Difference between revisions of "SSH Key Enable/Disable"

From Roaring Penguin
Jump to: navigation, search
m (Firewall)
Line 19: Line 19:
  
 
CanIt appliances will automatically install and enable our support SSH key. If you have disabled
 
CanIt appliances will automatically install and enable our support SSH key. If you have disabled
that key previously or simply want to ensure that it is enabled before submitting a request, you
+
that key previously, or simply want to ensure that it is enabled before submitting a request, you
 
can do so by running the following from the command line on the CanIt machine:
 
can do so by running the following from the command line on the CanIt machine:
  
 
     /usr/share/canit/scripts/canit-service-key --enable
 
     /usr/share/canit/scripts/canit-service-key --enable
  
When we are finished you can feel free to disable access with:
+
When we have finished you can disable access with:
  
 
     /usr/share/canit/scripts/canit-service-key --disable
 
     /usr/share/canit/scripts/canit-service-key --disable
  
It can save a lot of time if the keys are disabled prior to the request, so you may want to  
+
It can save a lot of time if the keys are enabled prior to a support request, so you may want to  
 
leave them enabled at all times. If this access is limited to only our IPs then this is  
 
leave them enabled at all times. If this access is limited to only our IPs then this is  
 
generally safe, but you can feel free to abide by whatever policies are required for your  
 
generally safe, but you can feel free to abide by whatever policies are required for your  
 
organization.
 
organization.
 
===Note about Password Authentication===
 
 
Since Debian 8 (Jessie), [[SSH_Login#SSH_in_Debian_Jessie_.288.29_and_Above | password
 
authentication to the 'root' account via SSH is prohibited]]. This means that the only way to
 
access that account is by way of private key authentication. If you are running Jessie or
 
newer, you should be generally safe to leave SSH access open whether or not our key is enabled.
 
  
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
<div style="float:right; clear:both; margin-right:0.5em">[[Support Wiki | [Home]]]</div>
 
[[category:All]][[category:Security]][[category:Management]]
 
[[category:All]][[category:Security]][[category:Management]]

Revision as of 11:03, 19 September 2018

Firewall

To allow Roaring Penguin support staff to ssh to your remote CanIt system, you need to open up access on your firewall such that we can get to your machine on port 22. If you do this through the forwarding of an alternative port, please let Roaring Penguin staff know this port number each and every time you make a new support request.

You can limit this access to our IPs. Currently we use these three IP addresses:

  • 72.137.191.171
  • 108.63.66.105
  • 206.248.171.190

The third is expected to be discontinued, but we will keep this wiki up to date.

Once connected to one machine, we should be able to hop from there to any other CanIt machine in a clustered scenario, so you should not have to set up SSH to each individual node.

Support Key

CanIt appliances will automatically install and enable our support SSH key. If you have disabled that key previously, or simply want to ensure that it is enabled before submitting a request, you can do so by running the following from the command line on the CanIt machine:

   /usr/share/canit/scripts/canit-service-key --enable

When we have finished you can disable access with:

   /usr/share/canit/scripts/canit-service-key --disable

It can save a lot of time if the keys are enabled prior to a support request, so you may want to leave them enabled at all times. If this access is limited to only our IPs then this is generally safe, but you can feel free to abide by whatever policies are required for your organization.