Maltfield Log/2021 Q3

From Open Source Ecology

My work log from the year 2021 Quarter 3. I intentionally made this verbose to make future admins' work easier when troubleshooting. The more keywords, error messages, etc. that are listed in this log, the more helpful it will be for the future OSE Sysadmin.

See Also

  1. Maltfield_Log
  2. User:Maltfield
  3. Special:Contributions/Maltfield

Fri August 06, 2021

  1. jthomas is still having issues ssh'ing into the server. I think I may have fixed it by changing the ownership of the .ssh dir from 0755 to 0700 per our actual documentation https://wiki.opensourceecology.org/wiki/OSE_Server#SSH
[root@opensourceecology log]# ls -lah /home/jthomas/.ssh
total 12K
drwxr-xr-x 2 jthomas jthomas 4.0K Jul  8 16:39 .
drwx------ 3 jthomas jthomas 4.0K Jul  8 16:38 ..
-rw-r--r-- 1 jthomas jthomas  717 Jul  8 16:39 authorized_keys
[root@opensourceecology log]# 
[root@opensourceecology log]# chmod 700 /home/jthomas/.ssh
[root@opensourceecology log]# ls -lah /home/jthomas/.ssh
total 12K
drwx------ 2 jthomas jthomas 4.0K Jul  8 16:39 .
drwx------ 3 jthomas jthomas 4.0K Jul  8 16:38 ..
-rw-r--r-- 1 jthomas jthomas  717 Jul  8 16:39 authorized_keys
[root@opensourceecology log]# 
    1. I've had this issue before since my own personal dir is 0755, and I usually just copy that as a template. Not sure why it always works for me as 0755 but not for others.
  1. Today I finally re-logged into the ose dev server since Marcin gave me access to the hetzner cloud panel again
user@ose:~$ ssh -p32415 maltfield@195.201.233.113
The authenticity of host '[195.201.233.113]:32415 ([195.201.233.113]:32415)' can't be established.
ECDSA key fingerprint is SHA256:U99nmyy5WJZMQ6qQL7vofldQJcpztHzCEzO6OuHuLd4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[195.201.233.113]:32415' (ECDSA) to the list of known hosts.
Last login: Sun Sep 27 12:14:02 2020 from 110.44.127.170
[maltfield@osedev1 ~]$ 
  1. And I set up the .ssh/config file to simplify this in the future
user@ose:~$ cat ~/.ssh/config 
# OSE
Host openbuildinginstitute.org *.openbuildinginstitute.org opensourceecology.org *.opensourceecology.org
	Port 32415
	ForwardAgent yes
	IdentityFile /home/user/.ssh/identities/ose/id_rsa.ose
	User maltfield
Host osedev1
	Hostname 195.201.233.113
	Port 32415
	ForwardAgent yes
	IdentityFile /home/user/.ssh/identities/ose/id_rsa.ose
	User maltfield
user@ose:~$ 

user@ose:~$ ssh osedev1
Last login: Fri Aug  6 11:51:06 2021 from x4dbf0f28.dyn.telefonica.de
[maltfield@osedev1 ~]$ 
  1. I scp'd Joshua's CSR to the dev server, created his user, imported his cert, and signed it
[root@osedev1 3]# ./easyrsa sign-req client jthomas

Using SSL: openssl OpenSSL 1.0.2k-fips  26 Jan 2017


You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
	countryName               = US
	stateOrProvinceName       = NV
	localityName              = Henderson
	organizationName          = Order of the Oracle LLC
	organizationalUnitName    = Sys Admin
	commonName                = Joshua Thomas
	emailAddress              = joshua.thomas@ooto.technology


Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /usr/share/easy-rsa/3/pki/safessl-easyrsa.cnf
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'NV'
localityName          :ASN.1 12:'Henderson'
organizationName      :ASN.1 12:'Order of the Oracle LLC'
organizationalUnitName:ASN.1 12:'Sys Admin'
commonName            :ASN.1 12:'Joshua Thomas'
emailAddress          :IA5STRING:'joshua.thomas@ooto.technology'
Certificate is to be certified until Jul 21 10:30:43 2024 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /usr/share/easy-rsa/3/pki/issued/jthomas.crt

[root@osedev1 3]# 
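The easyrsa prompt above is explicit that it has not cryptographically verified the request and asks the signer to confirm the checksum with the sender before typing 'yes'. An added helper for that step (example code, not easy-rsa's or OSE's; file paths are arguments and the file names in the usage line are illustrative): it checks the CSR's self-signature (proof that the requester holds the matching private key), prints the subject to compare against the person you expect, prints a SHA-256 fingerprint of the DER-encoded request to read back to the requester over a second channel, and, once the certificate is issued, confirms it carries exactly the public key from the request:

```shell
#!/bin/sh
# Added example (not easy-rsa's or OSE's code): out-of-band checks around
# 'easyrsa sign-req'. Requires the openssl CLI; works with 1.0.2 and newer.

# csr_fingerprint CSR -> prints sha256 over the DER-encoded request.
# This is the "request checksum" easyrsa asks you to confirm with the sender;
# it covers the subject and the public key, not just the CN.
csr_fingerprint() {
    openssl req -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# csr_selfsig_ok CSR -> 0 if the request's self-signature verifies, i.e. whoever
# produced it holds the private key for the public key about to be certified.
# Message text differs between openssl versions, so match on 'verify OK'.
csr_selfsig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_subject CSR -> prints the subject line to compare with the expected user.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# cert_matches_csr CRT CSR -> 0 if the public key in the issued certificate is
# byte-for-byte the public key from the request (catches signing the wrong file).
cert_matches_csr() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    csr_pub=$(openssl req -in "$2" -noout -pubkey)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$csr_pub" ]
}

# Usage: sh csr_check.sh REQUEST.csr [ISSUED.crt]
if [ $# -ge 1 ]; then
    csr="$1"
    csr_selfsig_ok "$csr" || { echo "CSR self-signature FAILED: $csr" >&2; exit 1; }
    echo "subject:     $(csr_subject "$csr")"
    echo "fingerprint: $(csr_fingerprint "$csr")"
    if [ $# -ge 2 ]; then
        cert_matches_csr "$2" "$csr" && echo "issued certificate carries the request's public key" \
            || { echo "issued certificate does NOT match the request" >&2; exit 1; }
    fi
fi
```

Before signing, run `sh csr_check.sh /home/jthomas/openvpn/jthomas.csr` on the dev server and compare the printed fingerprint with the value the requester computes locally with the same openssl pipeline (over Wire, phone, or signed mail, not the same channel the CSR arrived on). After signing, run it again with the issued file, e.g. `sh csr_check.sh jthomas.csr /usr/share/easy-rsa/3/pki/issued/jthomas.crt`, before packaging the certificate for the user.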
  1. And I prepared their openvpn config
[root@osedev1 jthomas]# tar -czvf openvpn.tar.gz openvpn/
openvpn/
openvpn/ta.key
openvpn/client.conf
openvpn/ca.crt
openvpn/jthomas.csr
openvpn/jthomas.crt
openvpn/username.txt
[root@osedev1 jthomas]# 

[root@osedev1 jthomas]# pwd
/home/jthomas
[root@osedev1 jthomas]# du -sh *
32K	openvpn
8.0K	openvpn.tar.gz
[root@osedev1 jthomas]# 
  1. I sent Joshua an email asking them to scp the config down from the dev server; then we'll confirm access to the staging environment

Thu July 08, 2021

  1. Marcin approved granting root access to our server for Joshua Thomas, an OSE apprentice
Michael,

Yes, I authorize root access for Joshua Thomas to OSE infrastructure. He is
here for the next 6 months and I like how he works as a team player. He is
also resourceful. There are also risks involved, which I appreciate and I
would not give Joshua access unless there is a certain minimum of skill and
trust involved. Since he is performing well, I conclude that we would be
able to manage these risks successfully in cases of any breakdown. I do not
see much risk with finishing Discourse because from what I can tell, you
already did most of the work successfully.

Please communicate with him and cc me for the next steps.

Thanks,
Marcin

On Mon, Jul 5, 2021 at 10:46 AM Michael Altfield <michael@opensourceecology.org> wrote:

> Hey Marcin,
>
> After reviewing Joshua's CV, I see that they don't have a lot of Linux
> System Administration experience.
>
> It looks like they did install NextCloud on an Ubuntu service sometime
> in the past few years, but the rest of their experience is software
> development or Microsoft Admin or DB or telephony-related administration.
>
> The benefit of granting them access is that they can do tasks for you
> like setting-up Discourse.
>
> The risk of granting them access is that they break the server, and I
> don't have time to restore it from backup (which is a very, very long &
> involved process).
>
> Ultimately it's your choice: Do you authorize me granting Joshua Thomas
> root access to all of OSE's infrastructure?
>
>
> Cheers,
>
> Michael Altfield
> Senior Technology Advisor
> PGP Fingerprint: 8A4B 0AF8 162F 3B6A 79B7  70D2 AA3E DF71 60E2 D97B
>
> Open Source Ecology
> www.opensourceecology.org
  1. I created a user, set his password to a random 100 char string, added his ssh key, and added him to the sshaccess & wheel groups
# create the account and give it a throwaway random password (wheel members need one for sudo)
useradd jthomas
passwd jthomas
# ssh login group
gpasswd -a jthomas sshaccess
cd /home/jthomas/
mkdir .ssh
vim .ssh/authorized_keys
# sshd's StrictModes check rejects the key file if ~/.ssh or authorized_keys is owned by someone else or is group/world-writable
chown -R jthomas:jthomas .ssh
chmod 0700 .ssh
chmod 0644 .ssh/authorized_keys
# wheel = sudo
gpasswd -a jthomas wheel
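An added check, not part of OSE's documentation or this log, that serves both the Jul 8 account setup above and the Aug 6 entry at the top of the page (where ~/.ssh was changed from 0755 to 0700). Under StrictModes, which is on by default, sshd refuses to use authorized_keys if the home directory, ~/.ssh or the key file is owned by anyone other than the user or root, or is writable by group or world (mode bits 022). It does not demand 0700, so a 0755 ~/.ssh passes, which is consistent with the author's own 0755 directory working; 0700 is simply the tighter mode the OSE_Server page asks for. The script below reproduces sshd's check from the same ls -ld columns shown in the log so a failed login can be confirmed or ruled out as a permissions problem. The home path and user name are arguments; nothing in it is specific to the OSE host.

```shell
#!/bin/sh
# Added example (not from the OSE wiki or this log). Reproduces the ownership
# and mode checks sshd performs under StrictModes (the default) on the user's
# home, ~/.ssh and ~/.ssh/authorized_keys: each must be owned by the user or
# root and must not be group- or world-writable. 0755 on ~/.ssh passes.

# ssh_perm_check HOME_DIR USER
# Prints one line per problem found; returns 0 when sshd would accept the layout.
ssh_perm_check() {
    home="$1"; user="$2"; rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path"; rc=1; continue
        fi
        # Same columns as 'ls -lah' in the log: field 1 is the mode string,
        # field 3 the owner (positional parameters are local to this function).
        set -- $(ls -ld "$path")
        mode=$1; owner=$3
        case "$owner" in
            "$user"|root) ;;
            *) echo "bad owner ($owner): $path"; rc=1 ;;
        esac
        # character 6 of the mode string is the group write bit, character 9 the world write bit
        case "$mode" in ?????w*) echo "group-writable: $path"; rc=1 ;; esac
        case "$mode" in ????????w*) echo "world-writable: $path"; rc=1 ;; esac
    done
    return $rc
}

# Usage: sh ssh_perm_check.sh /home/jthomas jthomas   (run as root so every path is readable)
if [ $# -ge 2 ]; then
    ssh_perm_check "$1" "$2" && echo "ok: sshd StrictModes would accept $1"
fi
```

Empty output and exit 0 means StrictModes is not what is blocking the login, and the next place to look is the sshd log (/var/log/secure on CentOS), where a real mode problem shows up as "Authentication refused: bad ownership or modes for directory ...". Any line it prints is a condition sshd rejects regardless of what authorized_keys contains.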
  1. I sent Joshua an email asking him to sign up for wire and send me his username so I can send him his temp password
  2. I sent Joshua an email asking him to generate an OSE-specific 4096-bit RSA keypair and send me & Marcin his public key
  3. I sent Joshua an email asking him to confirm ssh access
  4. I sent Joshua an email with a list of 12 wiki articles for ramp-up reading
 1. https://wiki.opensourceecology.org/wiki/OSE_Server
 2. https://wiki.opensourceecology.org/wiki/OSE_Development_Server
 3. https://wiki.opensourceecology.org/wiki/OSE_Staging_Server
 4. https://wiki.opensourceecology.org/wiki/Web_server_configuration
 5. https://wiki.opensourceecology.org/wiki/Wordpress
 6. https://wiki.opensourceecology.org/wiki/Mediawiki
 7. https://wiki.opensourceecology.org/wiki/Munin
 8. https://wiki.opensourceecology.org/wiki/Awstats
 9. https://wiki.opensourceecology.org/wiki/Ossec
10. https://wiki.opensourceecology.org/wiki/VPN
11. https://wiki.opensourceecology.org/wiki/OpenVPN
12. https://wiki.opensourceecology.org/wiki/2FA
  1. I sent Joshua an email asking him to sign up for a hetzner account so that Marcin can grant him access to our cloud server (it looks like my account was disabled; iirc Hetzner couldn't confirm my identity and they ended up locking me out of my account)