Closed hirokomatsui closed 4 years ago
We reduced SSH access to just campus per review last week.
Do you perhaps have a range of IP addresses that "off campus" represents, something less than "anywhere"?
Like even just the IP range of their campus Internet would be better than "any"
I'll ask them!
Otherwise we can open fl-hn2 to "any" again and rely on the fail2ban brute force protection ;)
One of our collaborators will ssh to the server from 129.67.44.*. Is hosts.allow the only file that has to be edited?
Yep but it requires a slightly different pattern syntax.
I've made this next item above on fl-hn2; if you want it elsewhere, up to you!
sshd: 129.67.44.0/255.255.255.0 : ALLOW
Have them test to confirm though...
OK. Just for the future, did you have to restart any service? I'm creating their user account.
Nope! /etc/hosts.allow is read on EACH connection to sshd. So by merely adding a line like I did, you enable it. Just always double-check the syntax before you log out, in case there is an error or the last correct line wins!
I made a user account, will. When I sftp to flh2 as will, I logged in at / (root directory). Is there anything I did wrong? I'm emailing you his password.
Hmm. Looking.
See email. Subtle one. All set though!
Great, thanks!
Can we open the ssh connection on flh2 to everyone temporarily? Should I just modify the file /etc/hosts.allow as sshd : ALL : ALLOW?
We're asking collaborators to gather the data which we've lost. Some of them don't know their out-going IP.
Yeah, that's fine. You do not need to restart SSH when you modify /etc/hosts.allow. It takes effect on the next connection.
How do I force puppet? I just created a user account marc on flh1, and am waiting to see if marc can log on to flh2.
puppet agent -tv
I did it for you...
Is marc an sftp chroot account? As he's not in /etc/ssh/sshd_config....
I've added him on flh1. That is not on flh2 yet. But /etc/passwd on flh2 was updated already.
Oh, I guess /etc/ssh/sshd_config is not shared between flh1 and 2.
Nope.
I added marc in sshd_config on flh2, but he still cannot log on:
$ sftp marc@flh2.ucsd.edu:/upload
ssh: connect to host flh2.ucsd.edu port 22: Connection refused
Couldn't read packet: Connection reset by peer
You didn't change the /etc/hosts.allow
sshd : ALL : DENY
No, but I'm trying to connect from on campus first.
He can log on to flh1 though:
$ sftp marc@flh1.ucsd.edu:/upload
marc@flh1.ucsd.edu's password:
Connected to flh1.ucsd.edu.
Changing to: /upload
He failed a few times and so fail2ban is blocking.
27 2812 REJECT all -- 169.228.63.210 0.0.0.0/0 reject-with icmp-port-unreachable
I'll clear it in a minute.
Try again.
It behaves differently now:
$ sftp marc@flh2.ucsd.edu:/upload
marc@flh2.ucsd.edu's password:
Permission denied, please try again.
marc@flh2.ucsd.edu's password:
Permission denied, please try again.
marc@flh2.ucsd.edu's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Couldn't read packet: Connection reset by peer
Jun 9 12:56:37 fl-hn2 sshd[22739]: Failed password for invalid user marc from 169.228.63.210 port 38520 ssh2
Jun 9 12:56:40 fl-hn2 sshd[22739]: Failed password for invalid user marc from 169.228.63.210 port 38520 ssh2
Jun 9 12:56:43 fl-hn2 sshd[22739]: Failed password for invalid user marc from 169.228.63.210 port 38520 ssh2
His password is hYVvhxvzVf in the case.
Did you restart sshd?
Yes. I see this now again:
$ sftp marc@flh2.ucsd.edu:/upload
ssh: connect to host flh2.ucsd.edu port 22: Connection refused
Couldn't read packet: Connection reset by peer
That's fail2ban again. I do not show the password as correct.
One moment. I'm going to reset it.
Something odd going on. Looking closer. But please have them hold attempts.
OK, thanks!
I still have fl-hn2 in restricted login mode from the drive work.
One moment while I clean that up.
Jun 9 13:12:29 fl-hn2 sshd[26407]: User marc from xxxx not allowed because not listed in AllowUsers
OK. Cleaned up. Try, try again. Fl-hn2 was restricted to you, me and matteo, to protect the single drive over there. I've ended that restriction now that it's dual.
Fail2ban is also off for a moment to confirm it works.
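The three log lines quoted above (an "invalid user" failure, then "not listed in AllowUsers") each point at a different cause, and fail2ban reacts to the repeated failures by inserting the iptables REJECT shown earlier. The following is an added example, not code from this thread, from fail2ban or from the flh hosts: it classifies sshd auth-log lines by cause and reproduces the fail2ban-style counting (maxretry failures from one address inside a sliding findtime window; the defaults mirror fail2ban's documented defaults of 5 retries in 10 minutes). The log text is constructed: the first four lines are modelled on the ones quoted here, the address 203.0.113.9, the user will's failure and the later timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth-log excerpt. Lines 1-4 follow the ones quoted in the thread; the
# 203.0.113.9 line and the final "Accepted" line are invented for the example.
SAMPLE_AUTH_LOG = """\
Jun 9 12:56:37 fl-hn2 sshd[22739]: Failed password for invalid user marc from 169.228.63.210 port 38520 ssh2
Jun 9 12:56:40 fl-hn2 sshd[22739]: Failed password for invalid user marc from 169.228.63.210 port 38520 ssh2
Jun 9 12:56:43 fl-hn2 sshd[22739]: Failed password for invalid user marc from 169.228.63.210 port 38520 ssh2
Jun 9 13:12:29 fl-hn2 sshd[26407]: User marc from 169.228.63.210 not allowed because not listed in AllowUsers
Jun 9 13:20:02 fl-hn2 sshd[27111]: Failed password for will from 203.0.113.9 port 50110 ssh2
Jun 9 13:21:15 fl-hn2 sshd[27140]: Accepted password for marc from 169.228.63.210 port 38611 ssh2
"""

# syslog-style timestamp at the start of the line (no year, as in the quoted lines)
TIMESTAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)")

# Order matters: "Failed password for invalid user X" must be tested before the generic
# "Failed password for X" pattern, or the user would be captured as "invalid".
PATTERNS = [
    ("invalid_user",
     re.compile(r"Failed password for invalid user (?P<user>\S+) from (?P<ip>\S+)"),
     "no such account on this host: check /etc/passwd here, not on the other node"),
    ("allowusers",
     re.compile(r"User (?P<user>\S+) from (?P<ip>\S+) not allowed because not listed in AllowUsers"),
     "account exists, but AllowUsers in this host's sshd_config does not list it"),
    ("bad_password",
     re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)"),
     "account exists and is allowed; the password was wrong"),
    ("accepted",
     re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)"),
     "login succeeded"),
]
FAILURE_KINDS = {"invalid_user", "allowusers", "bad_password"}


def classify(line):
    """Return (kind, user, ip, hint) for a recognised sshd line, else None."""
    for kind, rx, hint in PATTERNS:
        m = rx.search(line)
        if m:
            return kind, m.group("user"), m.group("ip"), hint
    return None


def parse_ts(line):
    """Timestamp of a syslog line (year defaults to 1900; only differences are used)."""
    m = TIMESTAMP.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") if m else None


def triage(log_text):
    """Classify every recognised line so the cause of each failure is visible at a glance."""
    return [c for c in (classify(line) for line in log_text.splitlines()) if c]


def would_ban(log_text, maxretry=5, findtime=600):
    """Addresses that reach maxretry failures within a sliding findtime-second window.

    This is the fail2ban idea (maxretry/findtime), re-implemented here for illustration;
    the defaults follow fail2ban's documented defaults of 5 failures in 10 minutes.
    """
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    banned = set()
    for line in log_text.splitlines():
        c = classify(line)
        ts = parse_ts(line)
        if not c or c[0] not in FAILURE_KINDS or ts is None:
            continue
        q = window[c[2]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures outside the window
            q.popleft()
        if len(q) >= maxretry:
            banned.add(c[2])
    return banned


if __name__ == "__main__":
    for kind, user, ip, hint in triage(SAMPLE_AUTH_LOG):
        print(f"{kind:13} {user:6} {ip:16} {hint}")
    print("would ban at maxretry=3:", would_ban(SAMPLE_AUTH_LOG, maxretry=3))
    print("would ban at fail2ban defaults:", would_ban(SAMPLE_AUTH_LOG))
```

Run against a real /var/log/secure or auth.log, the triage output separates the "account not on this node" case from the "AllowUsers" case before anyone retries a password and trips the ban; lowering maxretry in the call shows how quickly a user who mistypes three times ends up in the REJECT chain.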
He could log in from on campus.
Cool. Then if you change that last line of /etc/hosts.allow
sshd : ALL : DENY
To
sshd : ALL : ALLOW
He can from off campus. But tell me as we'll want the brute force protection back on....(fail2ban)
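The rule forms used in this thread (an explicit ALLOW for 129.67.44.0/255.255.255.0 above a catch-all sshd : ALL : DENY, with that last line later flipped to ALLOW) can be checked before logging out, which matters because the file is consulted on every new connection. The following is an added example, not code from this thread or from the tcp_wrappers/libwrap package: it evaluates hosts.allow-style lines the way hosts_access(5) documents (the first rule matching both the daemon and the client decides; a line with no option field in hosts.allow means allow), supports the ALL, net/mask, trailing-dot prefix and exact-address client forms for IPv4, and flags lines likely to misbehave, such as a missing colon that silently turns ALLOW into a client pattern. The sample file, the 169.228.0.0/255.255.0.0 "campus" range, the 10.10.0. and 172.16.0.0 networks and the probe addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed /etc/hosts.allow in the shape discussed in the thread. None of the
# networks below is a real allocation; line 6 deliberately omits the second colon.
SAMPLE_HOSTS_ALLOW = """\
# on-campus range (constructed placeholder)
sshd: 169.228.0.0/255.255.0.0 : ALLOW
# collaborator network in net/mask form, then another in trailing-dot prefix form
sshd: 129.67.44.0/255.255.255.0 : ALLOW
sshd: 10.10.0. : ALLOW
sshd: 172.16.0.0/255.255.0.0 ALLOW
sshd : ALL : DENY
"""


@dataclass
class Rule:
    lineno: int
    daemons: List[str]
    clients: List[str]
    action: Optional[str]  # "ALLOW", "DENY", or None (no option field: hosts.allow default is allow)


def parse_hosts_allow(text: str) -> Tuple[List[Rule], List[Tuple[int, str]]]:
    """Parse hosts.allow-style lines. Returns (rules, problems); problems are (lineno, message)."""
    rules, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2 or not parts[0] or not parts[1]:
            problems.append((lineno, "needs at least 'daemon_list : client_list'"))
            continue
        action = None
        if len(parts) >= 3:
            action = parts[2].upper()
            if action not in ("ALLOW", "DENY"):  # spawn/twist/severity are not modelled here
                problems.append((lineno, f"unsupported option field {parts[2]!r}"))
                continue
        clients = parts[1].split()
        for c in clients:  # a missing colon turns the intended option into a client pattern
            if c.upper() in ("ALLOW", "DENY"):
                problems.append((lineno, f"{c!r} is in the client list; missing ':' before it?"))
        rules.append(Rule(lineno, parts[0].split(), clients, action))
    return rules, problems


def client_matches(pattern: str, ip: str) -> bool:
    """IPv4 client patterns: ALL, net/mask, trailing-dot prefix, exact address."""
    addr = ipaddress.IPv4Address(ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 129.67.44.0/255.255.255.0
        try:
            return addr in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):  # trailing-dot prefix form, e.g. 129.67.44.
        return ip.startswith(pattern)
    return ip == pattern  # exact address


def decide(rules: List[Rule], daemon: str, ip: str) -> Tuple[str, Optional[int]]:
    """First rule matching daemon and client wins, as in hosts_access(5).

    Returns (action, lineno); ("NO MATCH", None) means hosts.deny would be consulted next.
    """
    for r in rules:
        if daemon in r.daemons or "ALL" in r.daemons:
            if any(client_matches(p, ip) for p in r.clients):
                return (r.action or "ALLOW", r.lineno)
    return ("NO MATCH", None)


def decide_text(text: str, daemon: str, ip: str) -> Tuple[str, Optional[int]]:
    """Convenience wrapper: parse and decide in one call."""
    rules, _ = parse_hosts_allow(text)
    return decide(rules, daemon, ip)


if __name__ == "__main__":
    rules, problems = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
    for probe in ("129.67.44.17", "10.10.1.5", "172.16.5.5", "198.51.100.7"):
        print(probe, "->", decide(rules, "sshd", probe))
    opened = SAMPLE_HOSTS_ALLOW.replace("sshd : ALL : DENY", "sshd : ALL : ALLOW")
    print("after flipping the last line:", decide_text(opened, "sshd", "198.51.100.7"))
```

Pointing it at the real file (`python3 check.py < /etc/hosts.allow` with a small `sys.stdin.read()` in place of the constant) and probing the collaborator's address plus one arbitrary off-campus address is the cheap sanity check to run before logging out; the probe for the off-campus address is also what confirms the DENY-to-ALLOW change, and the reverse change, took effect.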
Worked from off campus. Thanks!
OK. I will turn on fail2ban then....
I'm trying to create an account for a collaborator outside of the campus. Is there any easy way to let them access it via SFTP from off campus?