r-- 1 garry garry  193 Oct 24  2017 .bash_profile
-rw-r--r-- 1 garry garry  231 Oct 24  2017 .bashrc
-r-------- 1 root  root   165 Apr 25 13:57 .google_authenticator
drwx------ 2 garry garry   43 Apr 25 12:52 .ssh
-rw------- 1 garry garry 1.2K Apr 25 12:41 .viminfo
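
The setup steps and the two permission mistakes discussed above, as an added example that is not code from the Federated-Reserve/Operations repo or from anyone in this thread. `setup_ssh_dir` performs the mkdir/chmod/touch/chmod sequence and installs one public key; `check_ssh_perms` reproduces the tests sshd applies under StrictModes (and the ssh client applies to `~/.ssh/config`): every path from the home directory down to `authorized_keys` and `config` must be owned by the user or root and must not be group- or world-writable. Paths and the expected uid are parameters so the script runs unprivileged in a scratch directory; the key line and the `fed1` stanza in the demo are constructed.

```shell
#!/bin/sh
# Added example for this issue (not from the Federated-Reserve/Operations repo):
# the per-user ~/.ssh setup from the thread as a function, plus a checker that
# mirrors what sshd (StrictModes) and the ssh client verify, and therefore
# reports the two mistakes seen above: a group-writable .ssh directory and a
# group-writable config. On a real host run it as the new user (sudo su - garry)
# against "$HOME"; here it runs in a scratch directory.

# Print the permission bits of a path in octal (GNU stat, BSD stat fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Print the numeric owner uid of a path.
owner_of() {
  stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Create ~/.ssh with the modes the thread lists and install one public key.
#   $1 = home directory, $2 = one authorized_keys line
setup_ssh_dir() {
  home="$1"; pubkey="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  # Append only if this exact key line is not already present.
  grep -qxF "$pubkey" "$home/.ssh/authorized_keys" ||
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# Report anything that makes sshd ignore authorized_keys or makes the client
# refuse ~/.ssh/config: a path not owned by the user (or root), or a path
# writable by group or others. Exits 0 only when every path is clean.
#   $1 = home directory, $2 = uid the files must belong to (default: caller)
check_ssh_perms() {
  home="$1"; uid="${2:-$(id -u)}"; problems=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" "$home/.ssh/config"; do
    [ -e "$p" ] || continue
    m=$(mode_of "$p"); o=$(owner_of "$p")
    if [ "$o" != "$uid" ] && [ "$o" != 0 ]; then
      echo "BAD owner $o on $p (expected uid $uid)"; problems=$((problems + 1))
    fi
    # 022 masks the group-write and other-write bits; either one is fatal.
    if [ $(( 0$m & 022 )) -ne 0 ]; then
      echo "BAD mode $m on $p (group/world writable)"; problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ]
}

# Stand-alone demonstration in a scratch "home" (constructed data): reproduce
# the thread's mistakes, let the checker catch them, then apply the fixes.
demo_home=$(mktemp -d)
setup_ssh_dir "$demo_home" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleNotARealKey garry@laptop"
chmod 775 "$demo_home/.ssh"                      # the missed "step three"
printf 'Host fed1\n  User garry\n' > "$demo_home/.ssh/config"
chmod 664 "$demo_home/.ssh/config"               # cause of "Bad owner or permissions"
check_ssh_perms "$demo_home" || echo "-> fix: chmod 700 ~/.ssh; chmod 600 ~/.ssh/config"
chmod 700 "$demo_home/.ssh"; chmod 600 "$demo_home/.ssh/config"
check_ssh_perms "$demo_home" && echo "-> clean"
rm -rf "$demo_home"
```

Running the checker as the affected user before the first login attempt is cheaper than reading "Too many authentication failures" from the client side, which says nothing about why the key was rejected; on the server, `sshd` logs the refusal under "Authentication refused: bad ownership or modes".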

chrislgarry commented 6 years ago

Also need to fix owner permissions on .ssh/config:

[garry@ip-10-0-1-229 ~]$ ssh fed1
Bad owner or permissions on /home/garry/.ssh/config

[garry@ip-10-0-1-229 ~]$ cd .ssh/
[garry@ip-10-0-1-229 .ssh]$ ls -lah
total 8.0K
drwx------ 2 garry garry  43 Apr 25 12:52 .
drwx------ 3 garry garry 140 Apr 26 06:06 ..
-rw------- 1 garry garry 381 Apr 24 18:41 authorized_keys
-rw-rw-r-- 1 garry garry 117 Apr 25 12:52 config

[garry@ip-10-0-1-229 .ssh]$ chmod 600 config

And don't forget to add key forwarding for the bastion to .ssh/config on your laptop:

Host sin-bastion
  Hostname ec2-13-250-30-83.ap-southeast-1.compute.amazonaws.com
  User garry
  ForwardAgent yes

so that the SSH private key is forwarded to the bastion, which is required to access fed1. The alternative is to store the SSH key on the server, but that is bad practice. Forwarding is better. I just want to explain this thoroughly here for anyone reading, and for potential newcomers.
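
The laptop-side config above with two additions a practitioner would want, as an added example that is not from the thread or the repo. `IdentitiesOnly yes` makes ssh offer only the key named in `IdentityFile`; without it, ssh first offers every key loaded in the agent, and a laptop with several keys can exhaust the server's `MaxAuthTries` before the right key is tried, which is a common cause of the "Too many authentication failures" message. `ProxyJump` (OpenSSH 7.3 or later) reaches fed1 by tunnelling a second SSH connection through the bastion, so fed1 authenticates against the laptop's key directly and the agent socket is never exposed on the bastion, where anyone with root could use it while the session is open. The fed1 hostname and the key paths are assumptions; the bastion hostname and user are the ones from the thread.

```ssh_config
# Added example, not from the issue thread. The fed1 address and the
# key file paths are assumptions; replace them with the real values.

Host sin-bastion
  Hostname ec2-13-250-30-83.ap-southeast-1.compute.amazonaws.com
  User garry
  IdentityFile ~/.ssh/sin-bastion-garry.pem
  # Offer only this key, not every key the agent holds.
  IdentitiesOnly yes

# Reach fed1 through the bastion without forwarding the agent.
# Assumed hostname: use fed1's private address from the bastion's own
# ~/.ssh/config, since with ProxyJump the name is resolved on the bastion.
Host fed1
  Hostname fed1.internal
  User garry
  ProxyJump sin-bastion
  IdentityFile ~/.ssh/sin-bastion-garry.pem
  IdentitiesOnly yes
```

With this in place, `ssh fed1` from the laptop replaces the two-step `ssh sin-bastion` then `ssh fed1`, and `ForwardAgent yes` can be dropped from the bastion stanza unless something on the bastion itself needs the agent.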

qimingfang commented 6 years ago

Ah yes, you're right. We need the .ssh folder and the authorized_keys to have more permissions. Good catch.