The new gitlab host is now reachable both through the default ssh port 22 and through port 4022, which we were using for setup.
I had to use nft commands to add it to the inputRules chain, where apparently it had to be. Using iptables commands did not work (I guess it put the rule on the wrong chain). So I think the iptables front-end is there for the benefit of docker, and we can (and probably should) still use nft commands for doing manual admin.
Dave Cooper
---- On Thu, 26 Dec 2024 22:28:20 -0500 Jon Boone <ipmonger@delamancha.org> wrote ---
I seem to have been blocked due to too many failed authentication attempts. I have access to legacy ssh key (I verified I can use it to log in to the legacy host), so please re-enable my ability to ssh in and I think that will be a good place to pick up again tomorrow.
—jon
On Thu, Dec 26, 2024 at 9:33 PM David Cooper <david.cooper@genworks.com> wrote:
Hi Jon,
Your `jboone` account is created on gitlab.common-lisp.net, accessible through port 4022.
I put two public keys in your authorized_keys, the one you sent below, plus one which was in your .ssh/authorized_keys on the legacy host.
The task at hand is to switch sshd to 22, make sure that is allowed through the firewall for ipv4 and ipv6, and most of all, not get us locked out of the machine! The firewall is nftables with an iptables frontend, and fail2ban is installed but stopped at the moment.
I'm going to be offline for an hour or two and I'll check in once before bed (I'm in the Eastern time zone).
Dave Cooper
---- On Thu, 26 Dec 2024 21:15:38 -0500 David Cooper <david.cooper@genworks.com> wrote ---
Hi Jon,
OK, I'll make you an account on the new host with sudo. Give me a few minutes.
Dave Cooper
---- On Thu, 26 Dec 2024 21:12:40 -0500 Jon Boone <ipmonger@delamancha.org> wrote ---
David,
I can try to assist you if you want to continue working on this tonight or tomorrow. Here's my public key for user jboone@gitlab.common-lisp.net
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqwjwchMCU4S9OrgbkbJuZh7i6ObH31LO0poUaCd4h6
but I don't think I have an ssh login setup.
—jon
On Thu, Dec 26, 2024 at 8:25 PM David Cooper <david.cooper@genworks.com> wrote:
Dear Raymond (and all concerned),
I'm having trouble switching the sshd service back to port 22, and I have to give up on it for a little while.
If anyone is available to help with this let me know.
In the meantime the sshd is on port 4022 and your .ssh/config will need to be configured accordingly. Here is mine, for example:
```
Host future future.common-lisp.net gitlab.common-lisp.net git.common-lisp.net gitlab-future.common-lisp.net
    Hostname gitlab.common-lisp.net
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed_github
    User dcooper
    Port 4022
    PubkeyAcceptedKeyTypes=ssh-ed25519
```
What I tried on the server:
1. Added ACCEPT rule to the firewall (nftables with iptables frontend) for port 22.
2. Edited /etc/ssh/sshd_config.d/local.conf and changed Port to 22
3. Confirmed with `sudo netstat -tulpn | grep 22` that sshd was listening on port 22
4. Updated my home .ssh/config to comment out the Port 4022
5. Tried ssh from home - did not work (timed out).
For fear of locking myself out of the server, I set it back to 4022 for now, confirmed I could log in, then rebooted the machine to make sure the firewall and fail2ban are active again.
Dave Cooper
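Added example, not code from anyone in this thread: a small Python pre-flight check for the lock-out that steps 1-5 above ran into and for the inputRules finding in the latest reply at the top of the thread. Fed the text of `sudo nft list ruleset`, it reports whether a TCP port is accepted by every base chain hooked on `input` for IPv4 and IPv6, and emits the `nft insert rule` commands for any chain that still blocks it. The point it demonstrates is that a packet has to get past every base chain on the hook: an ACCEPT that the iptables front-end placed in `ip filter INPUT` does nothing while the host's own `inet` table still drops the port in `inputRules`. The ruleset below is constructed to mirror that situation, and the table and chain names in it are assumptions. It goes slightly beyond the thread by handling port sets and ranges; rules other than `tcp dport ... accept|drop|reject` are treated as not matching a fresh inbound connection, and jumps are not followed.

```python
"""Pre-flight check: is a TCP port allowed through every nftables base chain on the input hook?

Added example with a constructed ruleset; in practice feed it `sudo nft list ruleset` output.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Which address families each nft table family filters.
FAMILY_COVERS = {"inet": {"ipv4", "ipv6"}, "ip": {"ipv4"}, "ip6": {"ipv6"}}

# Constructed ruleset (names assumed): the host's own inet table only opens 4022 in
# inputRules, while a rule added through the iptables front-end landed in "ip filter INPUT".
SAMPLE_RULESET = """
table inet filter {
	chain inputRules {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ct state established,related accept
		tcp dport 4022 accept
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy accept;
		tcp dport 22 accept
	}
}
"""


@dataclass
class Chain:
    family: str
    table: str
    name: str
    hook: str = ""            # "input" for a base chain on the input hook, "" for a regular chain
    policy: str = "accept"    # nft's default when no policy is stated
    rules: List[str] = field(default_factory=list)


def parse_ruleset(text: str) -> List[Chain]:
    """Minimal parser for `nft list ruleset` text: tables, chains, hook/policy lines, rules."""
    chains: List[Chain] = []
    family = table = ""
    chain: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            chain = None          # closes the open chain (or a table if no chain is open)
            continue
        m = re.match(r"table (\w+) (\S+) \{", line)
        if m:
            family, table = m.group(1), m.group(2)
            continue
        m = re.match(r"chain (\S+) \{", line)
        if m:
            chain = Chain(family, table, m.group(1))
            chains.append(chain)
            continue
        if chain is None:
            continue
        m = re.match(r"type \w+ hook (\w+) priority [^;]+;(?: policy (\w+);)?", line)
        if m:
            chain.hook = m.group(1)
            chain.policy = m.group(2) or chain.policy
            continue
        chain.rules.append(line)
    return chains


PORT_RULE = re.compile(r"^tcp dport (\{[^}]*\}|\d+(?:-\d+)?)\s+(accept|drop|reject)\b")


def _ports(spec: str) -> set:
    """Expand '22', '1000-1002' or '{ 22, 4022 }' into a set of port numbers."""
    out = set()
    for item in re.findall(r"\d+(?:-\d+)?", spec):
        lo, _, hi = item.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def rule_verdict(rule: str, port: int) -> Optional[str]:
    """Verdict of one rule for a new TCP connection to `port`, or None if it does not match.
    Only `tcp dport ... accept|drop|reject` is modelled; lo, ct state and jump rules are
    assumed not to match a fresh inbound SYN from the network."""
    m = PORT_RULE.match(rule)
    if not m or port not in _ports(m.group(1)):
        return None
    return m.group(2)


def chain_verdict(chain: Chain, port: int) -> str:
    for rule in chain.rules:
        verdict = rule_verdict(rule, port)
        if verdict:
            return verdict
    return chain.policy


def port_reachable(chains: List[Chain], port: int) -> Tuple[Dict[str, bool], List[Tuple[str, Chain]]]:
    """Per address family: True only if every base chain on the input hook accepts `port`.
    A drop/reject in any one of them is final, so an accept in another table cannot help."""
    result: Dict[str, bool] = {}
    blockers: List[Tuple[str, Chain]] = []
    for af in ("ipv4", "ipv6"):
        result[af] = True
        for ch in chains:
            if ch.hook != "input" or af not in FAMILY_COVERS.get(ch.family, set()):
                continue
            if chain_verdict(ch, port) != "accept":
                result[af] = False
                blockers.append((af, ch))
    return result, blockers


def fix_commands(chains: List[Chain], port: int) -> List[str]:
    """nft commands that open `port` in each blocking chain (insert puts it ahead of any drop)."""
    cmds: List[str] = []
    for _, ch in port_reachable(chains, port)[1]:
        cmd = f"nft insert rule {ch.family} {ch.table} {ch.name} tcp dport {port} accept"
        if cmd not in cmds:
            cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    chains = parse_ruleset(SAMPLE_RULESET)
    for p in (22, 4022):
        print(p, port_reachable(chains, p)[0])
    print(fix_commands(chains, 22))
```

Run it before touching sshd_config: on the constructed ruleset it reports 4022 open on both families and 22 blocked on both, and the only command it proposes targets `inet filter inputRules`, which is where the accept had to go. Adding the port to a set such as `tcp dport { 22, 4022 } accept` keeps the old port usable until the new one is confirmed from outside.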
---- On Thu, 26 Dec 2024 19:48:45 -0500 David Cooper <david.cooper@genworks.com> wrote ---
Hi again Raymond,
Sorry for your frustrations, and this next one is on us for sure: as a security measure, we had updated the ssh port from the standard port 22 to the arbitrary 4022. I'm changing it back to standard 22 now.
And as you have both a shell login account and a GitLab account, you probably have to add your ed25519 public key both in the .ssh/ directory and .ssh/authorized_keys file, as well as pasting it into your GitLab profile through the GitLab web UI (after you can access that), to enable both shell login and git push/pull. Presumably you already have your ed25519 public key pasted into GitLab, but you can confirm that as soon as you can access the website.
As an example, here is my .ssh/config for the new host:
```
Host future future.common-lisp.net gitlab.common-lisp.net git.common-lisp.net gitlab-future.common-lisp.net
    Hostname gitlab.common-lisp.net
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_ed_github
    User dcooper
    PubkeyAcceptedKeyTypes=ssh-ed25519
```
Please wait a few minutes while I change the port back to the standard 22.
Dave Cooper
---- On Thu, 26 Dec 2024 18:34:32 -0500 Raymond Toy <toy.raymond@gmail.com> wrote ---
On Thu, Dec 26, 2024 at 3:19 PM David Cooper <david.cooper@genworks.com> wrote:
Dave Cooper
---- On Thu, 26 Dec 2024 17:41:05 -0500 <toy.raymond@gmail.com> wrote ----
Can you ssh to gitlab.common-lisp.net?
It might not accept older rsa keys, i.e. you might need to generate new stronger e.g. ed25519 keys (I'm not gonna go snooping around your .ssh directory unless I need to). If so, send me your new public key and I'll add it to your .ssh/authorized_keys on the new host.
Hmm. I can't ssh to gitlab.common-lisp.net. I don't think I've ever tried that before. I still have my old rsa key, but I also switched to ed25519 keys quite a while ago and that's what I use for ssh now.
On Thu, Dec 26, 2024 at 12:53 PM David Cooper <david.cooper@genworks.com> wrote:
Note that the DNS for gitlab.common-lisp.net switched over to a new IP address (a new Hetzner host) Christmas eve.
What is the correct IP address? Clearing the OS and browser DNS cache didn't seem to make a difference. I can ping gitlab.common-lisp.net just fine:
```
64 bytes from future.common-lisp.net (65.108.13.229)
```
So you may need to clear your DNS caches (browsers and OS).
The toplevel common-lisp.net still resolves to the old host for now, so ssh'ing there will get you to the legacy host. But the plan is to move that to the new host in due course as well. I assume you'll need a shell login for the new host? The new host is reachable via future.common-lisp.net or gitlab.common-lisp.net, and I believe your shell login account has been replicated on the new host already.
Yes, I'd like a shell login. I still need to access it to upload cmucl release tarballs and such.
Thanks for your help. I think I should reboot my modem and wifi once again. I think that's the only way to clear the DNS cache on my wifi router connected to my cable modem.
Dave Cooper
P.S. these mailing lists are still going through the legacy host.
---- On Thu, 26 Dec 2024 13:45:50 -0500 <toy.raymond@gmail.com> wrote ----
On Thu, Dec 26, 2024 at 8:54 AM Jon Boone <ipmonger@delamancha.org> wrote:
I have no problems reaching it via Safari (Version 18.2 (20620.1.16.11.8)) or Chrome (Version 131.0.6778.205 (Official Build) (arm64)) on macOS 15.2 (24C101) as of 2024-12-26 11:55 EST.
Ok, it must be me. I can't reach it on any of my computers, even after rebooting my modem and wifi point. But I can over cellular with my phone. But every other site I try works fine over my home wifi. I can even ssh into common-lisp.net.
Not sure what's going on. I didn't update anything or add a proxy or anything like that.
—jon
On Thu, Dec 26, 2024 at 11:26 AM Raymond Toy <toy.raymond@gmail.com> wrote:
On 12/25/24 12:28 PM, Georgiy Tugai wrote:
I believe that the links should be working again now.
FWIW, I can't reach gitlab.common-lisp.net at all. Firefox says it's unable to connect. Chrome says it can't be reached. I think this started a couple of days ago, maybe?
Regards,
Georgiy
On 25/12/2024 21:02, Robert Goldman wrote:
I was trying to follow a link from the projects hub, https://common-lisp.net/phub for usocket, and got a 404.
I've tried clicking some other links and they all 404 also, so maybe there's some rewrite or redirect logic that's busted?
Happy Holidays, R