HUB: Difference between revisions

From XPUB & Lens-Based wiki
No edit summary
Line 93: Line 93:
</pre>
</pre>


===.ssh/config===
===~/.ssh/config===
Here is a ssh configuration which should allow you to '''ssh easily from your local machine to one of the Hub nodes'''
 
using only:
ssh hub.nodename
 
By adding to ~/.ssh/config the following configuration, and changing with the correct details:


<pre>
<pre>
 
Host hub.nodename
Host hub.bootleglib
User username
User andre
Hostname  10.0.0.XXX
Hostname  10.0.0.XXX
ProxyJump usrtname@xpub.nl:2501
ProxyJump username@xpub.nl:2501
Identityfile /home/andre/.ssh/id_ed25519
Identityfile ~/.ssh/id_rsa
Serveraliveinterval 30
Serveraliveinterval 30
</pre>


</pre>
Where:
* nodename: is the name you would like to give this node of hub.
* XXX: termination if node's IP
* username: your username in the Pi and Xpub server (should be the same)
* ~/.ssh/id_rsa location of the private keys
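Review bot: The Identityfile lines in this region (/home/andre/.ssh/id_ed25519 and ~/.ssh/id_rsa) disagree on key type, and the page's own key generation step produces ~/.ssh/id_ed25519, so a reader who copies ~/.ssh/id_rsa as written may point ssh at a key file that does not exist. Suggest using ~/.ssh/id_ed25519 as the placeholder and naming it in the "Where:" list. In the same list, "termination if node's IP" should read "of", and the ProxyJump pair still shows "usrtname" on one side.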

Revision as of 18:27, 2 December 2019

WAT

HUB or https://hub.xpub.nl is a VPN wonder to gazillions XPUB things.

You will need to:

  • 0. Determine IP address of a new thing (see below)
  • 1. Add a new thing (see below)
  • 2. Ask user to give you preferred username & a new ssh pubkey (see below)
  • 3. Add a new jump user (see below)
  • 4. Jump user connects to his machine (see below)

Adding a new thing

Only gnd or a should do that. Also we will only add things that can only be ssh'ed via keys, no passwd logins plz.

  • On xvm:
tinc -n hub invite ${NODE_NAME}
  • On ${NODE_NAME}:

FIXME

Generating a ssh pubkey for the jump user

This should be done by the users themselves. This only applies to linux-like OS's. Users should be made aware what ssh keys are.

This generates a new key with a default name, so if the user already has an existing key, they should name it differently, so the existing one is not overwritten. The key should be protected by a passphrase.

ssh-keygen -t ed25519

Once the key is generated, we will need the public key (pubkey). Usually it would be a file called id_ed25519.pub located in ~/.ssh. Just cat the file and send us the contents.
♥♥♥ Please be aware there is also a file called id_ed25519. This is the private key. Don't ever send or disclose the private key! ♥♥♥

cat ~/.ssh/id_ed25519.pub

You can also send id_ed25519.pub as an attachment. If you named your key differently, it will be a file called $NAME.pub

Adding a jump user on XVM

There is a script called add_jumpuser. It adds a new user on XVM, that is only allowed to ssh into the remote machine. You will need:

  • Username for the user
  • IP of the machine (see below for allocation)
  • ED25519 pubkey from the user

Once you have all of this, just run on XVM (note the single quotes around the ssh pubkey):

/root/scripts/add_jumpuser.sh USERNAME IP 'PUBKEY'

eg.:
/root/scripts/add_jumpuser.sh lol 10.0.0.666 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE29EOVCl0/WjknAoEEEZSPUyCWQKNoXX2HCC123456 some1@host'
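
Before running add_jumpuser it is worth checking that what the user sent really is an Ed25519 public key and will survive the single-quoted argument. The check below is an added example, not part of the add_jumpuser script or any XPUB code; check_pubkey and constructed_sample_line are hypothetical names, and the sample key is constructed.

```python
import base64
import struct

KEY_TYPE = "ssh-ed25519"

def check_pubkey(line):
    """Return (ok, reason) for one public-key line submitted by a user."""
    if "PRIVATE KEY" in line:
        return False, "private key material submitted; the user must generate a new key"
    if "\n" in line.strip() or "'" in line:
        return False, "line breaks or single quotes would break the quoted argument"
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        return False, "expected 'ssh-ed25519 BASE64 [comment]'"
    if fields[0] != KEY_TYPE:
        return False, "key type is %s, not %s" % (fields[0], KEY_TYPE)
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        return False, "key body is not valid base64 (cut off when pasted?)"
    # The blob holds two length-prefixed strings: the key type, then the 32-byte key.
    parts, pos = [], 0
    while pos + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if pos != len(blob) or len(parts) != 2:
        return False, "key blob is malformed or truncated"
    if parts[0] != KEY_TYPE.encode() or len(parts[1]) != 32:
        return False, "key blob does not hold an Ed25519 public key"
    return True, "ok"

def constructed_sample_line():
    """Constructed sample (key bytes 0..31), not a real user's key."""
    blob = (struct.pack(">I", len(KEY_TYPE)) + KEY_TYPE.encode()
            + struct.pack(">I", 32) + bytes(range(32)))
    return "%s %s some1@host" % (KEY_TYPE, base64.b64encode(blob).decode())

if __name__ == "__main__":
    good = constructed_sample_line()
    for line in (good, good[:-20], "ssh-rsa AAAA some1@host"):
        print(check_pubkey(line), "<-", line[:40])
```
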

When removing the user on XVM:

  • userdel -r USERNAME
  • remove USERNAME from AllowUsers in sshd_config
  • restart sshd

IP allocation

  • 1-9: XPUB main servers
  • 10-99: shared machines used by the whole course (for admin or lessons or multi-user projects/libraries/etc)
  • 100-254: personal and/or grad projects machines
Subnet       Node         ???
------       ----         ---
10.0.0.1     xvm          XPUB server, tincd overlord, destroyer of pads
10.0.0.10    skattkista   Borg Central
10.0.0.11    xpub2019     xpub1 sandbox (2019-2020) (Andre root)
10.0.0.100   wizardcity   Aymeric
10.0.0.101   screaming    Angeliki
10.0.0.102   warnet       Tash
10.0.0.???   food         Alice -- misconfigured, lost in ether
10.0.1.103   bootleglib   Simon

Connecting to the machines inside

On the user's personal machine (where the public key was generated) just:

ssh -J xpub.nl:2501 $IP

If for any reason it doesn't work, please send us the output of:

ssh -J xpub.nl:2501 $IP -vvv

~/.ssh/config

Here is an ssh configuration that lets you ssh easily from your local machine to one of the Hub nodes

using only:

ssh hub.nodename

Add the following configuration to ~/.ssh/config, replacing the placeholders with the correct details:

Host hub.nodename
    User username
    HostName 10.0.0.XXX
    ProxyJump username@xpub.nl:2501
    IdentityFile ~/.ssh/id_rsa
    ServerAliveInterval 30

Where:

  • nodename: the name you would like to give this node of hub.
  • XXX: the ending of the node's IP
  • username: your username on the Pi and on the Xpub server (should be the same)
  • ~/.ssh/id_rsa: the location of your private key