Open jialincheoh opened 2 years ago
List of Key People
Vineet
Manthan
Satyam
Shatayu
Jia
@smukherjee0305 @sbrunswi @jialincheoh There are two goals:
Goal 1: Replace password with ssh keys (complete!)
Goal 2: Give an alias to the ip address. (pending)
For Goal 1, the following steps are required via terminal:
This creates an ssh key for your account by pairing the private-public ssh keys with the tower.
For Goal 2, I am following the instructions as given here. So far unable to create an alias. Please try at your end and let me know if you are able to create an alias name (say 'rcodi tower').
@jialincheoh and @vineet-mohanty : I changed the password for Jia on the server since she had lost it. She now has access again. I will look into this tomorrow myself but now you both have access! Key information about how to do that is accessible in the basic tutorial for Linux servers.
Again: I do not want you to make further changes yet. That is way too risky. I want us to develop a safe approach where we share with people in encrypted email the following: a markdown with the information: 1) their user name 2) the tower alias, the steps to attach the public key along with the public key in a separate file. This is not meant to be shared via email but should be shared with file looker please.
I would like to create a collection of entries here in our wiki that allows people to understand such server issues. Thank you.
Here are some good resources on the Red Hat site: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/s2-ssh-configuration-keypairs
I would like to create simple step-by-step instructions so that others like Vineet can go back to them in the future. I also would like to make sure we change passwords for others. I can do that as root if others do not have root rights. I want to make sure we also look into security issues on our tower and install updates of Ubuntu.
I just downloaded updates:
```
brunswicker@mukherjee-Precision-Tower-7910:~$ sudo apt-get update
[sudo] password for brunswicker:
Hit:1 http://us.archive.ubuntu.com/ubuntu bionic InRelease
Get:2 http://dl.google.com/linux/chrome/deb stable InRelease [1,811 B]
Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
Get:4 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Hit:5 http://ppa.launchpad.net/openjdk-r/ppa/ubuntu bionic InRelease
Get:6 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
Hit:7 https://packages.microsoft.com/repos/ms-teams stable InRelease
Get:9 https://cloud.r-project.org/bin/linux/ubuntu focal-cran40/ InRelease [3,622 B]
Err:2 http://dl.google.com/linux/chrome/deb stable InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4EB27DB2A3B88B8B
Ign:8 https://cran.utstat.utoronto.ca/bin/linux/ubuntu trusty/ InRelease
Hit:10 https://cran.utstat.utoronto.ca/bin/linux/ubuntu trusty/ Release
Get:11 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 DEP-11 Metadata [297 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 DEP-11 Metadata [302 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 DEP-11 Metadata [2,464 B]
Get:14 http://us.archive.ubuntu.com/ubuntu bionic-backports/universe amd64 DEP-11 Metadata [9,272 B]
Get:16 http://security.ubuntu.com/ubuntu bionic-security/main amd64 DEP-11 Metadata [55.1 kB]
Get:17 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 DEP-11 Metadata [61.1 kB]
Get:18 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 DEP-11 Metadata [2,464 B]
Fetched 985 kB in 2s (537 kB/s)
Reading package lists... Done
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://dl.google.com/linux/chrome/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4EB27DB2A3B88B8B
W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4EB27DB2A3B88B8B
W: Some index files failed to download. They have been ignored, or old ones used instead.
```
Looks like keys generate issue!
Here are some general guides for upgrading the system: `man apt`, `man apt-get`, `apt --help`; man commands are helpful. I upgraded the system (security) and it should now be better.
Creating ssh keys locally with
```
ssh-keygen
```
Update key with passphrase
```
ssh-keygen -p -f ~/.ssh/id_rsa
```
Copy SSH public key to remote-server and overwrite it.
```
ssh-copy-id -f sk@192.168.225.22
```
Type yes and enter the sudo password of the remote system.
Disable Password Based Authentication in Remote System
```
sudo vi /etc/ssh/sshd_config
# in that file, set:
#   PasswordAuthentication no
sudo systemctl restart sshd
```
Go to the following to apply the aliases for all users
```
pico /etc/ssh/ssh_config
```
Inside the file do, [ if you have the key-based authentication ]
```
Host ubuntu
    HostName 128.46.86.105
    User jialincheoh
    IdentityFile ~/.ssh/id_rsa_remotesystem
```
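A check that the `PasswordAuthentication no` edit described above actually takes effect, as an added example that is not part of the original thread: sshd uses the first value it reads for a keyword, and keyboard-interactive authentication through PAM can still reach a password prompt. The function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: which value will sshd really use for a keyword?
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after the first "Match" are conditional.

# effective_opt FILE KEYWORD DEFAULT -> global effective value, lower-cased
effective_opt() {
  awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
    /^[ \t]*(#|$)/ { next }                            # comments, blank lines
    { sub(/[ \t]*=[ \t]*/, " "); key = tolower($1) }   # accept "Key=value"
    key == "match" { exit }                            # global section ends
    key == want { val = tolower($2); found = 1; exit } # first occurrence wins
    END { print (found ? val : def) }
  ' "$1"
}

# password_prompt_reachable FILE -> exit 0 if a password can still log in
password_prompt_reachable() {
  local pw cr kbd pam
  pw=$(effective_opt "$1" PasswordAuthentication yes)
  # keyboard-interactive + PAM is a second route to a password prompt; newer
  # OpenSSH names the option KbdInteractiveAuthentication (simplified here)
  cr=$(effective_opt "$1" ChallengeResponseAuthentication yes)
  kbd=$(effective_opt "$1" KbdInteractiveAuthentication "$cr")
  pam=$(effective_opt "$1" UsePAM no)
  [ "$pw" = yes ] || { [ "$kbd" = yes ] && [ "$pam" = yes ]; }
}

# Constructed sample: "no" was appended below an existing uncommented "yes",
# so the edit has no effect even after sshd is restarted.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sshd_config fragment
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
passwordauthentication no
EOF
echo "PasswordAuthentication in effect: $(effective_opt "$demo" PasswordAuthentication yes)"
if password_prompt_reachable "$demo"; then
  echo "password logins are still accepted"
fi
rm -f "$demo"
```

On the live server, `sudo sshd -T | grep -i passwordauthentication` prints sshd's own view of the effective setting, and `sudo sshd -t` validates the file before the restart.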
@sbrunswi I suspect that only root user can create aliases.
Please try
```
sudo nano ~/.bash_profile
alias rcodi='ssh brunswicker@128.46.86.105'
```
if your username is brunswicker
Then
```
$ source ~/.bash_profile
```
Logout and then do `rcodi` to see if that logs u into RCODI.
@sbrunswi add the below line to the `/etc/hosts` file when u have access to the physical machine, the firewall is blocking the access with aliases.
```
128.46.86.105 mukherjee-Precision-Tower-7910
```
See if the above will solve the issue with aliases, if not you will also need the physical machine for this
```
# firewall-cmd --permanent --add-port=22/tcp
# firewall-cmd --reload
```
To create ssh keys, @sbrunswi follow my command below
Do
```
ssh-keygen
```
if you already have ssh key, do
```
ssh-keygen -p -f ~/.ssh/id_rsa
```
then do
```
ssh-copy-id jialincheoh@128.46.86.105
```
Screenshot attached for reference, now we just need to fix the aliases for the entire thing to work together with the aliases.
The key based access just successfully worked for me @sbrunswi , call me when you are available and I guide u through it to make it universal for everyone so that we can disable password for everyone.
If we want a more fancy way to play with aliases @sbrunswi, we can install
```
sudo apt-get install avahi-daemon
```
Since when I checked the file `/etc/nsswitch.conf`, we already have something like the following
```
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
```
Essentially, what the above is doing is that it's making our workflow more simplistic, logging in will just require let's say
```
ssh rcodi.local
```