Difference between revisions of "SSH Key Enable/Disable"

From Roaring Penguin
Line 1: Line 1:
To allow us to ssh to your remote CanIt system you need to open up access on your firewall to allow us coming
+
==Firewall==
from IP 108.63.66.105 on port 22. To enable our support key, from the command line on the CanIt
+
 
machine enter:
+
To allow Roaring Penguin support staff to ssh to your remote CanIt system you need to open up
 +
access on your firewall such that we can get to your machine on port 22. If you do this through
 +
the forwarding of an alternative port, please let Roaring Penguin staff know this port number
 +
each and every time you make a new support request.
 +
 
 +
You can limit this access to our IPs. Currently the primary IP address that we will come from
 +
is <b>108.63.66.105</b>. If this link is down, we also have the a second IP, <b>206.248.171.190
 +
</b> which may also be used.
 +
 
 +
Once connected to one machine, we should be able to hop from there to any other CanIt machine in
 +
a clustered scenario, so you should not have to set up SSH to each individual node.
 +
 
 +
==Support Key==
 +
 
 +
CanIt appliances will automatically install and enable our support SSH key. If you have disabled
 +
that key previously or simply want to ensure that it is enabled before submitting a request, you
 +
can do so by running the following from the command line on the CanIt machine:
  
 
     /usr/share/canit/scripts/canit-service-key --enable
 
     /usr/share/canit/scripts/canit-service-key --enable
  
When we are finished you can disable access with:
+
When we are finished you can feel free to disable access with:
  
 
     /usr/share/canit/scripts/canit-service-key --disable
 
     /usr/share/canit/scripts/canit-service-key --disable
 +
 +
It can save a lot of time if the keys are disabled prior to the request, so you may want to
 +
leave them enabled at all times. If this access is limited to only our IPs then this is
 +
generally safe, but you can feel free to abide by whatever policies are required for your
 +
organization.
 +
 +
===Note about Password Authentication===
 +
 +
Since Debian 8 (Jessie), [[SSH_Login#SSH_in_Debian_Jessie_.288.29_and_Above | password
 +
authentication to the 'root' account via SSH is prohibited]]. This means that the only way to
 +
access that account is by way of private key authentication. If you are running Jessie or
 +
newer, you should be generally safe to leave SSH access open whether or not our key is enabled.
  
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
[[category:All]][[category:Security]][[category:Management]]
 
[[category:All]][[category:Security]][[category:Management]]
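
Review bot: the added Support Key paragraph says it saves time "if the keys are disabled prior to the request" and then advises leaving them enabled at all times, so the two halves of that sentence contradict each other; "disabled" should read "enabled". In the added Firewall section, "we also have the a second IP" has a stray "the". The closing claim that leaving the key enabled is "generally safe" depends on the firewall being limited to the two listed IPs, but the Firewall section only says access "can" be limited; consider wording the restriction as a recommendation so the two sections agree.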

Revision as of 10:54, 30 July 2018

Firewall

To allow Roaring Penguin support staff to SSH to your remote CanIt system, you need to open up access on your firewall so that we can reach your machine on port 22. If you do this by forwarding an alternative port, please let Roaring Penguin staff know this port number each and every time you make a new support request.

You can limit this access to our IPs. Currently the primary IP address that we will come from is 108.63.66.105. If this link is down, we also have a second IP, 206.248.171.190, which may also be used.

Once connected to one machine, we should be able to hop from there to any other CanIt machine in a clustered scenario, so you should not have to set up SSH to each individual node.

Support Key

CanIt appliances will automatically install and enable our support SSH key. If you have disabled that key previously or simply want to ensure that it is enabled before submitting a request, you can do so by running the following from the command line on the CanIt machine:

   /usr/share/canit/scripts/canit-service-key --enable

When we are finished you can feel free to disable access with:

   /usr/share/canit/scripts/canit-service-key --disable

It can save a lot of time if the keys are already enabled prior to the request, so you may want to leave them enabled at all times. If this access is limited to only our IPs then this is generally safe, but you can feel free to abide by whatever policies are required for your organization.

Note about Password Authentication

Since Debian 8 (Jessie), password authentication to the 'root' account via SSH is prohibited. This means that the only way to access that account is by way of private key authentication. If you are running Jessie or newer, you should be generally safe to leave SSH access open whether or not our key is enabled.
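
The paragraph above relies on the Debian default still being in effect. As an added example (not part of the original page or of Roaring Penguin's tooling), this POSIX shell function reads the effective configuration printed by `sshd -T` and reports whether root can still authenticate with a password. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Roaring Penguin's code): decide from `sshd -T` output
# whether root can still authenticate over SSH with a password.

# Print the value of one keyword; `sshd -T` prints "keyword value" per line.
sshd_value() {
    awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }'
}

# stdin: `sshd -T` output. Returns 0 if root password login is blocked,
# 1 if it is possible, 2 if the input has no usable PermitRootLogin line.
root_password_blocked() {
    cfg=$(cat)
    prl=$(printf '%s\n' "$cfg" | sshd_value permitrootlogin)
    case "$prl" in
        no|prohibit-password|without-password|forced-commands-only)
            return 0 ;;   # root is refused outright or limited to keys
        yes)
            # Root may log in, so every password-capable method must be off.
            pa=$(printf '%s\n' "$cfg" | sshd_value passwordauthentication)
            if [ "$pa" != "no" ]; then return 1; fi
            # Keyboard-interactive (PAM) can also prompt for a password;
            # the keyword name differs between OpenSSH versions.
            for kw in kbdinteractiveauthentication challengeresponseauthentication; do
                v=$(printf '%s\n' "$cfg" | sshd_value "$kw")
                if [ "$v" = "yes" ]; then return 1; fi
            done
            return 0 ;;
        *)
            return 2 ;;
    esac
}

# Constructed sample inputs (not captured from a real appliance).
SAMPLE_JESSIE_DEFAULT='port 22
permitrootlogin without-password
passwordauthentication yes
challengeresponseauthentication no'

SAMPLE_ROOT_PASSWORD='port 22
permitrootlogin yes
passwordauthentication yes
challengeresponseauthentication no'

SAMPLE_ROOT_VIA_PAM='port 22
permitrootlogin yes
passwordauthentication no
kbdinteractiveauthentication yes'
```

On a live host, run it as root with `sshd -T | root_password_blocked; echo $?`. `Match` blocks can change the result for a given source address, which `sshd -T -C` lets you evaluate.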