Differences between revisions 10 and 11
Revision 10 as of 2010-04-22 10:58:28
Size: 2502
Editor: zobel
Comment:
Revision 11 as of 2010-04-22 11:05:07
Size: 2691
Editor: zobel
Comment:
Line 11: Line 11:
The machine people.debian.org (currently ravel.debian.org) runs a SSH server on port 443 (usually the "https" port). If your firewall gives you access to this port (or if a proxy does it for you), then you can connect to your account. If you plan to use this access to connect to other Debian hosts, please don't run an ssh-agent on gluck and don't put your private SSH keys over there. Instead you're strongly advised to customize your ~/.ssh/config file and create special entries to connect to other Debian machines. The machine people.debian.org (currently ravel.debian.org) runs a SSH server on port 443 (usually the "https" port). If your firewall gives you access to this port (or if a proxy does it for you), then you can connect to your account. If you plan to use this access to connect to other Debian hosts, please don't run an ssh-agent on ravel and don't put your private SSH keys over there. Instead you're strongly advised to customize your ~/.ssh/config file and create special entries to connect to other Debian machines.
Line 15: Line 15:
With the sample config below, you can do "ssh master.overgluck" to connect to master.debian.org via gluck's SSH server running on port 443. With the sample config below, you can do "ssh master.overravel" to connect to master.debian.org via ravel's SSH server running on port 443.
Line 18: Line 18:
Host gluck.debian.org people.debian.org gluck Host ravel.debian.org people.debian.org ravel
Line 25: Line 25:
Host *.overgluck Host *.overravel
Line 28: Line 28:
    ProxyCommand ssh -q -a -x gluck.debian.org 'nc -q2 -w1 $(basename %h .overgluck) 22'     ProxyCommand ssh -q -a -x ravel.debian.org 'nc -q2 -w1 $(basename %h .overravel) 22'
Line 33: Line 33:
Note: Make sure that no netcat (nc) processes will be left on gluck. The '-q2' parameter should avoid this but having a close look that everything works as expected keeps gluck admins happy. Note: Make sure that no netcat (nc) processes will be left on ravel. The '-q2' parameter should avoid this but having a close look that everything works as expected keeps ravel admins happy.
Line 40: Line 40:
Host gluck.debian.org people.debian.org gluck
    ProxyCommand connect-proxy -H <proxy>:<port> gluck.debian.org 443
Host ravel.debian.org people.debian.org ravel
    ProxyCommand connect-proxy -H <proxy>:<port> ravel.debian.org 443
Line 45: Line 45:
Host *.overgluck
    ProxyCommand ssh -q -a -x gluck.debian.org 'nc -w1 $(basename %h .overgluck) 22'
Host *.overravel
    ProxyCommand ssh -q -a -x ravel.debian.org 'nc -w1 $(basename %h .overravel) 22'
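Review bot: The proxy variant of the *.overravel entry at Line 45 calls 'nc -w1' without the '-q2' that the direct-access entry at Line 28 passes, although the note at Line 33 names '-q2' as the parameter that keeps stray nc processes off ravel. Suggest 'nc -q2 -w1' here as well, or a sentence explaining why it is omitted when going through a proxy.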
Line 55: Line 55:
Just randomize your password using the [[http://db.debian.org/password.html|lost password procedure]] and
throw away the email that you get.
There is no need to disable password-based access, as password based access was disabled as announced in [[http://lists.debian.org/debian-devel-announce/2009/07/msg00000.html|this D-D-A]].
Just randomize your password using the [[http://db.debian.org/password.html|lost password procedure]] and throw away the email that you get.
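Review bot: The sentence added at Line 55 spells the term both "password-based access" and "password based access" and repeats it within one clause; suggest "There is no need to disable password-based access: it was already disabled, as announced in ...". The retained sentence about randomizing the password would also read better with a short clause saying what it is for now that password logins are off.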

Resources for Debian developers

How can I protect my @debian.org address from spam?

Please read http://lists.debian.org/debian-devel-announce/2006/12/msg00010.html and http://lists.debian.org/debian-devel-announce/2006/12/msg00011.html

Is there a way to connect to Debian servers if the SSH port is firewalled?

The machine people.debian.org (currently ravel.debian.org) runs an SSH server on port 443 (usually the "https" port). If your firewall gives you access to this port (or if a proxy does it for you), then you can connect to your account. If you plan to use this access to connect to other Debian hosts, please don't run an ssh-agent on ravel and don't put your private SSH keys there. Instead, you are strongly advised to customize your ~/.ssh/config file and create special entries to connect to other Debian machines.

Direct access to external machines via port 443 allowed

With the sample config below, you can do "ssh master.overravel" to connect to master.debian.org via ravel's SSH server running on port 443.

Host ravel.debian.org people.debian.org ravel
    Port 443
    ForwardAgent no
    ForwardX11 no
    User <your_debian_login>
    IdentityFile <path to your private SSH key>

Host *.overravel
    User <your_debian_login>
    IdentityFile <path to your private SSH key>
    ProxyCommand ssh -q -a -x ravel.debian.org 'nc -q2 -w1 $(basename %h .overravel) 22'
    ForwardAgent no
    ForwardX11 no

Note: Make sure that no netcat (nc) processes are left running on ravel. The '-q2' parameter should prevent this, but checking that everything works as expected keeps the ravel admins happy.

Direct access forbidden, going through a proxy

If you have to go through an https proxy, you can install the connect-proxy package and use something like this in your ~/.ssh/config:

Host ravel.debian.org people.debian.org ravel
    ProxyCommand connect-proxy -H <proxy>:<port> ravel.debian.org 443
    ForwardAgent no
    ForwardX11 no

Host *.overravel
    ProxyCommand ssh -q -a -x ravel.debian.org 'nc -w1 $(basename %h .overravel) 22'
    ForwardAgent no
    ForwardX11 no

(Reference: RT ticket #69)
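
The configurations above keep agent and X11 forwarding off on both the jump-host entry and the hop command. The following check is an added example, not part of the original page or of any Debian tooling; the function names and the "explicitly 'no'" policy are assumptions of this sketch, and the weakened sample entry is constructed.

```python
import itertools
import re
import shlex

# Constructed sample: a weakened variant of the page's *.overravel entry
# (agent forwarding on, ForwardX11 unset, -a/-x dropped from the hop).
WEAK = """\
Host *.overravel
    ProxyCommand ssh -q ravel.debian.org 'nc -q2 -w1 $(basename %h .overravel) 22'
    ForwardAgent yes
"""

def parse_blocks(text):
    """Return [(host_patterns, {lowercased keyword: value})] per Host block."""
    blocks = []
    for raw in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=?\s*(.*\S)", raw)  # skips blanks and comments
        if m and m.group(1).lower() == "host":
            blocks.append((m.group(2), {}))
        elif m and blocks:
            # Within a block, ssh keeps the first value it sees for a keyword.
            blocks[-1][1].setdefault(m.group(1).lower(), m.group(2))
    return blocks

def hop_flags(proxy_command):
    """Letters of the leading dash words of an ssh ProxyCommand, else None.

    Simplification: every leading dash word is read as single-letter flags.
    """
    argv = shlex.split(proxy_command)
    if not argv or argv[0] != "ssh":
        return None
    leading = itertools.takewhile(lambda tok: tok.startswith("-"), argv[1:])
    return set("".join(leading).replace("-", ""))

def audit(text):
    """Return (host_patterns, problem) pairs; an empty list means no findings."""
    findings = []
    for hosts, opts in parse_blocks(text):
        for key in ("forwardagent", "forwardx11"):
            if opts.get(key, "").lower() != "no":
                findings.append((hosts, f"{key} is not explicitly 'no'"))
        flags = hop_flags(opts.get("proxycommand", ""))
        for flag in ("ax" if flags is not None else ""):
            if flag not in flags:
                findings.append((hosts, f"ProxyCommand ssh lacks -{flag}"))
    return findings

if __name__ == "__main__":
    for hosts, problem in audit(WEAK):
        print(f"{hosts}: {problem}")
```

Running audit() over the sample configurations from this page returns no findings; a ProxyCommand that does not start with ssh, such as the connect-proxy line, is skipped by the -a/-x check.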

How do I disable password-based SSH access?

There is no need to disable password-based access: password-based access was disabled, as announced in this D-D-A (http://lists.debian.org/debian-devel-announce/2009/07/msg00000.html). Just randomize your password using the lost password procedure (http://db.debian.org/password.html) and throw away the email that you get.