Lish SSH Gateway

We’re rolling out a new Lish SSH gateway that simplifies Lish by introducing a single place to access Lish for all of your Linodes, regardless of their host or datacenter. It eliminates the need for per-Linode Lish passwords and SSH keys. Instead, the Lish gateway uses your existing Linode Manager credentials for authentication. You will also notice a new “Lish SSH Keys” field in the My Profile section of the Linode Manager, where you can submit SSH public keys to authenticate yourself to these new Lish gateway boxes.

To provide a little background, Lish is the Linode Shell. It provides you with the ability to issue reboot and shutdown jobs, check the status of your Linode, and most importantly, access and interact with the console of your running Linode. Lish is an out-of-band console, which means you can access it even when your Linode’s networking is disabled.

Previously, each Linode required its own Lish SSH username, password, and SSH keys. Access to Lish was via a direct SSH connection to your Linode’s host machine. In the coming weeks, we will be completely removing host access from the public Internet, and as such the old Lish access methods will no longer function.

Lish-via-SSH into hosts will cease to function on Friday, May 10, 2013 1:00PM EDT.  As such, please adjust any scripts or aliases to utilize the new Lish gateway.

When you log in to the new Lish gateway, you’ll see a list of your Linodes and their locations, as shown below:

$ ssh [email protected]
Linodes located in this data center:
linode2345           Newark, NJ
linode3456           Newark, NJ
linode4567           Newark, NJ

Linodes located in other data centers:
sandbox              Dallas, TX
linode5678           Dallas, TX
[[email protected]]#

Then, at the command prompt, you can enter the name of the Linode to which you want to make your Lish connection. In the example shown above, you could enter “linode2345” to access the Lish console for linode2345. Once you’re on a specific Linode, Lish will work like it always has. When you exit linode2345’s Lish, you’ll be taken back to the gateway menu.

You can also do tricks like this to bypass the menu all together:

$ ssh -t [email protected] linode2345

And like this to send commands directly to a Linode’s Lish:

$ ssh -t [email protected] linode2345 logview

We’ve set up Lish gateways in all six data centers. You can use any gateway to get to any Linode, but we recommend using the one geographically closest to you or your Linodes. Here are the Lish gateway boxes:

  • lish-tokyo.linode.com
  • lish-fremont.linode.com
  • lish-dallas.linode.com
  • lish-atlanta.linode.com
  • lish-newark.linode.com
  • lish-london.linode.com

The Lish gateway boxes are accessible via both IPv4 and IPv6. The Ajax method of connecting to your Linode’s Lish is unaffected by these changes.

Enjoy!
-Chris

Comments (33)

  1. Artem Russakovskii

    Absolutely fantastic. Just cleaned out all the old LiSH connections and added the single one that works like a charm.

    One question though: once you’re inside a specific host, can you back out to the main list?

  2. caker

    Yes. Control-a then d like normal to get you out of the console and back to the Lish prompt for that Linode. Then if you exit there, you will end up back at the gateway’s menu.

  3. yordle

    Is this update related to the recent security breach?

    Ideally for me, there’d be a way to have credentials to access LISH and credentials to access the dashboard being different.

  4. Denham Crafton

    Excellent! Time to get updated on everything, though I have a question:

    What is the RSA fingerprint(s) for the new consoles? All I can find in my Profile or Linode Remote Access settings are the old per-Linode lish fingerprints.

    Thanks!

  5. Abraham Vegh

    I like this. One thought: ‘logout’ and/or ‘exit’ would be handy as valid commands at the LISH gateway, as they are on the LISH host.

  6. Rowan

    It looks like you’ve taken away the option to connect to lish via ports 443 and 2200.
    443 was especially useful when behind some firewalls, please can you re-instate access on those ports?

  7. Courtney Bane

    It would be nice if the SSH fingerprints for the gateway servers were published somewhere, like is currently done for the host machine fingerprints.

  8. Raffaele Tripodo

    I’ve just changed every password, regenerated API key and copied my ssh key from the deprecated “Lish via SSH Keys” box to the appropriate box into my profile.
    Everything work well, but the new lish console return an error if I try to connect directly to my node.
    I mean if I proceed step by step everything work well:

    1) ssh lishserveraddress
    2) type the name of the node
    3) login prompt of my node, OK!

    but I get an error message If I try the “short” version adding the name of the host to the command:

    – ssh lish-london.linode.com NAMEOFMYNODE

    Error:
    Linode Shell (lish) Console starting…
    [[email protected] lish] Must be connected to a terminal.
    Your Linode isn’t running, or another console session is already active.
    /bin/stty: standard input: Inappropriate ioctl for device
    [[email protected] lish]# /bin/stty: standard input: Inappropriate ioctl for device
    /bin/stty: standard input: Inappropriate ioctl for device

    Curiously if I add a command (ex. kill, or shutdown) it works well:

    1) ssh lish-london.linode.com NAMEOFMYNODE kill
    2) OK, it works…

    Do I have to set anything else to have it working?
    For me it’s not a problem because I can reach the login prompt of my node (my main need), but just to understand if I have done something wrong or incomplete, or if there is a persistent problem in the new lish console system.

    Thank you

  9. Ryan Tucker

    Raffaele Tripodo: Use the -t option:

    ssh -t lish-london.linode.com NAMEOFMYNODE

    Otherwise, ssh won’t allocate a tty.

  10. Robert

    Any chance to bring back the use of a private key? I used a private key to secure up Lish access because it allowed an alternate way that wasn’t secured the same as my SSH connections and I had the old Lish use private keys for authentication.

  11. caker

    Robert you can supply any key you want for Lish on your My Profile page – it doesn’t need to be the same identity as your other ssh sessions.

  12. Jesse

    Will there eventually be a permission in the manager to allow/disallow users from accessing the Lish console? I don’t necessarily want our billing users accounts having the ability to reboot servers.

  13. esm

    How do I create a simple ssh_config entry? I’ve got RequestTty but can’t figure out how to send ‘linode54321’ without having to specify it on the command line.

  14. Matt

    Do the gateways also listen on port 443? So far I have been unable to connect on that port, but it works fine if I connect to the Lish on my host.

  15. Raffaele Tripodo

    @Ryan Tucker

    It works great! Thank you.

  16. Peter

    Please allow us to connect on port 443! This was a great feature.

  17. Robert

    @caker —
    The public key authentication method only appears to work for the depreciated method. On the depreciated method I get this:
    Using username “linode180478”.
    Authenticating with public key “rsa-key-20120901”
    Passphrase for key “rsa-key-20120901”:

    However on the new method I only get this:
    Using username “shinji”.
    Server refused our key
    [email protected]‘s password:

    I use PuTTY for connecting to Lish via SSH.

  18. caker

    Robert: I think this is what you’re hitting: A gateway caches used credentials for a few minutes. So newly deployed keys won’t work for a few minutes until the cache expires. It’s a gotcha and we’re thinking about how to make it better. Give it a shot on a different gateway, or wait 10 minutes.

  19. caker

    Not listening on 443 is a gotcha as well. We are also working on that, too. Thanks for the suggestions!

  20. Mike Doherty

    It looks like the new method of connecting to lish uses different host keys than the old one. The “Deprecated Lish methods” section lists different host keys than I’m seeing for the new “Lish via SSH” method. The new method should also list the host key fingerprints, or they should be listed somewhere and linked from the new section on the “Remote access” page.

    -Mike

  21. Ben Stoutenburgh

    @esm, there are no options that can be put in ~/.ssh/config to execute remote commands (at least none that I can find and stackexchance threads saying the same).

    You can create bash aliases though to get the simplification you are looking for. alias somecmd=’ssh -t [email protected] linode54321′

    Stick that in your .bashrc or wherever you like aliases

  22. Kristoffer

    Hello. Will the permissions be adjusted for sub accounts, so it is possible to manage who have access to what Linodes via lish?

  23. caker

    Kristoffer – Like everything else in our system, the Lish gateways use the grants system as defined in the Linode Manager. If a user has the ‘Access’ grant on a Linode, that will include access to that Linode’s Lish via the gateway. No ‘access’ grant on a particular Linode means the user won’t have lish access to that Linode, and it won’t show up in the list.

  24. Alex

    caker: To securely login via SSH, we need you to publish the fingerprints. For each of these hosts
    lish-tokyo.linode.com
    lish-fremont.linode.com
    lish-dallas.linode.com
    lish-atlanta.linode.com
    lish-newark.linode.com
    lish-london.linode.com

    Please run the following command
    ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub; ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub; ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

    and post the results here and in the Linode Manager.

    These are the fingerprint Denham Crafton, Courtney Bane, Mike Doherty and also asking for.

  25. caker

    Hey Alex – understood – we’ll be adding them shortly along with the other fixes mentioned above. Hang tight!

  26. Robert

    @caker at first I wasn’t putting the pub key in the right spot. I figured it out when I re-read the post and it said to put it in “My Profile” XD

    Working now. Thanks!

  27. caker

    Lish gateway ssh fingerprints are now linked from the Remote Access subtab, and are listed on the Lish library article.

  28. Wojciech

    Nice, though rest of the Library article needs a major update.
    And if I may ask a stupid question…
    “””
    Unrecognized command.
    You may use ‘list’ to list Linodes or specify a Linode label to connect.
    “””
    Is there a precaution against an unfortunate user labelling his Linode “list”? 🙂

  29. caker

    Wojciech – the doc is being reworked – should be updated very soon. A Linode with a label of ‘list’ will preempt the list.

  30. caker

    The Lish guide has been updated.

  31. Wojciech

    “Lish is useful both for issuing commands like reboot and shutdown to your Linode, and accessing statistics. Statistics include a list of pending jobs (e.g. jobs) and reports on your current Input/Output Status (io_status).”

    io_status isn’t included in LISH integrated help, but it exists as a command, seemingly a no-op…

    Teaser? 🙂

  32. Daniel Black

    Ben,

    Had the same issue with no remote command support in ssh_config so I requested it: https://bugzilla.mindrot.org/show_bug.cgi?id=2103

    Caker, great work and thanks for updating the Lish guide.

    This mass ssh access scenario is a good case for using SSHFP DNS entries ( rfc4255 / rfc6594 ) for the fingerprints (and a ssh_config containing the following for users:
    host lish-*.linode.com
    VerifyHostKeyDNS ask
    )

  33. pankaj

    I successfully log in to ssh after mentioning my Linode but its asking local host login again.

    If anyone can guide me?

Leave a Reply

Your email address will not be published. Required fields are marked *