Dogfish

Tim Dobson-2

Dogfish

So following discussions it has been agreed to get a VPS.

I've volunteered to semi-administrate its existence.

We have ordered the lowest spec of VPS from bitfolk.com

Robert L & I have root access due to our ssh keys being installed on the
root account.

I've changed the root password to something very long and put it in a
safe place.

I think the idea is that everyone will be able to have an account on it
though the actual list of people who will have sudo rights is currently
a bit unclear.

Anyway, the machine has been named dogfish and it will be found at
dogfish.dfey.org

When it's clear who will have sudo/root access, they will be contactable
on [hidden email]

I suggest that we strongly encourage use of ssh public key
authentication to log into the machine due to the number of compromises
that occur due to weak passwords.

Tim



Isabell Long

Re: Dogfish

On 18/07/2009, Tim Dobson <[hidden email]> wrote:
> Robert L & I have root access due to our ssh keys being installed on the
> root account.

Okay then!

> I think the idea is that everyone will be able to have an account on it
> though the actual list of people who will have sudo rights is currently
> a bit unclear.

What would the account be able to be used for?
>
> Anyway, the machine has been named dogfish and it will be found at
> dogfish.dfey.org

Nice name!

>
> I suggest that we strongly encourage use of ssh public key
> authentication to log into the machine due to the number of compromises
> that occur due to weak passwords.

SSH public key authentication?  What is that?

--
Regards,
Isabell Long.  <[hidden email]>
[[User:Isabell121]] on all public Wikimedia projects.


Tim Dobson-2

Re: Dogfish

In reply to this post by Tim Dobson-2
Tim Dobson wrote:
> I think the idea is that everyone will be able to have an account on it
> though the actual list of people who will have sudo rights is currently
> a bit unclear.

I suggest adding the following shell programs:

mc nano vim emacs irssi bitchx finch screen mutt talk talkd

What do people think? Agree/Disagree?

Can you think of other stuff like that that might be worth installing?

Tim


Richard Thompson-2

Re: Re: Dogfish



2009/7/18 Tim Dobson <[hidden email]>
> Tim Dobson wrote:
>> I think the idea is that everyone will be able to have an account on it though the actual list of people who will have sudo rights is currently a bit unclear.
>
> I suggest adding the following shell programs:
>
> mc nano vim emacs irssi bitchx finch screen mutt talk talkd
>
> What do people think? Agree/Disagree?
>
> Can you think of other stuff like that that might be worth installing?
>
> Tim


vim emacs nano

irssi bitchx

Seems redundant to me but I don't really mind :)

--
Richard Thompson


Isabell Long

Re: Re: Dogfish

In reply to this post by Tim Dobson-2
On 18/07/2009, Tim Dobson <[hidden email]> wrote:

> Tim Dobson wrote:
>> I think the idea is that everyone will be able to have an account on it
>> though the actual list of people who will have sudo rights is currently
>> a bit unclear.
>
> I suggest adding the following shell programs:
>
> mc nano vim emacs irssi bitchx finch screen mutt talk talkd
>
> What do people think? Agree/Disagree?

Definitely agree with those choices.  :)

--
Regards,
Isabell Long.  <[hidden email]>
[[User:Isabell121]] on all public Wikimedia projects.


Tim Dobson-2

Re: Dogfish

In reply to this post by Isabell Long
Isabell Long wrote:
> On 18/07/2009, Tim Dobson <[hidden email]> wrote:
>> I suggest that we strongly encourage use of ssh public key
>> authentication to log into the machine due to the number of compromises
>> that occur due to weak passwords.
>
> SSH public key authentication?  What is that?

Sorry to get really verbose;
I've just copied and pasted and modified a little, a howto I use at work,

Cheers

Tim

If you are unfamiliar with SSH public key authentication, I’m happy to
support you learning it – it’s easier and more secure than passwords! :-)

You need to generate a SSH key for yourself. Using OpenSSH on GNU/Linux
or Mac OS X:

0. In the unlikely event you don’t have OpenSSH installed, install it
1. Run “ssh-keygen -t dsa”
2. Accept the default file and enter a passphrase
3. Print the public key data and copy and paste it into your reply to
this email

For example:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_dsa):
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_dsa.
Your public key has been saved in /home/username/.ssh/id_dsa.pub.
The key fingerprint is:
f3:31:a8:c6:82:18:c8:0f:dd:6b:fb:27:98:83:3d:3b username@hostname
$ cat .ssh/id_dsa.pub
ssh-dss
AAAAB3NzaC1kc3MAAACBANDe4j3VF6p3T1O25wjphQhkJposn65npbTkmR4I3PJBjq9ybNpFyPUTT+LOkCLV02QqKceAVZiwo14WCCdFv1Wm+PMo6RW0uJa+pXA69gdS7ck6lJRLnfoHH2L49WTdynhmrMzQq2i2aqiNyvnRDWsTtvcyD+PV1rEhi7K5T2iZAAAAFQCJSZ++/fxxiheBBDvGVSifoJvsHwAAAIEApAkKYLZkiXrWr3qeWU3j8d8XvzJf/NP4nyqahc63S6EAfc90T6n4casdha78hsd9a7hsd7ahsdpJwltK2agrMAe5gQ4kAVR1UN7qynDj+iUAzUZsTFYZlyGLsTTrZ6pFuLRAj/c8/dwXUSaIGEhsXFelb/SjAPtDQyR6V80AAACARfLnjV8YgTzMXtBSeslc6LAzx2ZRwZXW91S/ohhi7+xkXg/Y/u+7NDBuHVo8E9b4rn2QnqfCacG8KpZ6sJgUgZZYzpgE+tW6ddtVo7MG35E1Y4P/AhJDBhltnkAE9xaEI3mQsKvxVE2ZqHlVapTT/ESAbhJFDWfMC4DJ6zlRHdA=
username@hostname
$

To generate a SSH key using PuTTY on Windows:

0. Download and install the PuTTY suite of OpenSSH tools from
http://www.chiark.greenend.org.uk/sgtatham/putty/download.html
1. Run “PUTTYGEN.EXE”
2. Select “SSH2 DSA” in the “Parameters” section
3. Click “Generate”
4. Move the mouse over the blank area of the program until puttygen has
enough entropy
5. Click “Save private key” button and save the private key as
“DfeyDogfish.ppk”
6. Copy the “Public key for pasting into OpenSSH authorized_keys2 file”
data and email it to [hidden email]

When I have your public key, I’ll copy it to your user’s
/.ssh/authorized_keys on your machine, and you’ll then be able to log in
over ssh as root from any Unix machine with your private key in
/.ssh/id_dsa or on a Windows machine with a PuTTY ‘saved session’
configured to use the Private Key that you saved.

If you’re curious about all this, the PuTTY documentation at
http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html is
excellent, as is the http://www.openssh.org/ site.

Also I recommend using OpenSSH for file transfer as well as remote
login, instead of insecure legacy protocols like FTP.
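
Added example (not part of Tim's email or of any project's code): one way the person receiving keys could check a pasted public key before installing it. Mail clients often wrap the key over several lines, as in the session above, while authorized_keys needs it on a single line. The function names and the allowed-type list are assumptions; ssh-dss is left off the list because OpenSSH has disabled DSA keys by default since release 7.0.

```bash
#!/bin/sh
# Added example, not from the thread: check a public key pasted into an email
# before it goes into authorized_keys. All function names are made up here.

ALLOWED_TYPES="ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256"  # ssh-dss left out

# Constructed sample: structurally valid ssh-ed25519 blob (32 'A' bytes, not
# a usable key), wrapped over three lines like the session above.
sample_wrapped_key() {
    blob=$( { printf '\000\000\000\013ssh-ed25519\000\000\000\040'
              printf '%032d' 0 | tr 0 A; } | base64 | tr -d '\n' )
    printf 'ssh-ed25519\n%s\nusername@hostname\n' "$blob"
}

# Reads the pasted key on stdin. On success prints it as the single
# "type blob comment" line authorized_keys needs; otherwise returns 1.
check_pubkey() {
    line=$(tr -s ' \t\r\n' ' ' | sed -e 's/^ //' -e 's/ $//')
    ktype=${line%% *}; rest=${line#* }; blob=${rest%% *}
    case " $ALLOWED_TYPES " in
        *" $ktype "*) ;;
        *) echo "rejected: key type '$ktype' not allowed" >&2; return 1 ;;
    esac
    # Decode to hex, then walk the 4-byte-length-prefixed fields of the blob.
    hex=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    total=${#hex}; off=0; n=0; first=
    while [ "$off" -lt "$total" ]; do
        [ $((off + 8)) -le "$total" ] || { echo "rejected: truncated blob" >&2; return 1; }
        lhex=$(printf '%s' "$hex" | cut -c$((off + 1))-$((off + 8)))
        len=$((0x$lhex * 2))
        off=$((off + 8)); n=$((n + 1))
        [ $((off + len)) -le "$total" ] || { echo "rejected: truncated blob" >&2; return 1; }
        [ "$n" -ne 1 ] || first=$(printf '%s' "$hex" | cut -c$((off + 1))-$((off + len)))
        off=$((off + len))
    done
    want=$(printf '%s' "$ktype" | od -An -v -tx1 | tr -d ' \n')
    [ "$n" -ge 2 ] && [ "$first" = "$want" ] ||
        { echo "rejected: blob does not encode a $ktype key" >&2; return 1; }
    printf '%s\n' "$line"
}

sample_wrapped_key | check_pubkey
```

The structural walk catches a blob that lost its tail in transit or was paired with the wrong type label; it does not prove who sent the key, so the fingerprint still needs confirming with the owner over another channel.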




Tim Dobson-2

Re: Re: Dogfish

In reply to this post by Richard Thompson-2
Richard Thompson wrote:

>
>
> 2009/7/18 Tim Dobson <[hidden email] <mailto:[hidden email]>>
>
>     Tim Dobson wrote:
>
>         I think the idea is that everyone will be able to have an
>         account on it though the actual list of people who will have
>         sudo rights is currently a bit unclear.
>
>
>     I suggest adding the following shell programs:
>
>     mc nano vim emacs irssi bitchx finch screen mutt talk talkd
>
>     What do people think? Agree/Disagree?
>
>     Can you think of other stuff like that that might be worth installing?
>
>     Tim
>
>
> vim emacs nano
>
> irssi bitchx
>
> Seems redundant to me but I don't really mind :)

We could just have emacs and bitchx? ;) but if we start to discuss which
"one" text editor we should use we'll be arguing all day.

There aren't any security implications I can think of from multiple
programs or any things that may cause confusion, so I think, as disk
space isn't a massive issue, having all of them would be best...

Tim


Blake Kelly

Re: Re: Dogfish

In reply to this post by Tim Dobson-2
2009/7/18 Tim Dobson <lists@tdobson.net>
> Tim Dobson wrote:
>> I think the idea is that everyone will be able to have an account on it though the actual list of people who will have sudo rights is currently a bit unclear.
>
> I suggest adding the following shell programs:
>
> mc nano vim emacs irssi bitchx finch screen mutt talk talkd
>
> What do people think? Agree/Disagree?
>
> Can you think of other stuff like that that might be worth installing?
>
> Tim



Not sure if I get a say here, but those all sound fine for a shell.

Blake Kelly
OpenPGP Public Key ID: FDAFFB51


Tim Dobson-2

Re: Re: Dogfish

Blake Kelly wrote:
> Not sure if I get a say here, but those all sound fine for a shell.

Any feedback is welcome :)



Isabell Long

Re: Dogfish

In reply to this post by Tim Dobson-2
On 18/07/2009, Tim Dobson <[hidden email]> wrote:

> To generate a SSH key using PuTTY on Windows:
>
> 0. Download and install the PuTTY suite of OpenSSH tools from
> http://www.chiark.greenend.org.uk/sgtatham/putty/download.html
> 1. Run “PUTTYGEN.EXE”
> 2. Select “SSH2 DSA” in the “Parameters” section
> 3. Click “Generate”
> 4. Move the mouse over the blank area of the program until puttygen has
> enough entropy
> 5. Click “Save private key” button and save the private key as
> “DfeyDogfish.ppk”
> 6. Copy the “Public key for pasting into OpenSSH authorized_keys2 file”
> data and email it to [hidden email]
>
> When I have your public key, I’ll copy it to your user’s
> /.ssh/authorized_keys on your machine, and you’ll then be able to log in
> over ssh as root from any Unix machine with your private key in
> /.ssh/id_dsa or on a Windows machine with a PuTTY ‘saved session’
> configured to use the Private Key that you saved.
>
> If you’re curious about all this, the PuTTY documentation at
> http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html is
> excellent, as is the http://www.openssh.org/ site.
>
> Also I recommend using OpenSSH for file transfer as well as remote
> login, instead of insecure legacy protocols like FTP.

Thanks a lot.  One question:  Should I create the key now on Windows,
or wait until I get Linux on my desktop again once in England?  That
is my choice, but what I mean is if I create the key now, will I be
able to use the same one on a different machine running Linux if I
create it in Windows on my laptop, or will I have to create another
one and confuse the issue?

--
Regards,
Isabell Long.  <[hidden email]>
[[User:Isabell121]] on all public Wikimedia projects.


Connor Smith

Re: Re: Dogfish

In reply to this post by Tim Dobson-2
On 18 Jul 2009, at 14:37, Tim Dobson <[hidden email]> wrote:

> I suggest adding the following shell programs:
>
> mc nano vim emacs irssi bitchx finch screen mutt talk talkd

Does anyone actually use bitchx? I was under the impression we all use  
irssi or xchat. Anyway, I'm happy with nano, irssi, and bash.  
Everything else is pretty irrelevant.

cls


Robert Leverington

Re: Dogfish

In reply to this post by Isabell Long
On 2009-07-18, Isabell Long wrote:
> Thanks a lot.  One question:  Should I create the key now on Windows,
> or wait until I get Linux on my desktop again once in England?  That
> is my choice, but what I mean is if I create the key now, will I be
> able to use the same one on a different machine running Linux if I
> create it in Windows on my laptop, or will I have to create another
> one and confuse the issue?

PuTTY SSH keys are easily convertible to the OpenSSH format so this
should not be an issue.

Robert


Robert Leverington

Re: Re: Dogfish

In reply to this post by Tim Dobson-2
On 2009-07-18, Tim Dobson wrote:
> I suggest adding the following shell programs:
>
> mc nano vim emacs irssi bitchx finch screen mutt talk talkd

These seem great, although I can't exactly see the utility of
talk/talkd.

Will install the first lot now though as there seems to be a consensus.

Robert


Isabell Long

Re: Dogfish

In reply to this post by Robert Leverington
On 18/07/2009, Robert Leverington <[hidden email]> wrote:

> On 2009-07-18, Isabell Long wrote:
>> Thanks a lot.  One question:  Should I create the key now on Windows,
>> or wait until I get Linux on my desktop again once in England?  That
>> is my choice, but what I mean is if I create the key now, will I be
>> able to use the same one on a different machine running Linux if I
>> create it in Windows on my laptop, or will I have to create another
>> one and confuse the issue?
>
> PuTTY SSH keys are easily convertible to the OpenSSH format so this
> should not be an issue.

That's good to know, thank you.

--
Regards,
Isabell Long.  <[hidden email]>
[[User:Isabell121]] on all public Wikimedia projects.


Robert Leverington

Re: Re: Dogfish

In reply to this post by Robert Leverington
On 2009-07-18, Robert Leverington wrote:
> On 2009-07-18, Tim Dobson wrote:
> > I suggest adding the following shell programs:
> >
> > mc nano vim emacs irssi bitchx finch screen mutt talk talkd
>
> Will install the first lot now though as there seems to be a consensus.

All installed except talk, talkd, and bitchx (the latter due to not
being in the repository).

Robert


Richard Thompson-2

Re: Re: Dogfish

2009/7/18 Robert Leverington <[hidden email]>
> On 2009-07-18, Robert Leverington wrote:
>> On 2009-07-18, Tim Dobson wrote:
>>> I suggest adding the following shell programs:
>>>
>>> mc nano vim emacs irssi bitchx finch screen mutt talk talkd
>>
>> Will install the first lot now though as there seems to be a consensus.
>
> All installed except talk, talkd, and bitchx (the latter due to not
> being in the repository).
>
> Robert


While I'm here, I wanted to see if we can push through securing ssh, as I think it would be a good idea.

--
Richard Thompson


Robert Leverington

Re: Re: Dogfish

On 2009-07-18, Richard Thompson wrote:
> While I'm here, I wanted to see if we can push through securing ssh, as I
> think it would be a good idea

On IRC the general consensus was restricting login to SSH keys, most
people have SSH keys configured so this shouldn't be an issue (and it
wouldn't be hard to help the last one or two people do it).  I think
this makes sense, what does everyone else think?

Robert


Tim Dobson-2

Re: Re: Dogfish

Robert Leverington wrote:
> On 2009-07-18, Richard Thompson wrote:
>> While I'm here, I wanted to see if we can push through securing ssh, as I
>> think it would be a good idea
>
> On IRC the general consensus was restricting login to SSH keys, most
> people have SSH keys configured so this shouldn't be an issue (and it
> wouldn't be hard to help the last one or two people do it).  I think
> this makes sense, what does everyone else think?

Sounds like a good plan to me.

Tim


Isabell Long

Re: Re: Dogfish

In reply to this post by Robert Leverington
On 18/07/2009, Robert Leverington <[hidden email]> wrote:
> On 2009-07-18, Richard Thompson wrote:
>> While I'm here, I wanted to see if we can push through securing ssh, as I
>> think it would be a good idea
>
> On IRC the general consensus was restricting login to SSH keys, most
> people have SSH keys configured so this shouldn't be an issue (and it
> wouldn't be hard to help the last one or two people do it).  I think
> this makes sense, what does everyone else think?

I think restricting login to SSH keys would be fine.  :)

--
Regards,
Isabell Long.  <[hidden email]>
[[User:Isabell121]] on all public Wikimedia projects.


Robert Leverington

Re: Re: Dogfish

In reply to this post by Robert Leverington
On 2009-07-18, Robert Leverington wrote:
> On IRC the general consensus was restricting login to SSH keys, most
> people have SSH keys configured so this shouldn't be an issue (and it
> wouldn't be hard to help the last one or two people do it).  I think
> this makes sense, what does everyone else think?

I will implement this once I've checked that everyone has SSH keys in
place.

Robert
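
The check Robert describes, sketched as an added example (not code from the thread): list the accounts that still have no key installed before password logins are switched off. The function names, the UID threshold of 1000 and the sample tree are assumptions.

```bash
#!/bin/sh
# Added example, not from the thread: find accounts that would be locked out
# if sshd stopped accepting passwords. Names and thresholds are assumptions.

# users_without_keys PASSWD_FILE [ROOT_PREFIX]
# Prints each account with a login shell (root, or UID >= 1000 as on Debian)
# whose ~/.ssh/authorized_keys is missing or contains no key line.
users_without_keys() {
    passwd_file=$1; prefix=${2:-}
    while IFS=: read -r name _ uid _ _ home shell; do
        case "$shell" in */nologin|*/false|'') continue ;; esac
        [ "$uid" -eq 0 ] || [ "$uid" -ge 1000 ] || continue
        grep -v '^#' "$prefix$home/.ssh/authorized_keys" 2>/dev/null |
            grep -Eq '(^|[ ,"])(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9]+) +[A-Za-z0-9+/=]+' ||
            printf '%s\n' "$name"
    done < "$passwd_file"
}

# Prints the sshd_config lines for key-only login, but only once every
# account has a key; otherwise names the accounts still missing one.
preflight() {
    missing=$(users_without_keys "$@")
    if [ -n "$missing" ]; then
        echo "keep password logins for now, no key for:" $missing >&2
        return 1
    fi
    # Older configs use the alias ChallengeResponseAuthentication for the last one.
    printf '%s\n' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
        'KbdInteractiveAuthentication no'
}

# Constructed sample tree: alice has a key (placeholder blob, not a real
# key), bob's file holds only a comment, carol has no ~/.ssh at all.
make_sample() {
    mkdir -p "$1/home/alice/.ssh" "$1/home/bob/.ssh" "$1/home/carol"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'carol:x:1002:1002::/home/carol:/bin/sh' \
        'www-data:x:33:33::/var/www:/usr/sbin/nologin' > "$1/passwd"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER alice@laptop' \
        > "$1/home/alice/.ssh/authorized_keys"
    echo '# key requested' > "$1/home/bob/.ssh/authorized_keys"
}

demo=$(mktemp -d) && make_sample "$demo"
users_without_keys "$demo/passwd" "$demo"    # lists bob and carol
rm -rf "$demo"
```

After editing sshd_config, validate it with `sshd -t` and keep an existing session open until a key-based login has been confirmed.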

