
sl5-ssh as ssh.damtp

Introduction

This document is about the setup being used on various sl5 machines to run as ssh.damtp.cam.ac.uk, though initially it was tested using the service-name sl5-ssh.damtp.cam.ac.uk and these notes are intended to document some of those early tests too.

The new service running on sl5 systems went live on 2nd October 2007, see News item 1095 for some details.

For more details of servers in DAMTP see the Servers page.

Preparation

A fairly trivial rpm was built (with rpmbuild as usual), signed and inserted into our repos (details of that to be written), so that all sl5 machines can get it as normal via yum.

We built an rpm simply so that we can use the rpm scripts and triggers mechanism to restart the service whenever the package itself (e.g. for a config change) or openssh is updated.

The rpm is a noarch rpm and contains just two files, an init script and the modified sshd_config we use. It requires that a host-specific config file and the (shared) ssh-keys be installed on each machine running the service.

Allocate some IP addresses using a name like sl5-ssh (during testing at least), add them to the DNS and allocate them to some real machines, e.g.

 131.111.17.249 used on unipod
 131.111.17.250 used on unfair
 131.111.17.251 used on unless
 131.111.17.252 used on unjust
 131.111.17.200 used on unique

Mechanism

Just like the setup on sl30x we arrange to run a second sshd on each host running as the service-name(s), listening on the extra IP address we set up for it.

Because the sl5 sshd is somewhat newer and to avoid needing to change the existing system sshd/sshd_config file there are a few differences in the low-level details (and implementation).

Installation

install rpm

On each machine, log in and become root; then refresh the yum cache of repo data:

 yum makecache

Install the rpm:

 yum install sshd-virt-sl5-ssh

At this point you can check that the new service now exists, e.g.

 $ service sshd-virt-sl5-ssh status
 Status of sshd sl5-ssh: No pidfile found

That error is quite normal since there is no pidfile yet!

add ssh-keys and ipaddr

To make it live we need to first copy over the ssh keys and then tell it the IP address and device to use.

Installing the shared ssh keys:

 cd /etc/sshd-virt-sl5-ssh/
 rsync cauliflower:/opt/ssh-secrets/Virtual/ssh-sl5-ssh.tar ./ssh-sl5-ssh.tar
 tar -xpf ssh-sl5-ssh.tar

Specifying the IP address for this host to use:

 printf "# select this address for $(hostname)\nIPADDR=131.111.17.249\nDEV=eth0\nSSHPORTS='22 443'\n" > ipaddr

testing

Then check it starts up ok with:

 service sshd-virt-sl5-ssh start

The startup script does a brief check (using arping) that the address isn't already in use by something else; if it is (e.g. due to a typo or accident), you will get a message something like:

 $ service sshd-virt-sl5-ssh start
 ARPING 131.111.17.249 from 0.0.0.0 eth0                    [FAILED]
 Unicast reply from 131.111.17.249 [......] for 131.111.17.249 [......] 0.692ms
 Sent 1 probes (1 broadcast(s))
 Received 1 response(s)

If all is ok you just get a short delay and a normal startup message like:

 $ service sshd-virt-sl5-ssh start
 Starting sshd [sl5-ssh]                                    [  OK  ]

Now we can check that it is running ok:

 $ service sshd-virt-sl5-ssh status
 Status of sshd sl5-ssh: sshd [sl5-ssh] is running (20288)

Finally, check that the chkconfig entry was added ok by the rpm %post script, and if so reboot just to double-check that everything comes up as expected.

 $ chkconfig --list sshd-virt-sl5-ssh
 sshd-virt-sl5-ssh       0:off   1:off   2:off   3:on    4:on    5:on    6:off
 $
 $ reboot

Repeat for each of the other hosts running the service.
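
As an added example (not the init script shipped in the sshd-virt-sl5-ssh rpm), the following POSIX shell script shows the kind of pre-flight checks the startup described above relies on: it reads the per-host ipaddr file without sourcing it as shell code, validates IPADDR, DEV and SSHPORTS, derives the ListenAddress options that make the second sshd bind only the service address, and refuses to start when arping cannot confirm the address is free. The function names, the default of port 22 when SSHPORTS is absent, and the use of arping -D for the in-use check are assumptions about what the real script does; the sample ipaddr files at the end are constructed.

```shell
#!/bin/sh
# Added example, not the init script shipped in the sshd-virt-sl5-ssh rpm.
# It reads a per-host ipaddr file (as written by the printf above), validates it,
# derives the ListenAddress options for the second sshd, and checks the address
# is free before starting.  Function names, the port-22 default and the use of
# "arping -D" are assumptions about what the real script does.

# Read VAR=value from FILE without sourcing it, so that a stray command line in
# a hand-edited config is never executed as root by the init script.
cfg_get() {   # cfg_get FILE VAR
    sed -n "s/^$2=//p" "$1" | head -n 1 |
        sed -e "s/^'\(.*\)'\$/\1/" -e 's/^"\(.*\)"$/\1/'   # strip one layer of quotes
}

# 0 if $1 is a dotted quad whose octets are all 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# 0 if $1 is a TCP port number in 1-65535.
valid_port() {
    echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate the three settings; prints a reason on stderr and returns 1 on failure.
check_ipaddr_file() {   # check_ipaddr_file FILE
    ip=$(cfg_get "$1" IPADDR); dev=$(cfg_get "$1" DEV); ports=$(cfg_get "$1" SSHPORTS)
    [ -n "$ip" ] && [ -n "$dev" ] || { echo "$1: IPADDR and DEV are required" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "$1: bad IPADDR '$ip'" >&2; return 1; }
    echo "$dev" | grep -Eq '^[a-z][a-z0-9.:-]*$' || { echo "$1: bad DEV '$dev'" >&2; return 1; }
    [ -n "$ports" ] || ports=22          # assumed default when SSHPORTS is not set
    for p in $ports; do
        valid_port "$p" || { echo "$1: bad port '$p' in SSHPORTS" >&2; return 1; }
    done
    return 0
}

# Emit "-o ListenAddress=IP:PORT" for every port, so the second sshd binds only
# the service address and never the host's own addresses.
sshd_listen_opts() {   # sshd_listen_opts FILE
    ip=$(cfg_get "$1" IPADDR); ports=$(cfg_get "$1" SSHPORTS); [ -n "$ports" ] || ports=22
    out=""
    for p in $ports; do out="$out${out:+ }-o ListenAddress=$ip:$p"; done
    echo "$out"
}

# 0 only if arping in duplicate-address-detection mode gets no reply for IP on DEV.
# Fails closed: without arping we cannot prove the address is free, so do not start.
addr_free() {   # addr_free DEV IP
    command -v arping >/dev/null 2>&1 || { echo "arping not found; refusing to start" >&2; return 1; }
    arping -D -q -c 1 -I "$1" "$2"
}

# Stand-alone demo on constructed ipaddr files (same shape as the printf above).
demo_dir=$(mktemp -d)
printf "# select this address for unipod\nIPADDR=131.111.17.249\nDEV=eth0\nSSHPORTS='22 443'\n" > "$demo_dir/ipaddr"
printf "IPADDR=131.111.17.999\nDEV=eth0\n" > "$demo_dir/ipaddr.bad"     # constructed typo
check_ipaddr_file "$demo_dir/ipaddr" && echo "would start: sshd $(sshd_listen_opts "$demo_dir/ipaddr")"
check_ipaddr_file "$demo_dir/ipaddr.bad" || echo "ipaddr.bad rejected as intended"
```

Parsing the file with sed rather than sourcing it is the one deliberate departure from the usual init-script habit: the ipaddr file is written by hand as root, and a validation step that only extracts the three expected keys cannot be turned into arbitrary command execution by a stray line in it.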

Make it all live

Once we were happy with the service running on those hosts, we arranged to update the DNS for ssh.damtp to point at the new hosts (a CNAME RR will do). We then updated the MakeSSHVirt code and ran it, followed by MakeKnownHosts, to re-generate the ssh_known_hosts files ready to be pushed to all (local) machines overnight. Finally we re-ran (as the http user) the /opt/httpd/sbin/ssh-fingerprints.sh script to rebuild the published fingerp.html and knownh.reg files.

We checked that the entries looked ok in all those files.

Removal from a host

To remove the setup from a given host, just remove the package. That will cleanly shut down the service first (and take away the extra IP address), e.g. run as root:

 yum remove sshd-virt-sl5-ssh

Then one can simply put the service with that IP address on another host by following the instructions above.

One should also clean up the files in /etc/sshd-virt-sl5-ssh/ (the ssh-keys and ipaddr file) so they won't get picked up if the package is later re-installed.