
lapserv-ssh (lapserv.maths)

Laptop Network Service documentation (lapserv, lapnet).

Introduction

This document describes the setup used on lapserv machines to run a separate sshd as lapserv.maths.cam.ac.uk.

Preparation

A fairly trivial rpm was built (with rpmbuild as usual), signed and inserted into our repos (details of that to be written), so that all sl5 machines can get access to it as normal via yum.

We built an rpm simply so that we can make use of the rpm scripts and triggers mechanism, which causes the service to be restarted if the package itself (for the config, say) or openssh is updated.

The rpm is a noarch rpm and contains just two files, an init script and the modified sshd_config we use. It requires that a host-specific config file and the (dedicated) ssh-keys be installed on each machine which may run the service.

Mechanism

Just like the setup for ssh.damtp we arrange to run a second sshd on each host running as the service-name(s), listening on the extra IP address we set up for it.

Because the lapserv setup is somewhat different (in terms of networking) from most sl5 machines, there are a few differences in the low-level details (and implementation).

Installation

install rpm

On the machine, log in and become root, then refresh the yum cache of repo data:

 yum makecache

Install the rpm:

 yum install sshd-virt-lapserv

add ssh-keys

To make it live we need to first copy over the ssh keys.

Installing the shared ssh keys:

 cd /etc/lapserv/ssh
 rsync cauliflower:/opt/ssh-secrets/Virtual/ssh-lapserv.tar ./ssh-lapserv.tar
 tar -xpf ssh-lapserv.tar
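
A check that could follow the extraction step above, as an added example that is not part of the original page: sshd will not load a private host key that other users can read, and the tar file left in the directory holds copies of the same keys. It assumes the stock ssh_host_*_key file names (the page does not list the tar contents) and GNU stat; audit_hostkeys is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit the directory the host keys were unpacked into.
# Assumptions: stock ssh_host_*_key file names, GNU stat (as on sl5).

# audit_hostkeys DIR [UID]   (hypothetical helper; UID defaults to 0/root)
# Prints one finding per line. Returns 0 if clean, 1 on findings,
# 2 if DIR does not exist.
audit_hostkeys() {
    dir=$1
    uid=${2:-0}
    rc=0
    seen=0
    [ -d "$dir" ] || { echo "NO-DIR $dir"; return 2; }

    # Private keys, and any tar archive that still holds copies of them,
    # must be owned by $uid with no group/other access.
    for f in "$dir"/ssh_host_*_key "$dir"/*.tar; do
        [ -f "$f" ] || continue        # an unmatched glob stays literal
        case $f in *_key) seen=1 ;; esac
        mode=$(stat -c '%a' "$f")
        fuid=$(stat -c '%u' "$f")
        case $mode in
            400|600) ;;
            *) echo "BAD-MODE $mode $f"; rc=1 ;;
        esac
        [ "$fuid" = "$uid" ] || { echo "BAD-OWNER $fuid $f"; rc=1; }
    done

    # Nobody but the owner may be able to replace files in the directory.
    dmode=$(stat -c '%a' "$dir")
    case $dmode in
        *[2367]?|*[2367]) echo "DIR-WRITABLE $dmode $dir"; rc=1 ;;
    esac

    [ "$seen" -eq 1 ] || { echo "NO-KEYS $dir"; rc=1; }
    return $rc
}

# Run the audit only when a directory is given, e.g. /etc/lapserv/ssh
if [ $# -gt 0 ]; then audit_hostkeys "$@"; fi
```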

testing

Then check it starts up ok with:

 service sshd-virt-lapserv start

If all is ok you just get a short delay and a normal startup message like:

 # service sshd-virt-lapserv start
 Starting sshd [lapserv]                                    [  OK  ]

Now we can check that it is running ok:

 # service sshd-virt-lapserv status
 Status of sshd sl5-ssh: sshd [sl5-ssh] is running (20288)

Finally check that the chkconfig entry was added ok by the rpm %post, and if so reboot just to double-check that all comes up as expected.

 # chkconfig --list sshd-virt-lapserv
 sshd-virt-lapserv       0:off   1:off   2:off   3:on    4:on    5:on    6:off

Removal

In the unlikely event of removing it from a machine, just remove the package. That will cleanly shut down the service. For example, run as root:

 yum remove sshd-virt-lapserv

Note that with this setup it is quite safe to have multiple copies of this running on the live and any standby lapserv machines, since the lapserv IP address is only brought up on the active (live) server. While the extra sshd is running on the standby machines, they don't interfere at all.