Opened 2 years ago

Last modified 20 months ago

#79 new task

Create accounts for Matthew

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: backups Version:
Keywords: Cc: matthew
Estimated Number of Hours: 0 Add Hours to Ticket: 0
Billable?: yes Total Hours: 9.5

Description (last modified by chris)

Create Trac and other accounts for Matthew.

Change History (15)

comment:1 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Cc matthew added
  • Total Hours set to 0.25

Following wiki:Trac#CreateanTracaccount

sudo -i
su - trac -s /bin/bash
export NEWUSER="matthew"
htdigest .htpasswd trac $NEWUSER
trac-admin /var/www/trac permission add $NEWUSER admin
trac-admin /var/www/trac permission add $NEWUSER TRAC_ADMIN

And then login to set the email address via https://trac.crin.org.archived.website/trac/prefs.

comment:2 Changed 2 years ago by chris

  • Summary changed from Create accounts for Mathew to Create accounts for Matthew

comment:3 Changed 2 years ago by chris

  • Description modified (diff)

comment:4 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.5
  • Total Hours changed from 0.25 to 0.75

Phone call with Mathew, we discussed:

comment:5 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours changed from 0.75 to 1.0

I have sent Mathew my GPG public key and once I have Mathew's ssh public keys I can create accounts on the servers and we can start using IRC. I'll also now start to get keyringer.pw setup with a git repo on https://bitbucket.org/crin/

comment:6 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 2.25
  • Total Hours changed from 1.0 to 3.25

Mathew and I also discussed archiving http://crinarchive.org/ the old ASP site, as static HTML, I suggested I could run http://www.httrack.com/ via the command line (it is in Debian) on a server to generate a static archive which we could host at archive.crin.org, this wouldn't take long and I expect could do it this month within the monthly hours I have.

I have created Keyringer and getting this setup (including all my errors... Mathew, you can skip most of this and jump to the last few lines of this comment...):

A repo was created at bitbucket.org, https://bitbucket.org/crin/crin-keys

Following https://keyringer.pw/#index3h2

cd ~
mkdir crin-keys
keyringer crin-keys init crin-keys chriscroome@bitbucket.org/crin/crin-keys.git
  fatal: repository 'chriscroome@bitbucket.org/crin/crin-keys.git' does not exist
  Error cloning remote chriscroome@bitbucket.org/crin/crin-keys.git

So The git URL's are wrong above, the docs:

The authenticity of host 'bitbucket.org (104.192.143.1)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
+---[RSA 2048]----+
|         oE.     |
|        . o .    |
|       . . .     |
|        .o...    |
|      ..S.+= .   |
|       oo+= +    |
|       ooo . .   |
|        ... .    |
|       ..oo.     |
+-----------------+
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bitbucket.org,104.192.143.1' (RSA) to the list of known hosts.
logged in as chriscroome.

You can use git or hg to connect to Bitbucket. Shell access is disabled.

Starting again:

mv crin-keys/ crin-keys.bak
mkdir crin-keys
cd crin-keys
git init
  Initialized empty Git repository in /home/chris/crin-keys/.git/
git pull
  fatal: 'git@bitbucket.org/chriscroome/crin-keys.git' does not appear to be a git repository
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.

So, try again,

cd ~
rm -rf crin-keys
mkdir crin-keys
cd crin-keys
keyringer crin-keys init /home/chris/crin-keys git@bitbucket.org/crin/crin-keys.git
  fatal: repository 'git@bitbucket.org/crin/crin-keys.git' does not exist
  Error cloning remote git@bitbucket.org/crin/crin-keys.git
cd crin-keys
git init
  Initialized empty Git repository in /home/chris/crin-keys/.git/
git remote add origin git@bitbucket.org/crin/crin-keys.git
  fatal: 'git@bitbucket.org/crin/crin-keys.git' does not appear to be a git repository
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.

So starting again:

rm -rf crin-keys
git clone git@bitbucket.org:crin/crin-keys.git
  Cloning into 'crin-keys'...
  Warning: Permanently added the RSA host key for IP address '104.192.143.3' to the list of known hosts.
  warning: You appear to have cloned an empty repository.
  Checking connectivity... done.

So, the error above was a misformed git URL, with a slash rather than a colon:

keyringer crin-keys init /home/chris/crin-keys git@bitbucket.org/crin/crin-keys.git
  fatal: repository 'git@bitbucket.org/crin/crin-keys.git' does not exist
  Error cloning remote git@bitbucket.org/crin/crin-keys.git
keyringer crin-keys init /home/chris/crin-keys git@bitbucket.org:crin/crin-keys.git
  fatal: destination path '/home/chris/crin-keys' already exists and is not an empty directory.
  Error cloning remote git@bitbucket.org:crin/crin-keys.git
rm -rf ~/crin-keys
keyringer crin-keys init /home/chris/crin-keys git@bitbucket.org:crin/crin-keys.git
  Cloning into '/home/chris/crin-keys'...
  Warning: Permanently added the RSA host key for IP address '104.192.143.2' to the list of known hosts.
  warning: You appear to have cloned an empty repository.
  Checking connectivity... done.

That appears to have worked...

tail -n 1 ~/.keyringer/config 
crin-keys="/home/chris/crin-keys"

So adding a key:

keyringer crin-keys preferences add KEYID=977F6666953B1AA707E3FB5D21062CC48BB2DE91
  No recipient config was found

I can't find a good answer to this, the keyringer script I was using was is from a 2003 git checkout of the keyringer code, now it is in debian and has lots more commands so perhaps the above would have worked if I had used a more recent version, I'm not sure, but I can manually create the files, so:

cd ~/crin-keys
mkdir keys
mkdir -p config/recipients
echo "chris@webarchitects.co.uk 977F6666953B1AA707E3FB5D21062CC48BB2DE91" > config/recipients/default
echo "chris@webarchitects.co.uk 3A8D6BFCE8A0E5630550CDEA3E1A1D2BAA11BDC9" >> config/recipients/default
git add config/recipients/default 
git commit -a
git push
  No refs in common and none specified; doing nothing.
  Perhaps you should specify a branch such as 'master'.
  fatal: The remote end hung up unexpectedly
  error: failed to push some refs to 'git@bitbucket.org:crin/crin-keys.git'

And other have had this issue, so this did the trick:

git push -u origin --all

So creating a test file:

keyringer crin-keys encrypt test
  No option config was found

So, touching that file and trying again:

cd ~/crin-keys
touch config/options
keyringer crin-keys encrypt test
  Configuration version file not found, trying to pull from remotes...
  Creating configuration version file...
  Configuration version differs from keyringer version, trying to pull from remotes
  [master 26d4a19] Config-update-0.1
   1 file changed, 1 insertion(+)
   create mode 100644 config/version
  Upgrade to version 0.1 completed, pushing to remotes...
  fatal: '/home/chris/crin-keys/.git/refs/remotes/origin' does not appear to be a git repository
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  Pushing configuration version file to remotes...
  fatal: '/home/chris/crin-keys/.git/refs/remotes/origin' does not appear to be a git repository
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.
  Type your message and finish your input with EOF (Ctrl-D).

  XYZ

  ^D

The ~/crin-keys/keys/test.asc file was created, so adding it and commiting:

git add keys/test.asc 
git commit -a
git push

And that appears to have worked, sorry this took so long, it was the other techie at Webarchitects that set up our Keyringer repo three years ago and although I use it daily I haven't set up a repo for it before...

Mathew, once I have your public key GPG I should be able to add it and also add you to the bitbucket crin project and then you should be able to check it out and edit, I have added some documentation to Keyringer.

I also came across this, https://tails.boum.org/doc/encryption_and_privacy/keyringer/index.en.html

comment:7 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 1.5
  • Total Hours changed from 3.25 to 4.75

Mathew -- thanks for the public GPG and SSH keys.

Adding the GPG key to Keyringer, first save the key and then import it:

gpg --import mathew.crin.org.asc 
  gpg: key 31D33551: public key "Matthew Edmondson <matthew@crin.org>" imported  
  gpg: Total number processed: 1
  gpg:               imported: 1  (RSA: 1)
gpg --fingerprint 31D33551
  pub   4096R/31D33551 2016-09-13 [expires: 2021-09-12]
        Key fingerprint = D8A3 6DCC CC78 D2D7 5A12  F5BB EE35 E007 31D3 3551
  uid                  Matthew Edmondson <matthew@crin.org>
  sub   4096R/5B3ED3B8 2016-09-13 [expires: 2021-09-12]

So omitting the spaces and prefixing with the email address and adding to the key ringer repo:

cd ~/crin-keys
git pull
echo "matthew@crin.org D8A36DCCCC78D2D75A12F5BBEE35E00731D33551" >> config/recipients/default
git commit -a
git push

I have sent a bitbucket.org invite to Mathew for the crin-keys repo but don't appear to have the permissions to add people to https://bitbucket.org/crin/ but I have sent a message to whoever does via the bitbucket.org interface.

Mathew, if you can follow the documentation at Keyringer and confirm that you can decrypt the test file then I'll start to add seperate files for each service.

Adding ssh accounts to the servers for Mathew, following the steps used previously for Code Positive on ticket:26#comment:3, on Crin4:

sudo -i
export NEWUSER="mathew"
adduser --disabled-password $NEWUSER
adduser $NEWUSER sudo
mkdir /home/$NEWUSER/.ssh
touch /home/$NEWUSER/.ssh/authorized_keys
chmod 600 /home/$NEWUSER/.ssh/authorized_keys
chmod 700 /home/$NEWUSER/.ssh
chown -R $NEWUSER:$NEWUSER  /home/$NEWUSER/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjXzuuX1Qae9DQ03v/2Quiag3sO3Ge3DULJAGYgEvlxcXYPAUsEE5Hk/UGP1oBL/BOBLZ2L+4JBbb7pted3StdNfQDB03GHYinnDSIll+nx6hv2VqY7UGOBdoPAX3Otfv9IW9zEH8qaRVOl6VQYAn6fczLbzL/8zXK4pNiR+4jVJJHR01IM5CHeYk2iQdD2jtuUrBvpEYXxlmBlauHGrmwLkGdESH5KrBV58+Up6z79QkoQnEtrs5LKWidGW3Qgh79NSOENm56xeJLc22FMr8Jf2IX6AnXDw7vnFCA9xOg9a2vuI9ARuvE46V/PZOPVKTm87MJvDGo941yKPXqOhdH amnesia@amnesia" > /home/$NEWUSER/.ssh/authorized_keys

And repeating for Crin1, Crin2 and Crin3.

Mathew, you should be able to ssh to all four servers now and you have password-less sudo:

ssh mathew@crin1.crin.org
ssh mathew@crin2.crin.org
ssh mathew@crin3.crin.org
ssh mathew@crin4.crin.org

Please check the ssh fingerprints when you connect for the first time:

comment:8 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.3
  • Total Hours changed from 4.75 to 5.05

Mathew needs my public GPG keys sorry that wasn't made clear on Keyringer and also it isn't clear how to get the key ID from the fingerprints which are saved in the git repo, the keys in question:

gpg --fingerprint 8BB2DE91
pub   1024D/8BB2DE91 2001-01-08
      Key fingerprint = 977F 6666 953B 1AA7 07E3  FB5D 2106 2CC4 8BB2 DE91
uid                  Chris Croome <chris@webarchitects.co.uk>
sub   4096g/B35F15E0 2015-07-08 [expires: 2018-07-07]

And:

gpg --fingerprint AA11BDC9
pub   4096R/AA11BDC9 2013-10-18
      Key fingerprint = 3A8D 6BFC E8A0 E563 0550  CDEA 3E1A 1D2B AA11 BDC9
uid                  Chris Croome <chris@webarchitects.co.uk>
sub   4096R/FE3EEC4E 2013-10-18

Both of these keys are available on public key servers:

gpg --search 8BB2DE91
gpg --search AA11BDC9

The settings I have in ~/.gnupg/gpg.conf for keyservers is:

keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/chris/.gnupg/sks-keyservers.netCA.pem

You can get a copy of this public key from the link here:

Hope that helps!

comment:9 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.25
  • Total Hours changed from 5.05 to 5.3

Added Keyringer#Keyringerconfigfiles to the documentation.

comment:10 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.1
  • Total Hours changed from 5.3 to 5.4

Mathew can't find the first GPG public key above, so checking tyhat I can get it from the keyserver:

gpg --search 8BB2DE91
gpg: searching for "8BB2DE91" from hkps server hkps.pool.sks-keyservers.net
gpgkeys: HTTP search error 56: Received HTTP code 503 from proxy after CONNECT
gpg: key "8BB2DE91" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error

That failed as gpg clearly respects the HTTPS_PROXY envvar so, starting the proxy and trying again:

gpg --search 8BB2DE91
gpg: searching for "8BB2DE91" from hkps server hkps.pool.sks-keyservers.net
(1)     Chris Croome <chris@mkdoc.com>
        Chris Croome <chris@croome.net>
        Chris Croome <chris@marxists.org.uk>
        Chris Croome <chris@webarchitects.co.uk>
          1024 bit DSA key 8BB2DE91, created: 2001-01-08
Keys 1-1 of 1 for "8BB2DE91".  Enter number(s), N)ext, or Q)uit > q

Seems to work for me...

Version 0, edited 2 years ago by chris (next)

comment:11 Changed 2 years ago by chris

  • Add Hours to Ticket changed from 0 to 0.5
  • Total Hours changed from 5.4 to 5.9

I have added all the logins I have to the keyringer repo, I think this ticket is probably OK to close now?

comment:12 Changed 21 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.9
  • Total Hours changed from 5.9 to 6.8

Removing Matthew's accounts and changing the passwords for everything as he is no longer working for CRIN, starting with the Keyringer key store:

vi config/recipients/default
git commit -a
git push

Then edit a key:

keyringer crin-keys edit test.asc
git commit -a
git push
  Connection timed out during banner exchange
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.

So that's odd...

Checking Bitbucket and the repo does exist, https://bitbucket.org/crin/crin-keys

So backup and clone:

cd
mv crin-keys crin-keys.bak
git clone git@bitbucket.org:crin/crin-keys.git

And try again:

keyringer crin-keys edit test.asc
cd crin-keys
git commit -a
git push
  Connection timed out during banner exchange
  fatal: Could not read from remote repository.
  
  Please make sure you have the correct access rights
  and the repository exists.

Hmm....

cd keys/
git commit -a
git push

That worked, testing who the file is encrypted for (don't decrypt it just keep hitting enter):

gpg --list-packets test.asc 
...
  gpg: encrypted with 4096-bit RSA key, ID FE3EEC4E, created 2013-10-18
        "Chris Croome <chris@webarchitects.co.uk>"
  gpg: encrypted with 4096-bit ELG-E key, ID B35F15E0, created 2015-07-08
        "Chris Croome <chris@webarchitects.co.uk>"

So that worked, so editing all the files... and committing them and now Matthew can't open the latest versions of the files so now I can start changing the passwords for everything, but that task is going to have to wait till tomorrow...

Last edited 20 months ago by chris (previous) (diff)

comment:13 Changed 21 months ago by chris

  • Add Hours to Ticket changed from 0 to 0.45
  • Total Hours changed from 6.8 to 7.25

Removing accounts on the four servers:

sudo -i
userdel -r mathew

On Crin4:

userdel -r mathew
  userdel: user mathew is currently used by process 3727
ps -lA | grep 3727
  1 S  1006  3727     1  0  80   0 -  6532 -      ?        00:12:25 tmux
  0 S  1006  3728  3727  0  80   0 -  5999 -      pts/1    00:00:00 bash
  0 S  1006  4032  3727  0  80   0 -  5994 -      pts/2    00:00:00 bash
  0 S  1006  4035  3727  0  80   0 -  5994 -      pts/3    00:00:00 bash
killall tmux
userdel -r mathew

Matthew didn't have an account on Crin3, the backup server.

While I was at it, accounts for jonas, who left CRIN a while ago was also removed from Crin1, he didn't have accouts on other servers.

userdel -r jonas

Removing Trac accounts was done by removing the jonas and matthew lines from /var/www/trac/.htpasswd -- this will prevent logins, which is all that is needed, no need to delete any content and there is no webbased password reset ability.

comment:14 Changed 21 months ago by chris

  • Add Hours to Ticket changed from 0 to 1.25
  • Total Hours changed from 7.25 to 8.5

root and chris passwords changes on Crin1 and phpMyAdmin HTTP Authentication password changed:

cd /etc/phpmyadmin/
rm .htpasswd
htdigest -c .htpasswd phpmyadmin crin
chown root:www-data .htpasswd
chmod 640 .htpasswd

The Piwik passwd was changed and this cause the Auth Token to change so this needs changing in Drupal, so generate a one time login on Crin2:

su - bitbucket -s /bin/bash
cd /var/www/prod/
drush uli

And go to Configuration -> System -> Piwik and it turns out that unlike the WordPress plugin the Drupal one doesn't need the Auth Token.

ownCloud passwords changes.

Trac password for chris changed:

cd /var/www/trac
htdigest .htpasswd trac chris

And on Crin2 the root and chris passwords were changed, on Crin4 the andrew and root passwords were changed and on Crin3 the chris and root passwords were changed.

The still outstanding password changes:

  • Google
  • 1984.is
  • Advania
  • S3QL

comment:15 Changed 20 months ago by chris

  • Add Hours to Ticket changed from 0 to 1
  • Total Hours changed from 8.5 to 9.5

Updating passwords.

Note: See TracTickets for help on using tickets.