我们正在推出一个新的Lish SSH网关,通过引入一个单一的地方来访问你所有的Linode的Lish,不管他们的主机或数据中心,从而简化了Lish。 它消除了对每个节点Lish密码和SSH密钥的需求。相反,Lish网关使用你现有的Linode Manager凭证进行验证。你还会注意到在Linode管理器的 "我的资料 "部分有一个新的 "Lish SSH密钥 "字段,在那里你可以提交SSH公共密钥,以验证你对这些新的Lish网关盒子的身份。
为了提供一点背景,Lish是Linode Shell。它为你提供了发布重启和关机任务的能力,检查你的Linode的状态,最重要的是,访问你运行的Linode的控制台并与之互动。Lish是一个带外控制台,这意味着你可以访问它,即使你的Linode的网络被禁用。
以前,每个Linode都需要自己的Lish SSH用户名、密码和SSH密钥。对Lish的访问是通过与你的Linode主机的直接SSH连接。在未来几周内,我们将完全取消主机对公共互联网的访问,因此,旧的Lish访问方法将不再起作用。
Lish-via-SSH进入主机的功能将于2013年5月10日(星期五)下午1:00 EDT停止。 因此,请调整任何脚本或别名以利用新的利什网关。
当你登录到新的Lish网关时,你会看到你的Linodes和它们的位置列表,如下图所示。
$ ssh caker@lish-newark.linode.com 位于该数据中心的Linode。 linode2345 Newark, NJ linode3456 纽瓦克,新泽西州 linode4567 纽瓦克,新泽西州 位于其他数据中心的林节点。 沙盒 达拉斯,德克萨斯州 linode5678 达拉斯,德克萨斯州 [caker@lish-newark.linode.com]#
然后,在命令提示符下,你可以输入你想进行Lish连接的Linode的名称。在上面的例子中,你可以输入 "linode2345 "来访问linode2345的Lish控制台。一旦你在一个特定的Linode上,Lish将像以前一样工作。当你退出linode2345的Lish时,你会被带回到网关菜单。
你也可以通过这样的技巧来绕过菜单。
$ ssh -t caker@lish-newark.linode.com linode2345
而像这样直接向Linode的Lish发送命令。
$ ssh -t caker@lish-newark.linode.com linode2345 logview
我们已经在所有六个数据中心设置了利什网关。你可以使用任何网关来访问任何Linode,但我们建议使用在地理上离你或你的Linode最近的一个。这里是Lish网关的盒子。
- lish-tokyo.linode.com
- lish-fremont.linode.com
- lish-dallas.linode.com
- lish-atlanta.linode.com
- lish-newark.linode.com
- lish-london.linode.com
Lish网关盒可以通过IPv4和IPv6访问。 连接到你的Linode的Lish的Ajax方法不受这些变化的影响。
享受吧!
-冯小刚
评论 (33)
Absolutely fantastic. Just cleaned out all the old LiSH connections and added the single one that works like a charm.
One question though: once you’re inside a specific host, can you back out to the main list?
Yes. Control-a then d like normal to get you out of the console and back to the Lish prompt for that Linode. Then if you exit there, you will end up back at the gateway’s menu.
Is this update related to the recent security breach?
Ideally for me, there’d be a way to have credentials to access LISH and credentials to access the dashboard being different.
Excellent! Time to get updated on everything, though I have a question:
What is the RSA fingerprint(s) for the new consoles? All I can find in my Profile or Linode Remote Access settings are the old per-Linode lish fingerprints.
Thanks!
I like this. One thought: ‘logout’ and/or ‘exit’ would be handy as valid commands at the LISH gateway, as they are on the LISH host.
It looks like you’ve taken away the option to connect to lish via ports 443 and 2200.
443 was especially useful when behind some firewalls, please can you re-instate access on those ports?
It would be nice if the SSH fingerprints for the gateway servers were published somewhere, like is currently done for the host machine fingerprints.
I’ve just changed every password, regenerated API key and copied my ssh key from the deprecated “Lish via SSH Keys” box to the appropriate box into my profile.
Everything work well, but the new lish console return an error if I try to connect directly to my node.
I mean if I proceed step by step everything work well:
1) ssh lishserveraddress
2) type the name of the node
3) login prompt of my node, OK!
but I get an error message If I try the “short” version adding the name of the host to the command:
– ssh lish-london.linode.com NAMEOFMYNODE
Error:
Linode Shell (lish) Console starting…
[linode1234567890@london123456 lish] Must be connected to a terminal.
Your Linode isn’t running, or another console session is already active.
/bin/stty: standard input: Inappropriate ioctl for device
[linode30368@london522 lish]# /bin/stty: standard input: Inappropriate ioctl for device
/bin/stty: standard input: Inappropriate ioctl for device
Curiously if I add a command (ex. kill, or shutdown) it works well:
1) ssh lish-london.linode.com NAMEOFMYNODE kill
2) OK, it works…
Do I have to set anything else to have it working?
For me it’s not a problem because I can reach the login prompt of my node (my main need), but just to understand if I have done something wrong or incomplete, or if there is a persistent problem in the new lish console system.
Thank you
Raffaele Tripodo: Use the -t option:
ssh -t lish-london.linode.com NAMEOFMYNODE
Otherwise, ssh won’t allocate a tty.
Any chance to bring back the use of a private key? I used a private key to secure up Lish access because it allowed an alternate way that wasn’t secured the same as my SSH connections and I had the old Lish use private keys for authentication.
Robert you can supply any key you want for Lish on your My Profile page – it doesn’t need to be the same identity as your other ssh sessions.
Will there eventually be a permission in the manager to allow/disallow users from accessing the Lish console? I don’t necessarily want our billing users accounts having the ability to reboot servers.
How do I create a simple ssh_config entry? I’ve got RequestTty but can’t figure out how to send ‘linode54321’ without having to specify it on the command line.
Do the gateways also listen on port 443? So far I have been unable to connect on that port, but it works fine if I connect to the Lish on my host.
@Ryan Tucker
It works great! Thank you.
Please allow us to connect on port 443! This was a great feature.
@caker —
The public key authentication method only appears to work for the depreciated method. On the depreciated method I get this:
Using username “linode180478”.
Authenticating with public key “rsa-key-20120901”
Passphrase for key “rsa-key-20120901”:
However on the new method I only get this:
Using username “shinji”.
Server refused our key
shinji@lish-newark.linode.com‘s password:
I use PuTTY for connecting to Lish via SSH.
Robert: I think this is what you’re hitting: A gateway caches used credentials for a few minutes. So newly deployed keys won’t work for a few minutes until the cache expires. It’s a gotcha and we’re thinking about how to make it better. Give it a shot on a different gateway, or wait 10 minutes.
Not listening on 443 is a gotcha as well. We are also working on that, too. Thanks for the suggestions!
It looks like the new method of connecting to lish uses different host keys than the old one. The “Deprecated Lish methods” section lists different host keys than I’m seeing for the new “Lish via SSH” method. The new method should also list the host key fingerprints, or they should be listed somewhere and linked from the new section on the “Remote access” page.
-Mike
@esm, there are no options that can be put in ~/.ssh/config to execute remote commands (at least none that I can find and stackexchance threads saying the same).
You can create bash aliases though to get the simplification you are looking for. alias somecmd=’ssh -t user@lish-newawk.linode.com linode54321′
Stick that in your .bashrc or wherever you like aliases
Hello. Will the permissions be adjusted for sub accounts, so it is possible to manage who have access to what Linodes via lish?
Kristoffer – Like everything else in our system, the Lish gateways use the grants system as defined in the Linode Manager. If a user has the ‘Access’ grant on a Linode, that will include access to that Linode’s Lish via the gateway. No ‘access’ grant on a particular Linode means the user won’t have lish access to that Linode, and it won’t show up in the list.
caker: To securely login via SSH, we need you to publish the fingerprints. For each of these hosts
lish-tokyo.linode.com
lish-fremont.linode.com
lish-dallas.linode.com
lish-atlanta.linode.com
lish-newark.linode.com
lish-london.linode.com
Please run the following command
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub; ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub; ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
and post the results here and in the Linode Manager.
These are the fingerprint Denham Crafton, Courtney Bane, Mike Doherty and also asking for.
Hey Alex – understood – we’ll be adding them shortly along with the other fixes mentioned above. Hang tight!
@caker at first I wasn’t putting the pub key in the right spot. I figured it out when I re-read the post and it said to put it in “My Profile” XD
Working now. Thanks!
Lish gateway ssh fingerprints are now linked from the Remote Access subtab, and are listed on the Lish library article.
Nice, though rest of the Library article needs a major update.
And if I may ask a stupid question…
“””
Unrecognized command.
You may use ‘list’ to list Linodes or specify a Linode label to connect.
“””
Is there a precaution against an unfortunate user labelling his Linode “list”? 🙂
Wojciech – the doc is being reworked – should be updated very soon. A Linode with a label of ‘list’ will preempt the list.
The Lish guide has been updated.
“Lish is useful both for issuing commands like reboot and shutdown to your Linode, and accessing statistics. Statistics include a list of pending jobs (e.g. jobs) and reports on your current Input/Output Status (io_status).”
io_status isn’t included in LISH integrated help, but it exists as a command, seemingly a no-op…
Teaser? 🙂
Ben,
Had the same issue with no remote command support in ssh_config so I requested it: https://bugzilla.mindrot.org/show_bug.cgi?id=2103
Caker, great work and thanks for updating the Lish guide.
This mass ssh access scenario is a good case for using SSHFP DNS entries ( rfc4255 / rfc6594 ) for the fingerprints (and a ssh_config containing the following for users:
host lish-*.linode.com
VerifyHostKeyDNS ask
)
I successfully log in to ssh after mentioning my Linode but its asking local host login again.
If anyone can guide me?