Maltfield Log/2021 Q3
My work log from the year 2021 Quarter 2. I intentionally made this verbose to make future admins' work easier when troubleshooting. The more keywords, error messages, etc. that are listed in this log, the more helpful it will be for the future OSE Sysadmin.
See Also
Fri August 06, 2021
- jthomas is still having issues ssh'ing into the server. I think I may have fixed it by changing the ownership of the .ssh dir from 0755 to 0700 per our actual documentation https://wiki.opensourceecology.org/wiki/OSE_Server#SSH
[root@opensourceecology log]# ls -lah /home/jthomas/.ssh
total 12K
drwxr-xr-x 2 jthomas jthomas 4.0K Jul 8 16:39 .
drwx------ 3 jthomas jthomas 4.0K Jul 8 16:38 ..
-rw-r--r-- 1 jthomas jthomas 717 Jul 8 16:39 authorized_keys
[root@opensourceecology log]# chmod 700 /home/jthomas/.ssh
[root@opensourceecology log]# ls -lah /home/jthomas/.ssh
total 12K
drwx------ 2 jthomas jthomas 4.0K Jul 8 16:39 .
drwx------ 3 jthomas jthomas 4.0K Jul 8 16:38 ..
-rw-r--r-- 1 jthomas jthomas 717 Jul 8 16:39 authorized_keys
[root@opensourceecology log]#
- I've had this issue before since my own personal dir is 0755, and I usually just copy that as a template. Not sure why it always works for me as 0755 but not others.
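The permission problem above is the one sshd enforces with StrictModes (on by default): it refuses to read authorized_keys when the home directory, ~/.ssh or the file itself is group- or world-writable, or is owned by someone other than the user or root. As an added check, not from the original log, the script below audits exactly those conditions for one user and names the offending path; it assumes a Linux stat that supports -c.

```shell
#!/bin/sh
# Added example, not part of the original log: reproduce the ownership and
# mode checks that sshd applies (StrictModes, on by default) before it will
# read ~/.ssh/authorized_keys, so a failing key login can be diagnosed without
# digging through /var/log/secure. Assumed: GNU/busybox stat with -c.
# Usage: check_ssh_perms <home_dir> <user>    (exit 0 = sshd will accept)

check_ssh_perms() {
    home="$1"; user="$2"; rc=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")
        # sshd requires each path to belong to the user or to root ...
        if [ "$owner" != "$user" ] && [ "$owner" != "root" ]; then
            echo "OWNER    $path is owned by $owner, not $user"; rc=1
        fi
        # ... and to be neither group- nor world-writable (mode & 022 == 0).
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path has mode $mode"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK       $user: sshd will accept $home/.ssh/authorized_keys"
    return "$rc"
}

# Run directly as root, e.g.: sh check_ssh_perms.sh /home/jthomas jthomas
if [ "$#" -eq 2 ]; then check_ssh_perms "$1" "$2"; fi
```

A mode of 0755 on ~/.ssh passes this audit, so when the script reports OK but the login still fails, the cause is elsewhere (key mismatch, sshaccess group, sshd_config).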
- Today I finally re-logged-into the ose dev server since Marcin gave me access to the hetzner cloud panel again
user@ose:~$ ssh -p32415 maltfield@195.201.233.113
The authenticity of host '[195.201.233.113]:32415 ([195.201.233.113]:32415)' can't be established.
ECDSA key fingerprint is SHA256:U99nmyy5WJZMQ6qQL7vofldQJcpztHzCEzO6OuHuLd4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[195.201.233.113]:32415' (ECDSA) to the list of known hosts.
Last login: Sun Sep 27 12:14:02 2020 from 110.44.127.170
[maltfield@osedev1 ~]$
- And I setup the .ssh/config file to simplify this in the future
user@ose:~$ cat ~/.ssh/config
# OSE
Host openbuildinginstitute.org *.openbuildinginstitute.org opensourceecology.org *.opensourceecology.org
	Port 32415
	ForwardAgent yes
	IdentityFile /home/user/.ssh/identities/ose/id_rsa.ose
	User maltfield

Host osedev1
	Hostname 195.201.233.113
	Port 32415
	ForwardAgent yes
	IdentityFile /home/user/.ssh/identities/ose/id_rsa.ose
	User maltfield
user@ose:~$ ssh osedev1
Last login: Fri Aug 6 11:51:06 2021 from x4dbf0f28.dyn.telefonica.de
[maltfield@osedev1 ~]$
- I scp'd Joshua's CSR to the dev server, created his user, imported his cert, and signed it
[root@osedev1 3]# ./easyrsa sign-req client jthomas
Using SSL: openssl OpenSSL 1.0.2k-fips 26 Jan 2017

You are about to sign the following certificate.
Please check over the details shown below for accuracy. Note that this request
has not been cryptographically verified. Please be sure it came from a trusted
source or that you have verified the request checksum with the sender.

Request subject, to be signed as a client certificate for 1080 days:

subject=
    countryName               = US
    stateOrProvinceName       = NV
    localityName              = Henderson
    organizationName          = Order of the Oracle LLC
    organizationalUnitName    = Sys Admin
    commonName                = Joshua Thomas
    emailAddress              = joshua.thomas@ooto.technology

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes
Using configuration from /usr/share/easy-rsa/3/pki/safessl-easyrsa.cnf
Enter pass phrase for /usr/share/easy-rsa/3/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'NV'
localityName          :ASN.1 12:'Henderson'
organizationName      :ASN.1 12:'Order of the Oracle LLC'
organizationalUnitName:ASN.1 12:'Sys Admin'
commonName            :ASN.1 12:'Joshua Thomas'
emailAddress          :IA5STRING:'joshua.thomas@ooto.technology'
Certificate is to be certified until Jul 21 10:30:43 2024 GMT (1080 days)

Write out database with 1 new entries
Data Base Updated

Certificate created at: /usr/share/easy-rsa/3/pki/issued/jthomas.crt

[root@osedev1 3]#
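easyrsa's warning above ("this request has not been cryptographically verified ... verify the request checksum with the sender") is the step that keeps a CA from signing a swapped or altered CSR. The following added script, not part of the original log or of easy-rsa, does that pre-signing check: it confirms the CSR's own self-signature, compares a SHA-256 of the DER form against the checksum the requester sent over a separate channel, and compares the commonName against the expected one. It assumes the openssl CLI and GNU coreutils are present.

```shell
#!/bin/sh
# Added example, not part of the original log: the pre-signing check that
# easyrsa's "sign-req" warning asks the CA operator to do by hand.
# Assumed: openssl CLI, sha256sum, sed. Usage:
#   verify_csr <request.csr> <expected_sha256_hex> <expected_commonName>

csr_checksum() {
    # Hash the DER encoding so PEM line wrapping or trailing newlines
    # cannot change the value the requester and the CA compare.
    openssl req -in "$1" -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1
}

csr_cn() {
    # Pull the commonName out of the request subject (RFC 2253 layout).
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

verify_csr() {
    csr="$1"; expected_sum="$2"; expected_cn="$3"; rc=0
    # 1. The CSR is signed by the key it carries; a tampered file fails here.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: self-signature on $csr does not verify"; return 1
    fi
    # 2. The checksum matches what the requester communicated out of band.
    actual_sum=$(csr_checksum "$csr")
    if [ "$actual_sum" != "$expected_sum" ]; then
        echo "FAIL: checksum $actual_sum does not match expected $expected_sum"; rc=1
    fi
    # 3. The subject is the person this certificate is being issued to.
    actual_cn=$(csr_cn "$csr")
    if [ "$actual_cn" != "$expected_cn" ]; then
        echo "FAIL: CN '$actual_cn' does not match expected '$expected_cn'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $csr verified, checksum and CN '$expected_cn' match"
    return "$rc"
}

if [ "$#" -eq 3 ]; then verify_csr "$1" "$2" "$3"; fi
```

The requester computes the same value with `openssl req -in jthomas.csr -outform DER | sha256sum` and sends it by a channel other than the one that carried the CSR; only after an OK does `./easyrsa sign-req` run.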
- And I prepared their openvpn config
[root@osedev1 jthomas]# tar -czvf openvpn.tar.gz openvpn/
openvpn/
openvpn/ta.key
openvpn/client.conf
openvpn/ca.crt
openvpn/jthomas.csr
openvpn/jthomas.crt
openvpn/username.txt
[root@osedev1 jthomas]# pwd
/home/jthomas
[root@osedev1 jthomas]# du -sh *
32K	openvpn
8.0K	openvpn.tar.gz
[root@osedev1 jthomas]#
- I sent Joshua an email asking them to scp the config down from the dev server; then we'll confirm access to the staging environment
Thu July 08, 2021
- Marcin approved granting root access to our server for Joshua Thomas, an OSE apprentice
Michael,

Yes, I authorize root access for Joshua Thomas to OSE infrastructure. He is here for the next 6 months and I like how he works as a team player. He is also resourceful. There are also risks involved, which I appreciate and I would not give Joshua access unless there is a certain minimum of skill and trust involved. Since he is performing well, I conclude that we would be able to manage these risks successfully in cases of any breakdown. I do not see much risk with finishing Discourse because from what I can tell, you already did most of the work successfully.

Please communicate with him and cc me for the next steps.

Thanks,
Marcin

On Mon, Jul 5, 2021 at 10:46 AM Michael Altfield <michael@opensourceecology.org> wrote:
> Hey Marcin,
>
> After reviewing Joshua's CV, I see that they don't have a lot of Linux System Administration experience.
>
> It looks like they did install NextCloud on an Ubuntu service sometime in the past few years, but the rest of their experience is software development or Microsoft Admin or DB or telephony-related administration.
>
> The benefit of granting them access is that they can do tasks for you like setting-up Discourse.
>
> The risk of granting them access is that they break the server, and I don't have time to restore it from backup (which is a very, very long & involved process).
>
> Ultimately it's your choice: Do you authorize me granting Joshua Thomas root access to all of OSE's infrastructure?
>
> Cheers,
>
> Michael Altfield
> Senior Technology Advisor
> PGP Fingerprint: 8A4B 0AF8 162F 3B6A 79B7 70D2 AA3E DF71 60E2 D97B
>
> Open Source Ecology
> www.opensourceecology.org
- I created a user, set his password to a random 100 char string, added his ssh key, and added him to the sshaccess & wheel groups
useradd jthomas
passwd jthomas
gpasswd -a jthomas sshaccess
cd /home/jthomas/
mkdir .ssh
vim .ssh/authorized_keys
chown -R jthomas:jthomas .ssh
chmod 0700 .ssh
chmod 0644 .ssh/authorized_keys
gpasswd -a jthomas wheel
- I sent Joshua an email asking him to signup for wire and send me his username so I can send him his temp password
- I sent Joshua an email asking him to generate an OSE-specific 4096-bit RSA keypair and send me & Marcin his public key
- I sent Joshua an email asking him to confirm ssh access
- I sent Joshua an email with a list of 12 wiki articles for ramp-up reading
1. https://wiki.opensourceecology.org/wiki/OSE_Server
2. https://wiki.opensourceecology.org/wiki/OSE_Development_Server
3. https://wiki.opensourceecology.org/wiki/OSE_Staging_Server
4. https://wiki.opensourceecology.org/wiki/Web_server_configuration
5. https://wiki.opensourceecology.org/wiki/Wordpress
6. https://wiki.opensourceecology.org/wiki/Mediawiki
7. https://wiki.opensourceecology.org/wiki/Munin
8. https://wiki.opensourceecology.org/wiki/Awstats
9. https://wiki.opensourceecology.org/wiki/Ossec
10. https://wiki.opensourceecology.org/wiki/VPN
11. https://wiki.opensourceecology.org/wiki/OpenVPN
12. https://wiki.opensourceecology.org/wiki/2FA
- I sent Joshua an email asking him to sign up for a hetzner account so that Marcin can grant him access to our cloud server (it looks like my account was disabled; iirc Hetzner couldn't confirm my identity and they ended up locking me out of my account)