SSH Key Enable/Disable

From Roaring Penguin
Revision as of 11:54, 30 July 2018 by JohnMertz (talk | contribs)

Jump to: navigation, search

Firewall

To allow Roaring Penguin support staff to ssh to your remote CanIt system you need to open up access on your firewall such that we can get to your machine on port 22. If you do this through the forwarding of an alternative port, please let Roaring Penguin staff know this port number each and every time you make a new support request.

You can limit this access to our IPs. Currently the primary IP address that we will come from is 108.63.66.105. If this link is down, we also have the a second IP, 206.248.171.190 which may also be used.

Once connected to one machine, we should be able to hop from there to any other CanIt machine in a clustered scenario, so you should not have to set up SSH to each individual node.

Support Key

CanIt appliances will automatically install and enable our support SSH key. If you have disabled that key previously or simply want to ensure that it is enabled before submitting a request, you can do so by running the following from the command line on the CanIt machine:

   /usr/share/canit/scripts/canit-service-key --enable

When we are finished you can feel free to disable access with:

   /usr/share/canit/scripts/canit-service-key --disable

It can save a lot of time if the keys are disabled prior to the request, so you may want to leave them enabled at all times. If this access is limited to only our IPs then this is generally safe, but you can feel free to abide by whatever policies are required for your organization.

Note about Password Authentication

Since Debian 8 (Jessie), password authentication to the 'root' account via SSH is prohibited. This means that the only way to access that account is by way of private key authentication. If you are running Jessie or newer, you should be generally safe to leave SSH access open whether or not our key is enabled.