Ubuntu Hardy setup - page 1

You guys rock!

Did something change in this version of visudo? I'm having trouble editing. It seems as though the key mappings are all messed up. It was find on Gusty, but hardy is acting up.

Delete and backspace doesn't work right, and my arrow keys have been replaced with uppercase A and B etc.

I've never had this sort of trouble before.

Btw, I'm running leopard and using it's native terminal.

Any ideas?

Or use nano /etc/sudoers

What you'll want to do is set vi (or in this case, vim) into nocompatible mode. To do this, type ':set nocompatible' (without the quotes) in any vi session.

To make that change permanent, create a file called .vimrc in your home dir, with 'set nocompatible' in it (without the quotes)

I had never used visudo before today, and it would have been helpful for me (and probably others that lack visudo or vi experience) to quickly explain that when the file opens they need to hit "j" until they get to the last line, then hit "o" to create a new line below the current line and puts them in insert mode to type the "demo ALL..." and the hit ESC and then type "ZZ" to save and exit.

It's barfing on me at: iptables-save > /etc/iptables.up.rules if i try it (with sudo) while logged in as my admin user, i get permission denied. when i try it as root, i get: -bash: iptables-save: command not found

no idea

Chris, if you're not signed in as root, use:

sudo su -c "iptables-save > /etc/iptables.up.rules"

(include the quotes)

That got me too.

For the iptables -L part the second time, the first line reads:

ACCEPT all -- anywhere anywhere

Is this correct? Shouldn't it reject all from anywhere?

I'm curious how I would modify my firewall to allow access for sftp and also to allow access to mysql on port 3306 (or some other port). What entries would I need in the iptables.test.rules file? Also, can I just repeat the steps listed even if I have already followed the instructions above to create a firewall?

On another post for setting up SSH keys on windows with putty

If I remember right, it's generally a bad idea to edit /etc/sudoers except through visudo. It has extra checks to make sure you don't accidentally lock everyone out of sudo access.

Thanks for these tutorials. They're amazing. You really narrow it down.

If you're unfamiliar with vi, before launching visudo, type this into your shell:

export EDITOR=nano

Now, visudo should use nano instead of vi, which will make things a little easier for you.

Excellent article!!

Perfect! Thanks!

Fantastic tutorial! Best I've read in a while. I'm well versed in setting up servers and I'm moving from Gentoo (for convenience reasons) and this article was very helpful.

If you are having problems logging in via ssh with sshvulnkey public key denied. It is because your version of openssh has had a faw for the past 2 years (Debian based distros). You can test your keys on the server - ssh-vulnkey authorized_keys

Simply run apt-get install openssh-server on your local workstation and regenerate the keys and re-send your public key to the remote server. This will solve your problems.

Good luck. Hopefully this comment will be added to the main article.

One question: how is sudo + "demo ALL=(ALL) ALL" different than running as root? Doesn't it give all the same privili^H^H^H^H^H^H^Hopportunities to mess up?

In general, you just never want to do an interactive root login. Aside from advertising the fact that root logons are enabled, your root credentials could also be intercepted. Once your secure connection is established, everything is encrypted and you can safely su/sudo.

... there's also the fact that you're making the attacker break two passwords to gain access, if you've been sly enough to use a different user password than your root password ;)

Regarding the iptables, and the suggestion that "if you are completing this step at a later date using the admin user, you will need to put a 'sudo' in front of the commands." Actually, we cannot use sudo to redirect output, so you need to do the following (note the quotes around the command): sudo bash -c 'iptables-save > /etc/iptables.up.rules'

Otherwise, these articles are all extremely helpful and set SliceHost apart from more generic hosting systems.

Ubuntu's Server Guide and Wiki suggest using ufw as the firewall. Ufw looks simpler than iptables.

I change the /etc/ssh/sshd_config file so that Port 30000 instead of Port 22 is used.

After /etc/init.d/ssh reload, I'm getting a connection refused at port 30000. ssh is still available at port 22.

What do you think I may be doing wrong?

If you're using OSX, you should probably use vim rather than vi or nano (as the latter two have some kind of weird problem with keys).

Thank you very much for this article - its a snap now to setup my slice!

in the iptables config, I'm doing as you say for my slice.

But how come replacing one line ..

-A INPUT -p tcp --dport 80 -j ACCEPT

.. with ..

-A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

.. seems to break the loading of the rules?

Yes yes, I'm some lame Java user needing Jetty or Tomcat on port 8080 !

Perfect article. Up and running just fine. Some weirdness w/ the Macbook keyboard but quickly figured things out (hint: the fn key stands for 'magic')

@Darryl Hamilton: Thanks much for the set nocompatible tip. Works like a charm.

When I try to reload the SSH, I get:

ignoring bad proto spec: '30000'. /etc/ssh/sshd_config line 9: Bad protocal spec '30000'.

I switched the port to 30000 and copied the file exactly as you had it. Any ideas?

OOPS! Never mind. I got the protocol and port mixed up. I'm not supposed to run with scissors either.

+1 for Ken's question. How should I tweak these settings to enable MySQL access from another box (for replication).

excellent guide. thanks.

When I apply th new rules, I get this erro: iptables-restore < /etc/iptables.test.rules
iptables-restore v1.3.8: Can't use -A with -A Any ideas? Thanks

eman: You rock! It took me over 6 hours to configure ssh working with public/private key in my slice using various methods without success until I tried your suggestion. Thanks a lot!

PickledOninon: can you add eman's suggestion to the article? It would definitely help.

I suspect that you have put the pre-up line in the wrong place. I think it belongs with the primary interface, not the loopback one.

To repeat a comment that I put on the Feisty install page:

djwonk commented Fri Oct 12 18:39:59 UTC 2007 ago: In my case, the pre-up line should go after the 'iface eth0' line: auto eth0 iface eth0 inet static pre-up iptables-restore < /etc/iptables.up.rules

Putting it "just after 'iface lo inet loopback'" like you locked me out from external ssh access. I had to use the console to repair things.

I have a screencast where I follow these instructions. You can view it at http://programminggems.wordpress.com/2008/09/07/slicehost/

Hey this is a great tutorial, but have one minor problem. A geek friend is gonna help me out with developing and I want to give him ssh access. How is he supposed to login? Do I have to scp him a copy of the key? I know you said not to.

I'm a bit of a linux noob, and I found this tutorial incredibly easy to follow! Thanks for the help Pickled!

An extra tip that might be helpful to users scanning the comments: add an entry to your local computer's .ssh/config file. The following would be a good option

host slice
 user demo
 hostname demoslice.com
 port 30000

This will not only keep you from having to type in -p 30000 every time you do something ssh related, but it will also allow you to set up other services (ie git repository) with ease!

Thanks again for the help Pickled.

I've gone through the instructions twice and it keeps coming back with "Operation Timed Out" when I try to SSH in with the user account. Any guesses?

Excellent tutorial. Thank you!

Spot on tutorial. Worked the first time for me. Thanks.

@Gman - just have your buddy generate an SSH keypair and put his public key into your /root/.ssh/authorized_keys file. No need to enable password auth, and any SSH client worth using can auth with a public key.

A couple more comments - put a passphrase on your ssh keypair and use "ssh-agent" (via "ssh-add") and you won't need to type your passphrase for every connection (it's cached into ssh-agent). You get two-factor authentication for free.

I personally leave SSH on the default port and firewall it off from everywhere but a few IP addresses, but that's me. Better to lock down the port than move it around.

Yes, this tutorial requires careful attention it seems - I chose not to change my sshd port, or anyhow hadn't restarted my ssh session - and then running the iptables config blocked the port I was using (same with a couple folks above, it seems), requiring a reboot of the server.

So, be sure to ensure that the port you are accessing the server through at the time remains open in the iptables config before testing it.

Note, I was wrong in the above note - sorry! Established connections are not blocked, as explained later in the tutorial.

What I did, though, was

iptables-restore > etc.iptables.test.rules

note the wrong sign - now, this totally disabled connectivity until a reboot. I know what '<' and '>' mean in bash, too, so I should have known better!

Just a note to those having problems with vim in Ubuntu hardy with it inserting wierd cahracters for the arrow keys, I figured out the problem.

Basically, hardy ships with the vim-tiny package instead of the vim package, and there's some difference that makes everything work OK in regular vim but not vim-tiny.

To fix, run sudo apt-get remove vim-tiny vim-runtime vim-common followed by sudo apt-get install vim-runtime vim-common vim

You might actually only have to remove vim-tiny and add vim but I wasn't sure so I did all the vim packages.

This command will show more info about the firewall rules:

sudo iptables -L -v

I can't setup sudo priviliges for one of the accounts I created with adduser. I visudo and added the line demo ALL=(ALL) ALL at the end of /etc/sudoers but I still get and error when I sudo from demo: sudo ls / [sudo] password for pts: Sorry, try again.

Really good series of articles.

Just some important things to keep in mind for setting up ssh that I found useful:

1. Changes to /etc/ssh/sshd_config are not noted by the the ssh daemon until you load them with /etc/init.d/ssh reload. You must do this every time you edit the file to change the port, add a user, etc. Then the changes take place. If you don't do this reload then you are only doing password authentication and not key authentication. Worse still - you think you're fully secure because you may not know any better (like me for the last week).

2. To add another user to ssh you can simply get him to generate the public-private key pair, then get him to email you public key and follow the instructions as above for his new user account.

3. It's not a good idea to switch off passwords on the private key. You can still log on securely without the private key password with ssh_agent as follows:

4. Go to /home/<your_acc>/.ssh directory on your local machine (not the slice)
5. Type ssh-add <private>
6. Enter private key password

7. You can now log on more securely without pwd

8. If you didn't add a pwd on your private key file at the start then you can still do this as follows

9. Go to /home/<your_acc>/.ssh directory on local machine (not the slice)
10. Type ssh-keygen -p
11. You are prompted to enter relevant private key file name and to set new password on it.

I've completed the tutorial (twice). When I attempt to SSH in, I'm still asked for a password. Given that I have PasswordAuthentication to "no", I cannot log in.

I'm on Leopard.

I ran through the tutorial again, this time forgoing a password for the SSH key, and I can now log in without a password. However, I had to type the following on my local machine (again, running OS X 10.5):

ssh-add nameof_mykey

After that it worked. I'll also add that I named my key something other than the id_rsa. While I can log in okay, I get the following error every time I do:

key_read: uudecode (bunch of characters) failed

Any ideas?

Thanks for the well written tutorial! I can't wait to get my site up and running on a real host. I think I'm going to burn my copy of windows and learn unix after this...

No matter what I do I can never save my sshd_config. I always get the following error: [ Error writing /etc/ssh/sshd_config: Permission denied ]

I have followed the article to the letter several time with the same result. If I log out and try again I get a warning about a .tmp file and no matter what I can proceed no further. Please help.

Really good article...

I need to use password authentication as I need access from several locations.

Are there any other settings in the supplied sshd_config file that need to be changed apart from 'PasswordAuthentication no' to allow me access. PuTTy is connecting but closing as soon as I enter my user password.

Worked like a charm. Appreciate the time put into this.

I was getting crazy behavior when running the vi commands, so I just did a quick: apt-get install vim and everything 300% more sane.

I've noticed that the /etc/network/interfaces file gets overwritten each time I get a new IP address assigned to the slice. Might be something worth paying attention to.

Hi - thanks for a great article. I have one annoying problem though - I have turned off root login, created the new user, allowed access to the user and set 'ALL' privileges. The new user can login just fine from SSH and SFTP - I can do most things I want but when I try to edit files using Coda (my SFTP client), I get a permission denied message. I have re-checked the "[myusernmae] ALL=(ALL) ALL" line and that seems to be intact. Any ideas?

Hi, Thanks for this great service. i just setup my slice and everything went fine. I was just installing proftpd on my slice.

i installed proftpd using "sudo aptitude install proftpd" command. proftpd is running as inetd. not as a standalone server.

But i am not able to connect to server using ftp client. I guess ftp ports 21 and 20 are not allowed in iptables firewall.

can you please help me on how to open ftp ports in iptables.

Thanks

I've always locked the root account as well with passwd root -l

Is there still any value in that if root ssh has been disabled?

How in the world does one get multiple SSH keys to work on a server? I can log in from my mac to my primary server no problem - the generated key works fine. I have then generated a public/private key from my second server and SCP'd the public key across to the primary server, and then edited the authorizedkeys file to add in the pub key, but it still asks me for a password. I have also tried creating a authorizedkey2 file on the primary server for the second pub key, but no luck. Any ideas?

Just as a quick note, > redirects stdout into a file. If you don't have permission to edit that file, however, it'll fail. If you want to replicate this, pipe to sudo tee to write stdout to a file.

For example:

sudo iptables-save | sudo tee /etc/iptables.up.rules

@sipskin re: multiple SSH keys on a server... see here

hope that helps!

What settings should I use in the IPtables to allow remote connections to MySql? Thanks!

I've made it wrong the first time, so I'd like to suggest a change:

Where you read: Let's assume you've decided that you want a firewall. Create the file /etc/iptables.test.rules and add some rules to it. nano /etc/iptables.test.rules Look at this example iptables configuration file.

I think you'd better add something like: Don't forget to change 3000 port in the rule bellow: -A INPUT -p tcp -m state --state NEW --dport 30000 -j ACCEPT

It's silly but I've made it wrong and could't log in again after restarting ssh until I fixed it.

Sorry for the english.

Thanks for this tutorial. I hate doing Linux stuff on my own, and I especially hate trying to figure out what things to do.

Running the 'ssh-copy-id' command locally was a lot easier for me than the 6 manual commands shown here.

I didn't have any problems using nano with OSX

Wow! Thanks for this tutorial. I hate doing Linux stuff on my own, and I especially hate trying to figure out what things to do.

Thanks a million for the above article. I am having one issue though...

I'm using Putty to ssh to my slice as my machine runs on windows. I followed the article except for

1. the generation of the private public keys.. (I used this article for that bit... http://articles.slicehost.com/2009/2/4/ssh-puttygen) - as a result I left out SSH KeyGen
2. I also left out the SSH Copy sections

I continued to follow this articles instructions from SSH Permissions where permissions get set.

Anyhow my issue is that logging on as Root works perfectly... however I get the 'Server refused our key' when attempting to logon as the new admin user set up at the very start. Anyone any ideas where i might be going wrong please?

Thanks

For those asking for how to allow mysql connection from another slice-- add a rule like this after the HTTP/HTTPS rules:

-A INPUT -p tcp --dport 3306 -j ACCEPT -i eth1

You can restrict further using the source's IP with the -s flag I think.

Note that you should set the ssh port number to something between 49152 and 65535. (see http://www.iana.org/assignments/port-numbers for details). I was having problems with the "iptables-restore" command, getting an "invalid port/service specified" error, because I inadvertently used a number higher than 65535.

Remember to restart the SSH daemon :

sudo /etc/init.d/ssh restart

after you’ve finished changing your SSH settings and have save your changes to the sshd_config file.

Failing to do so got me locked out in my first attempt and I had to rebuild my slice.

thanks for the effort worked first time. thumbs up to slicehost so far :)