Opened 2 years ago
Last modified 20 months ago
#79 new task
Create accounts for Matthew
Reported by: | chris | Owned by: | chris |
---|---|---|---|
Priority: | major | Milestone: | Maintenance |
Component: | backups | Version: | |
Keywords: | | Cc: | matthew |
Estimated Number of Hours: | 0 | Add Hours to Ticket: | 0 |
Billable?: | yes | Total Hours: | 9.5 |
Description (last modified by chris)
Create Trac and other accounts for Matthew.
Change History (15)
comment:1 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.25
- Cc matthew added
- Total Hours set to 0.25
comment:2 Changed 2 years ago by chris
- Summary changed from Create accounts for Mathew to Create accounts for Matthew
comment:3 Changed 2 years ago by chris
- Description modified (diff)
comment:4 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.5
- Total Hours changed from 0.25 to 0.75
Phone call with Matthew; we discussed:
- SSH access to servers
- Drupal, live, dev and staging admin access
- Solr
- IRC: #crin on irc.freenode.net
- MediaWiki
- ownCloud - delete? Matthew to check
- Piwik
- phpMyAdmin HTTP Auth
- 1984.is
- bitbucket.org
- set up https://keyringer.pw/ repo on bitbucket.org
comment:5 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.25
- Total Hours changed from 0.75 to 1.0
I have sent Matthew my GPG public key, and once I have Matthew's SSH public keys I can create accounts on the servers and we can start using IRC. I'll also now start to get keyringer.pw set up with a git repo on https://bitbucket.org/crin/
comment:6 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 2.25
- Total Hours changed from 1.0 to 3.25
Matthew and I also discussed archiving http://crinarchive.org/, the old ASP site, as static HTML. I suggested I could run http://www.httrack.com/ via the command line (it is in Debian) on a server to generate a static archive which we could host at archive.crin.org; this wouldn't take long and I expect I could do it this month within the monthly hours I have.
I have created Keyringer and am getting this set up (including all my errors... Matthew, you can skip most of this and jump to the last few lines of this comment...):
A repo was created at bitbucket.org, https://bitbucket.org/crin/crin-keys
Following https://keyringer.pw/#index3h2
```
cd ~
mkdir crin-keys
keyringer crin-keys init crin-keys chriscroome@bitbucket.org/crin/crin-keys.git
fatal: repository 'chriscroome@bitbucket.org/crin/crin-keys.git' does not exist
Error cloning remote chriscroome@bitbucket.org/crin/crin-keys.git
```
So the git URLs above are wrong, the docs:
```
The authenticity of host 'bitbucket.org (104.192.143.1)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
+---[RSA 2048]----+
| oE. |
| . o . |
| . . . |
| .o... |
| ..S.+= . |
| oo+= + |
| ooo . . |
| ... . |
| ..oo. |
+-----------------+
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'bitbucket.org,104.192.143.1' (RSA) to the list of known hosts.
logged in as chriscroome.

You can use git or hg to connect to Bitbucket. Shell access is disabled.
```
Starting again:
```
mv crin-keys/ crin-keys.bak
mkdir crin-keys
cd crin-keys
git init
Initialized empty Git repository in /home/chris/crin-keys/.git/
git pull
fatal: 'git@bitbucket.org/chriscroome/crin-keys.git' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
So, try again:
```
cd ~
rm -rf crin-keys
mkdir crin-keys
cd crin-keys
keyringer crin-keys init /home/chris/crin-keys git@bitbucket.org/crin/crin-keys.git
fatal: repository 'git@bitbucket.org/crin/crin-keys.git' does not exist
Error cloning remote git@bitbucket.org/crin/crin-keys.git
cd crin-keys
git init
Initialized empty Git repository in /home/chris/crin-keys/.git/
git remote add origin git@bitbucket.org/crin/crin-keys.git
fatal: 'git@bitbucket.org/crin/crin-keys.git' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
So starting again:
```
rm -rf crin-keys
git clone git@bitbucket.org:crin/crin-keys.git
Cloning into 'crin-keys'...
Warning: Permanently added the RSA host key for IP address '104.192.143.3' to the list of known hosts.
warning: You appear to have cloned an empty repository.
Checking connectivity... done.
```
So, the error above was a malformed git URL, with a slash rather than a colon after the host:
```
keyringer crin-keys init /home/chris/crin-keys git@bitbucket.org/crin/crin-keys.git
fatal: repository 'git@bitbucket.org/crin/crin-keys.git' does not exist
Error cloning remote git@bitbucket.org/crin/crin-keys.git
keyringer crin-keys init /home/chris/crin-keys git@bitbucket.org:crin/crin-keys.git
fatal: destination path '/home/chris/crin-keys' already exists and is not an empty directory.
Error cloning remote git@bitbucket.org:crin/crin-keys.git
rm -rf ~/crin-keys
keyringer crin-keys init /home/chris/crin-keys git@bitbucket.org:crin/crin-keys.git
Cloning into '/home/chris/crin-keys'...
Warning: Permanently added the RSA host key for IP address '104.192.143.2' to the list of known hosts.
warning: You appear to have cloned an empty repository.
Checking connectivity... done.
```
That appears to have worked...
```
tail -n 1 ~/.keyringer/config
crin-keys="/home/chris/crin-keys"
```
So adding a key:
```
keyringer crin-keys preferences add KEYID=977F6666953B1AA707E3FB5D21062CC48BB2DE91
No recipient config was found
```
I can't find a good answer to this. The keyringer script I was using is from a 2003 git checkout of the keyringer code; now it is in Debian and has lots more commands, so perhaps the above would have worked if I had used a more recent version. I'm not sure, but I can manually create the files, so:
```
cd ~/crin-keys
mkdir keys
mkdir -p config/recipients
echo "chris@webarchitects.co.uk 977F6666953B1AA707E3FB5D21062CC48BB2DE91" > config/recipients/default
echo "chris@webarchitects.co.uk 3A8D6BFCE8A0E5630550CDEA3E1A1D2BAA11BDC9" >> config/recipients/default
git add config/recipients/default
git commit -a
git push
No refs in common and none specified; doing nothing.
Perhaps you should specify a branch such as 'master'.
fatal: The remote end hung up unexpectedly
error: failed to push some refs to 'git@bitbucket.org:crin/crin-keys.git'
```
And others have had this issue, so this did the trick:
```
git push -u origin --all
```
So creating a test file:
```
keyringer crin-keys encrypt test
No option config was found
```
So, touching that file and trying again:
```
cd ~/crin-keys
touch config/options
keyringer crin-keys encrypt test
Configuration version file not found, trying to pull from remotes...
Creating configuration version file...
Configuration version differs from keyringer version, trying to pull from remotes
[master 26d4a19] Config-update-0.1
 1 file changed, 1 insertion(+)
 create mode 100644 config/version
Upgrade to version 0.1 completed, pushing to remotes...
fatal: '/home/chris/crin-keys/.git/refs/remotes/origin' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Pushing configuration version file to remotes...
fatal: '/home/chris/crin-keys/.git/refs/remotes/origin' does not appear to be a git repository
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Type your message and finish your input with EOF (Ctrl-D).
XYZ
^D
```
The ~/crin-keys/keys/test.asc file was created, so adding it and committing:
```
git add keys/test.asc
git commit -a
git push
```
And that appears to have worked. Sorry this took so long; it was the other techie at Webarchitects who set up our Keyringer repo three years ago, and although I use it daily I haven't set up a repo for it before...
Matthew, once I have your GPG public key I should be able to add it and also add you to the bitbucket crin project, and then you should be able to check it out and edit it. I have added some documentation to Keyringer.
I also came across this: https://tails.boum.org/doc/encryption_and_privacy/keyringer/index.en.html
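Two of the failures in this comment are easy to catch before running anything: an scp-style git URL written with "/" instead of ":" after the host (git then treats it as a local path), and a hand-written config/recipients/default whose fingerprints must be 40 hex digits with no spaces. The following checks are an added example, not code from the ticket or from keyringer; the function names are my own.

```python
import re

# scp-style remote: [user@]host:path, where path does not start with "/".
SCP_URL = re.compile(r"^(?P<user>[^@/:]+@)?(?P<host>[^/:]+):(?P<path>[^/].*)$")
# The same thing typed with a slash after the host, which git reads as a local path.
SLASH_URL = re.compile(r"^(?P<user>[^@/:]+@)?(?P<host>[^/:]+)/(?P<path>.+)$")
FPR = re.compile(r"^[0-9A-F]{40}$")


def check_scp_url(url):
    """Return (ok, suggestion). For 'git@host/org/repo.git' the suggestion is the
    colon form; for anything else that is not scp-style, suggestion is None."""
    if SCP_URL.match(url):
        return True, url
    m = SLASH_URL.match(url)
    if m:
        fixed = "%s%s:%s" % (m.group("user") or "", m.group("host"), m.group("path"))
        return False, fixed
    return False, None


def parse_recipients(text):
    """Parse keyringer's config/recipients/default: one 'email FINGERPRINT' per
    line. Spaces inside the fingerprint (as printed by gpg --fingerprint) are
    removed; anything that is not then 40 hex digits is rejected, because a bad
    line means a file silently not encrypted to that person."""
    recipients = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected 'email fingerprint'" % lineno)
        email, fpr = parts[0], parts[1].replace(" ", "").upper()
        if not FPR.match(fpr):
            raise ValueError("line %d: bad fingerprint %r" % (lineno, parts[1]))
        recipients.append((email, fpr))
    return recipients


if __name__ == "__main__":
    print(check_scp_url("git@bitbucket.org/crin/crin-keys.git"))
    # Constructed sample using the two fingerprints quoted in this ticket.
    print(parse_recipients(
        "chris@webarchitects.co.uk 977F6666953B1AA707E3FB5D21062CC48BB2DE91\n"
        "matthew@crin.org D8A3 6DCC CC78 D2D7 5A12 F5BB EE35 E007 31D3 3551\n"))
```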
comment:7 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 1.5
- Total Hours changed from 3.25 to 4.75
Matthew -- thanks for the public GPG and SSH keys.
Adding the GPG key to Keyringer: first save the key and then import it:
```
gpg --import mathew.crin.org.asc
gpg: key 31D33551: public key "Matthew Edmondson <matthew@crin.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg --fingerprint 31D33551
pub   4096R/31D33551 2016-09-13 [expires: 2021-09-12]
      Key fingerprint = D8A3 6DCC CC78 D2D7 5A12  F5BB EE35 E007 31D3 3551
uid                  Matthew Edmondson <matthew@crin.org>
sub   4096R/5B3ED3B8 2016-09-13 [expires: 2021-09-12]
```
So, omitting the spaces, prefixing with the email address and adding to the Keyringer repo:
```
cd ~/crin-keys
git pull
echo "matthew@crin.org D8A36DCCCC78D2D75A12F5BBEE35E00731D33551" >> config/recipients/default
git commit -a
git push
```
I have sent a bitbucket.org invite to Matthew for the crin-keys repo but don't appear to have the permissions to add people to https://bitbucket.org/crin/, so I have sent a message to whoever does via the bitbucket.org interface.
Matthew, if you can follow the documentation at Keyringer and confirm that you can decrypt the test file then I'll start to add separate files for each service.
Adding SSH accounts to the servers for Matthew, following the steps used previously for Code Positive on ticket:26#comment:3, on Crin4:
```
sudo -i
export NEWUSER="mathew"
adduser --disabled-password $NEWUSER
adduser $NEWUSER sudo
mkdir /home/$NEWUSER/.ssh
touch /home/$NEWUSER/.ssh/authorized_keys
chmod 600 /home/$NEWUSER/.ssh/authorized_keys
chmod 700 /home/$NEWUSER/.ssh
chown -R $NEWUSER:$NEWUSER /home/$NEWUSER/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCjXzuuX1Qae9DQ03v/2Quiag3sO3Ge3DULJAGYgEvlxcXYPAUsEE5Hk/UGP1oBL/BOBLZ2L+4JBbb7pted3StdNfQDB03GHYinnDSIll+nx6hv2VqY7UGOBdoPAX3Otfv9IW9zEH8qaRVOl6VQYAn6fczLbzL/8zXK4pNiR+4jVJJHR01IM5CHeYk2iQdD2jtuUrBvpEYXxlmBlauHGrmwLkGdESH5KrBV58+Up6z79QkoQnEtrs5LKWidGW3Qgh79NSOENm56xeJLc22FMr8Jf2IX6AnXDw7vnFCA9xOg9a2vuI9ARuvE46V/PZOPVKTm87MJvDGo941yKPXqOhdH amnesia@amnesia" > /home/$NEWUSER/.ssh/authorized_keys
```
And repeating for Crin1, Crin2 and Crin3.
Matthew, you should be able to ssh to all four servers now and you have password-less sudo:
```
ssh mathew@crin1.crin.org
ssh mathew@crin2.crin.org
ssh mathew@crin3.crin.org
ssh mathew@crin4.crin.org
```
Please check the ssh fingerprints when you connect for the first time:
comment:8 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.3
- Total Hours changed from 4.75 to 5.05
Matthew needs my public GPG keys; sorry that wasn't made clear on Keyringer, and also it isn't clear how to get the key ID from the fingerprints which are saved in the git repo. The keys in question:
```
gpg --fingerprint 8BB2DE91
pub   1024D/8BB2DE91 2001-01-08
      Key fingerprint = 977F 6666 953B 1AA7 07E3  FB5D 2106 2CC4 8BB2 DE91
uid                  Chris Croome <chris@webarchitects.co.uk>
sub   4096g/B35F15E0 2015-07-08 [expires: 2018-07-07]
```
And:
```
gpg --fingerprint AA11BDC9
pub   4096R/AA11BDC9 2013-10-18
      Key fingerprint = 3A8D 6BFC E8A0 E563 0550  CDEA 3E1A 1D2B AA11 BDC9
uid                  Chris Croome <chris@webarchitects.co.uk>
sub   4096R/FE3EEC4E 2013-10-18
```
Both of these keys are available on public key servers:
```
gpg --search 8BB2DE91
gpg --search AA11BDC9
```
The settings I have in ~/.gnupg/gpg.conf for keyservers are:
```
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/chris/.gnupg/sks-keyservers.netCA.pem
```
You can get a copy of this public key from the link here:
Hope that helps!
comment:9 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.25
- Total Hours changed from 5.05 to 5.3
Added Keyringer#Keyringerconfigfiles to the documentation.
comment:10 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.1
- Total Hours changed from 5.3 to 5.4
Matthew can't find the first GPG public key above, so checking that I can get it from the keyserver:
```
gpg --search 8BB2DE91
gpg: searching for "8BB2DE91" from hkps server hkps.pool.sks-keyservers.net
gpgkeys: HTTP search error 56: Received HTTP code 503 from proxy after CONNECT
gpg: key "8BB2DE91" not found on keyserver
gpg: keyserver internal error
gpg: keyserver search failed: keyserver error
```
That failed as gpg clearly respects the HTTPS_PROXY envvar, so starting the proxy and trying again:
```
gpg --search 8BB2DE91
gpg: searching for "8BB2DE91" from hkps server hkps.pool.sks-keyservers.net
(1)	Chris Croome <chris@mkdoc.com>
	Chris Croome <chris@croome.net>
	Chris Croome <chris@marxists.org.uk>
	Chris Croome <chris@webarchitects.co.uk>
	  1024 bit DSA key 8BB2DE91, created: 2001-01-08
Keys 1-1 of 1 for "8BB2DE91".  Enter number(s), N)ext, or Q)uit > q
```
Seems to work for me...
comment:11 Changed 2 years ago by chris
- Add Hours to Ticket changed from 0 to 0.5
- Total Hours changed from 5.4 to 5.9
I have added all the logins I have to the keyringer repo, I think this ticket is probably OK to close now?
comment:12 Changed 21 months ago by chris
- Add Hours to Ticket changed from 0 to 0.9
- Total Hours changed from 5.9 to 6.8
Removing Matthew's accounts and changing the passwords for everything as he is no longer working for CRIN, starting with the Keyringer key store:
```
vi config/recipients/default
git commit -a
git push
```
Then edit a key:
```
keyringer crin-keys edit test.asc
git commit -a
git push
Connection timed out during banner exchange
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
So that's odd...
Checking Bitbucket, the repo does exist: https://bitbucket.org/crin/crin-keys
So backup and clone:
```
cd
mv crin-keys crin-keys.bak
git clone git@bitbucket.org:crin/crin-keys.git
```
And try again:
```
keyringer crin-keys edit test.asc
cd crin-keys
git commit -a
git push
Connection timed out during banner exchange
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
```
Hmm....
```
cd keys/
git commit -a
git push
```
That worked; testing who the file is encrypted for (don't decrypt it, just keep hitting enter):
```
gpg --list-packets test.asc
...
gpg: encrypted with 4096-bit RSA key, ID FE3EEC4E, created 2013-10-18
      "Chris Croome <chris@webarchitects.co.uk>"
gpg: encrypted with 4096-bit ELG-E key, ID B35F15E0, created 2015-07-08
      "Chris Croome <chris@webarchitects.co.uk>"
```
So that worked, so editing all the files... and committing them. Now Matthew can't open the latest versions of the files, so I can start changing the passwords for everything, but that task is going to have to wait till tomorrow...
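Removing a line from config/recipients/default only affects files that are re-encrypted afterwards; anything not rewritten stays readable by the old key, which is why the comment above checks `gpg --list-packets` by hand. The audit below is an added example (not from the ticket or from keyringer) that parses those "encrypted with ... ID" lines for every key file and flags any still encrypted to the removed recipient's key IDs; the sample outputs, the file name drupal.asc and the function names are constructed, while the key IDs are the ones quoted in this ticket.

```python
import re

# "gpg: encrypted with 4096-bit RSA key, ID FE3EEC4E, created 2013-10-18"
PKESK = re.compile(r"encrypted with \d+-bit \S+ key, ID ([0-9A-Fa-f]{8,16})")


def short_id(fingerprint):
    """gpg's short key ID is the last 8 hex digits of the full fingerprint,
    which is what config/recipients/default stores."""
    return fingerprint.replace(" ", "").upper()[-8:]


def encrypted_to(list_packets_output):
    """Key IDs of every public-key encrypted session key in the output."""
    return {kid.upper() for kid in PKESK.findall(list_packets_output)}


def audit(files, removed):
    """files: {name: gpg --list-packets output}; removed: key IDs (primary and
    subkeys) of the recipient being off-boarded.
    Returns {name: sorted IDs still present} for files that need re-encrypting."""
    removed = {r.upper() for r in removed}
    stale = {}
    for name, output in files.items():
        hit = encrypted_to(output) & removed
        if hit:
            stale[name] = sorted(hit)
    return stale


# Constructed sample output, in the format shown above for test.asc.
REENCRYPTED = """\
gpg: encrypted with 4096-bit RSA key, ID FE3EEC4E, created 2013-10-18
      "Chris Croome <chris@webarchitects.co.uk>"
gpg: encrypted with 4096-bit ELG-E key, ID B35F15E0, created 2015-07-08
      "Chris Croome <chris@webarchitects.co.uk>"
"""
# A file that was not rewritten: still carries a session key for the removed subkey.
STALE = REENCRYPTED + """\
gpg: encrypted with 4096-bit RSA key, ID 5B3ED3B8, created 2016-09-13
      "Matthew Edmondson <matthew@crin.org>"
"""
# Removed recipient: primary ID derived from the fingerprint in config/recipients,
# plus the encryption subkey ID that `gpg --fingerprint 31D33551` printed.
REMOVED = {short_id("D8A3 6DCC CC78 D2D7 5A12 F5BB EE35 E007 31D3 3551"), "5B3ED3B8"}

if __name__ == "__main__":
    print(audit({"test.asc": REENCRYPTED, "drupal.asc": STALE}, REMOVED))
```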
comment:13 Changed 21 months ago by chris
- Add Hours to Ticket changed from 0 to 0.45
- Total Hours changed from 6.8 to 7.25
Removing accounts on the four servers:
```
sudo -i
userdel -r mathew
```
On Crin4:
```
userdel -r mathew
userdel: user mathew is currently used by process 3727
ps -lA | grep 3727
1 S  1006  3727     1  0  80   0 -  6532 -      ?        00:12:25 tmux
0 S  1006  3728  3727  0  80   0 -  5999 -      pts/1    00:00:00 bash
0 S  1006  4032  3727  0  80   0 -  5994 -      pts/2    00:00:00 bash
0 S  1006  4035  3727  0  80   0 -  5994 -      pts/3    00:00:00 bash
killall tmux
userdel -r mathew
```
Matthew didn't have an account on Crin3, the backup server.
While I was at it, the account for jonas, who left CRIN a while ago, was also removed from Crin1; he didn't have accounts on the other servers.
```
userdel -r jonas
```
Removing the Trac accounts was done by removing the jonas and matthew lines from /var/www/trac/.htpasswd -- this will prevent logins, which is all that is needed; there is no need to delete any content, and there is no web-based password reset ability.
comment:14 Changed 21 months ago by chris
- Add Hours to Ticket changed from 0 to 1.25
- Total Hours changed from 7.25 to 8.5
root and chris passwords changed on Crin1, and the phpMyAdmin HTTP Authentication password changed:
```
cd /etc/phpmyadmin/
rm .htpasswd
htdigest -c .htpasswd phpmyadmin crin
chown root:www-data .htpasswd
chmod 640 .htpasswd
```
The Piwik password was changed and this caused the Auth Token to change, so this needs changing in Drupal; generate a one-time login on Crin2:
```
su - bitbucket -s /bin/bash
cd /var/www/prod/
drush uli
```
And go to Configuration -> System -> Piwik; it turns out that, unlike the WordPress plugin, the Drupal one doesn't need the Auth Token.
ownCloud passwords changed.
Trac password for chris changed:
```
cd /var/www/trac
htdigest .htpasswd trac chris
```
And on Crin2 the root and chris passwords were changed, on Crin4 the andrew and root passwords were changed and on Crin3 the chris and root passwords were changed.
The still outstanding password changes:
- 1984.is
- Advania
- S3QL
comment:15 Changed 20 months ago by chris
- Add Hours to Ticket changed from 0 to 1
- Total Hours changed from 8.5 to 9.5
Updating passwords.
Following wiki:Trac#CreateanTracaccount
And then login to set the email address via https://trac.crin.org.archived.website/trac/prefs.