메인 콘텐츠로 건너뛰기
블로그 Linode (주) 리시 SSH 게이트웨이

리시 SSH 게이트웨이

호스트나 데이터 센터에 관계없이 모든 리노드에 대한 Lish에 액세스할 수 있는 단일 장소를 도입하여 Lish를 간소화하는 새로운 Lish SSH 게이트웨이를 출시하고 있습니다. 그것은 리노드 리시 암호 및 SSH 키당 필요성을 제거합니다. 대신 Lish 게이트웨이는 기존 Linode Manager 자격 증명을 인증에 사용합니다. 또한 Linode Manager의 내 프로필 섹션에서 새로운 "Lish SSH 키" 필드를 확인할 수 있으며, SSH 공개 키를 제출하여 이러한 새로운 리시 게이트웨이 상자에 인증할 수 있습니다.

약간의 배경을 제공하기 위해 리쉬는 리노드 쉘입니다. 재부팅 및 종료 작업을 실행하고, Linode 상태를 확인하고, 가장 중요한 것은 실행 중인 Linode의 콘솔에 액세스하고 상호 작용할 수 있는 기능을 제공합니다. Lish는 밴드 외 콘솔로, Linode의 네트워킹이 비활성화된 경우에도 액세스할 수 있습니다.

이전에는 각 Linode에 자체 Lish SSH 사용자 이름, 암호 및 SSH 키가 필요했습니다. 리쉬에 대한 액세스는 Linode의 호스트 기계에 직접 SSH 연결을 통해했다. 앞으로 몇 주 동안 공용 인터넷에서 호스트 액세스를 완전히 제거할 것이며 이전 Lish 액세스 방법이 더 이상 작동하지 않습니다.

2013년 5월 10일 금요일 오후 1:00EDT에서 리시비아 SSH가 호스트로 활동하지 않습니다.  따라서 새 Lish 게이트웨이를 활용하려면 스크립트 나 별칭을 조정하십시오.

새 리시 게이트웨이에 로그인하면 아래와 같이 Linodes 및 해당 위치 목록이 표시됩니다.

$ ssh caker@lish-newark.linode.com
이 데이터 센터에 있는 Linodes:
linode2345 뉴어크, 뉴저지
linode3456 뉴어크, 뉴저지
linode4567 뉴어크, 뉴저지

다른 데이터 센터에 위치한 Linodes:
샌드박스 댈러스, TX
linode5678 달라스, TX
[caker@lish-newark.linode.com] #

그런 다음 명령 프롬프트에서 리쉬 연결을 만들려는 Linode의 이름을 입력할 수 있습니다. 위에 표시된 예제에서는 "linode2345"를 입력하여 linode2345용 Lish 콘솔에 액세스할 수 있습니다. 특정 리노드에 도착하면, 리쉬는 언제나 처럼 작동합니다. linode2345의 Lish를 종료하면 게이트웨이 메뉴로 돌아갑니다.

메뉴를 모두 함께 우회하기 위해 다음과 같은 트릭을 할 수도 있습니다.

$ ssh -t caker@lish-newark.linode.com linode2345

그리고 이처럼 Linode의 리쉬에 직접 명령을 보낼 수 있습니다.

$ ssh -t caker@lish-newark.linode.com linode2345 로그 뷰

6개의 데이터 센터에 Lish 게이트웨이를 설정했습니다. 모든 게이트웨이를 사용하여 Linode에 도착할 수 있지만 지리적으로 가장 가까운 게이트웨이 또는 Linodes를 사용하는 것이 좋습니다. 다음은 Lish 게이트웨이 상자입니다.

  • lish-tokyo.linode.com
  • lish-fremont.linode.com
  • lish-dallas.linode.com
  • lish-atlanta.linode.com
  • lish-newark.linode.com
  • lish-london.linode.com

Lish 게이트웨이 박스는 IPv4 및 IPv6을 통해 액세스할 수 있습니다. Linode의 리쉬에 연결하는 Ajax 방법은 이러한 변경사항의 영향을 받지 않습니다.

즐길!
-Chris


댓글(33)

  1. Author Photo
    Artem Russakovskii

    Absolutely fantastic. Just cleaned out all the old LiSH connections and added the single one that works like a charm.

    One question though: once you’re inside a specific host, can you back out to the main list?

  2. Christopher Aker

    Yes. Control-a then d like normal to get you out of the console and back to the Lish prompt for that Linode. Then if you exit there, you will end up back at the gateway’s menu.

  3. Author Photo

    Is this update related to the recent security breach?

    Ideally for me, there’d be a way to have credentials to access LISH and credentials to access the dashboard being different.

  4. Author Photo

    Excellent! Time to get updated on everything, though I have a question:

    What is the RSA fingerprint(s) for the new consoles? All I can find in my Profile or Linode Remote Access settings are the old per-Linode lish fingerprints.

    Thanks!

  5. Author Photo

    I like this. One thought: ‘logout’ and/or ‘exit’ would be handy as valid commands at the LISH gateway, as they are on the LISH host.

  6. Author Photo

    It looks like you’ve taken away the option to connect to lish via ports 443 and 2200.
    443 was especially useful when behind some firewalls, please can you re-instate access on those ports?

  7. Author Photo

    It would be nice if the SSH fingerprints for the gateway servers were published somewhere, like is currently done for the host machine fingerprints.

  8. Author Photo
    Raffaele Tripodo

    I’ve just changed every password, regenerated API key and copied my ssh key from the deprecated “Lish via SSH Keys” box to the appropriate box into my profile.
    Everything work well, but the new lish console return an error if I try to connect directly to my node.
    I mean if I proceed step by step everything work well:

    1) ssh lishserveraddress
    2) type the name of the node
    3) login prompt of my node, OK!

    but I get an error message If I try the “short” version adding the name of the host to the command:

    – ssh lish-london.linode.com NAMEOFMYNODE

    Error:
    Linode Shell (lish) Console starting…
    [linode1234567890@london123456 lish] Must be connected to a terminal.
    Your Linode isn’t running, or another console session is already active.
    /bin/stty: standard input: Inappropriate ioctl for device
    [linode30368@london522 lish]# /bin/stty: standard input: Inappropriate ioctl for device
    /bin/stty: standard input: Inappropriate ioctl for device

    Curiously if I add a command (ex. kill, or shutdown) it works well:

    1) ssh lish-london.linode.com NAMEOFMYNODE kill
    2) OK, it works…

    Do I have to set anything else to have it working?
    For me it’s not a problem because I can reach the login prompt of my node (my main need), but just to understand if I have done something wrong or incomplete, or if there is a persistent problem in the new lish console system.

    Thank you

  9. Author Photo

    Raffaele Tripodo: Use the -t option:

    ssh -t lish-london.linode.com NAMEOFMYNODE

    Otherwise, ssh won’t allocate a tty.

  10. Author Photo

    Any chance to bring back the use of a private key? I used a private key to secure up Lish access because it allowed an alternate way that wasn’t secured the same as my SSH connections and I had the old Lish use private keys for authentication.

  11. Christopher Aker

    Robert you can supply any key you want for Lish on your My Profile page – it doesn’t need to be the same identity as your other ssh sessions.

  12. Author Photo

    Will there eventually be a permission in the manager to allow/disallow users from accessing the Lish console? I don’t necessarily want our billing users accounts having the ability to reboot servers.

  13. Author Photo

    How do I create a simple ssh_config entry? I’ve got RequestTty but can’t figure out how to send ‘linode54321’ without having to specify it on the command line.

  14. Author Photo

    Do the gateways also listen on port 443? So far I have been unable to connect on that port, but it works fine if I connect to the Lish on my host.

  15. Author Photo
    Raffaele Tripodo

    @Ryan Tucker

    It works great! Thank you.

  16. Author Photo

    Please allow us to connect on port 443! This was a great feature.

  17. Author Photo

    @caker —
    The public key authentication method only appears to work for the depreciated method. On the depreciated method I get this:
    Using username “linode180478”.
    Authenticating with public key “rsa-key-20120901”
    Passphrase for key “rsa-key-20120901”:

    However on the new method I only get this:
    Using username “shinji”.
    Server refused our key
    shinji@lish-newark.linode.com‘s password:

    I use PuTTY for connecting to Lish via SSH.

  18. Christopher Aker

    Robert: I think this is what you’re hitting: A gateway caches used credentials for a few minutes. So newly deployed keys won’t work for a few minutes until the cache expires. It’s a gotcha and we’re thinking about how to make it better. Give it a shot on a different gateway, or wait 10 minutes.

  19. Christopher Aker

    Not listening on 443 is a gotcha as well. We are also working on that, too. Thanks for the suggestions!

  20. Author Photo

    It looks like the new method of connecting to lish uses different host keys than the old one. The “Deprecated Lish methods” section lists different host keys than I’m seeing for the new “Lish via SSH” method. The new method should also list the host key fingerprints, or they should be listed somewhere and linked from the new section on the “Remote access” page.

    -Mike

  21. Author Photo
    Ben Stoutenburgh

    @esm, there are no options that can be put in ~/.ssh/config to execute remote commands (at least none that I can find and stackexchance threads saying the same).

    You can create bash aliases though to get the simplification you are looking for. alias somecmd=’ssh -t user@lish-newawk.linode.com linode54321′

    Stick that in your .bashrc or wherever you like aliases

  22. Author Photo

    Hello. Will the permissions be adjusted for sub accounts, so it is possible to manage who have access to what Linodes via lish?

  23. Christopher Aker

    Kristoffer – Like everything else in our system, the Lish gateways use the grants system as defined in the Linode Manager. If a user has the ‘Access’ grant on a Linode, that will include access to that Linode’s Lish via the gateway. No ‘access’ grant on a particular Linode means the user won’t have lish access to that Linode, and it won’t show up in the list.

  24. Author Photo

    caker: To securely login via SSH, we need you to publish the fingerprints. For each of these hosts
    lish-tokyo.linode.com
    lish-fremont.linode.com
    lish-dallas.linode.com
    lish-atlanta.linode.com
    lish-newark.linode.com
    lish-london.linode.com

    Please run the following command
    ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub; ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub; ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

    and post the results here and in the Linode Manager.

    These are the fingerprint Denham Crafton, Courtney Bane, Mike Doherty and also asking for.

  25. Christopher Aker

    Hey Alex – understood – we’ll be adding them shortly along with the other fixes mentioned above. Hang tight!

  26. Author Photo

    @caker at first I wasn’t putting the pub key in the right spot. I figured it out when I re-read the post and it said to put it in “My Profile” XD

    Working now. Thanks!

  27. Christopher Aker

    Lish gateway ssh fingerprints are now linked from the Remote Access subtab, and are listed on the Lish library article.

  28. Author Photo

    Nice, though rest of the Library article needs a major update.
    And if I may ask a stupid question…
    “””
    Unrecognized command.
    You may use ‘list’ to list Linodes or specify a Linode label to connect.
    “””
    Is there a precaution against an unfortunate user labelling his Linode “list”? 🙂

  29. Christopher Aker

    Wojciech – the doc is being reworked – should be updated very soon. A Linode with a label of ‘list’ will preempt the list.

  30. Christopher Aker

    The Lish guide has been updated.

  31. Author Photo

    “Lish is useful both for issuing commands like reboot and shutdown to your Linode, and accessing statistics. Statistics include a list of pending jobs (e.g. jobs) and reports on your current Input/Output Status (io_status).”

    io_status isn’t included in LISH integrated help, but it exists as a command, seemingly a no-op…

    Teaser? 🙂

  32. Author Photo

    Ben,

    Had the same issue with no remote command support in ssh_config so I requested it: https://bugzilla.mindrot.org/show_bug.cgi?id=2103

    Caker, great work and thanks for updating the Lish guide.

    This mass ssh access scenario is a good case for using SSHFP DNS entries ( rfc4255 / rfc6594 ) for the fingerprints (and a ssh_config containing the following for users:
    host lish-*.linode.com
    VerifyHostKeyDNS ask
    )

  33. Author Photo

    I successfully log in to ssh after mentioning my Linode but its asking local host login again.

    If anyone can guide me?

댓글 남기기

이메일 주소는 게시되지 않습니다. 필수 필드가 표시됩니다 *