Difference between revisions of "SSH Key Enable/Disable"

From Roaring Penguin
Jump to: navigation, search
Line 6: Line 6:
 
each and every time you make a new support request.
 
each and every time you make a new support request.
  
You can limit this access to our IPs. Currently the primary IP address that we will come from
+
You can limit this access to our IPs. Currently we use these three IP addresses:
is <b>108.63.66.105</b>. If this link is down, we also have the a second IP, <b>206.248.171.190
+
*72.137.191.171
</b> which may also be used.
+
*108.63.66.105
 +
*206.248.171.190
 +
 
 +
The third is expected to be discontinued, but we will keep this wiki up to date.
  
 
Once connected to one machine, we should be able to hop from there to any other CanIt machine in
 
Once connected to one machine, we should be able to hop from there to any other CanIt machine in

Revision as of 08:18, 31 July 2018

Firewall

To allow Roaring Penguin support staff to ssh to your remote CanIt system you need to open up access on your firewall such that we can get to your machine on port 22. If you do this through the forwarding of an alternative port, please let Roaring Penguin staff know this port number each and every time you make a new support request.

You can limit this access to our IPs. Currently we use these three IP addresses:

  • 72.137.191.171
  • 108.63.66.105
  • 206.248.171.190

The third is expected to be discontinued, but we will keep this wiki up to date.

Once connected to one machine, we should be able to hop from there to any other CanIt machine in a clustered scenario, so you should not have to set up SSH to each individual node.

Support Key

CanIt appliances will automatically install and enable our support SSH key. If you have disabled that key previously or simply want to ensure that it is enabled before submitting a request, you can do so by running the following from the command line on the CanIt machine:

   /usr/share/canit/scripts/canit-service-key --enable

When we are finished you can feel free to disable access with:

   /usr/share/canit/scripts/canit-service-key --disable

It can save a lot of time if the keys are disabled prior to the request, so you may want to leave them enabled at all times. If this access is limited to only our IPs then this is generally safe, but you can feel free to abide by whatever policies are required for your organization.

Note about Password Authentication

Since Debian 8 (Jessie), password authentication to the 'root' account via SSH is prohibited. This means that the only way to access that account is by way of private key authentication. If you are running Jessie or newer, you should be generally safe to leave SSH access open whether or not our key is enabled.