Verified Commit c53dbe8b authored by anarcat
rewrite OOB management interface documentation (team#41135)

parent 57070ca2
......@@ -21,58 +21,71 @@ This page documents the Quintex PoP.
## Out of band access
OOB access happens over a OpenVPN tunnel. Credentials are in the
password manager (`tor-passwords.git`, `hosts-extra-info`).
OOB access happens over the `dal-rescue-01` host, a [APU](howto/apu) server
hooked up to the main switch (`dal-sw-01`) and a special OOB
management switch that interconnects all the other OOB interfaces.
1. load the VPN endpoint URL in a web browser, using `https` as a
protocol
The host can be accessed over SSH normally by TPA members. From there,
there are various ways of accessing the other hosts' management
interfaces.
2. that will give you a HTTPS warning, verify the fingerprint matches
this SHA256 hash: `9E:E8:A7:D3:CE:C9:97:4C:60:1D:94:19:60:2A:A8:05:AE:F9:02:48:21:3F:54:2B:7B:04:4F:CB:EB:84:BF:F5`
### SSH jump host
3. login using the credentials from the password manager
4. download the `Yourself (user-locked profile)` profile, say as `client.ovpn`
The simplest way to access a server is by using `dal-rescue-01` as a
jump host and connecting to the management interface over SSH. For
example, this will connect to the management interface on
`dal-node-01`:
5. modify the configuration file to drop privileges, that assumes you
already have `NetworkManager` installed:
echo user nm-openvpn >> client.ovpn &&
echo group nm-openvpn >> client.ovpn
ssh -J dal-rescue-01.torproject.org ADMIN@172.30.141.101 -o HostKeyAlgorithms=+ssh-rsa -oMACs=+hmac-sha2-256
6. optional: don't accept upstream routes, as they replace the
default route, which might break your local networking, but
statically assign the route for the OOB network:
echo route-nopull >> client.ovpn
echo route 192.168.200.0 255.255.255.0 >> client.ovpn
Note the `-o HostKeyAlgorithms=+ssh-rsa -oMACs=+hmac-sha2-256`,
required for clients running later OpenSSH versions that have those
algorithms disabled.
6. start the tunnel, as root:
sudo openvpn client.ovpn
### HTTP over SSH (port forwarding)
This step will prompt you for a user and password, use the same as
the one used to login the HTTPS site.
The SSH management interface is limited and undocumented, it's better
to connect to the web interface as this also provides a graphical
console. For this, you can use port forwarding:
Alternatively, you can use the profile downloaded in step 4 in
NetworkManager directly. Starting from step 4:
ssh -L 8043:172.30.141.101:443 dal-rescue-01.torproject.org
5. open the Network Manager connection editor (e.g. in `nm-applet`:
right click the applet, pick `Edit Connections`)
The URL to connect to the management interface, in this case, would be
<https://localhost:8043/>.
6. click the `+` ("plus") sign at the bottom left
7. as a "Connection Type", pick `Import a saved VPN configuration...`
and click `Create`
### SSH SOCKS proxy
You can also use OpenSSH's SOCKS proxy support:
ssh -D9092 dal-rescue-01.torproject.org
And point your web browser to the SOCKS proxy on `localhost:9092` to
connect to the remote host with (say) <https://172.30.141.101/>. You
can have a conditional proxy configuration in Firefox by creating a
[PAC file](https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file), [for example](https://developer.mozilla.org/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file#example_4):
```
function FindProxyForURL(url, host) {
if (isInNet(host, "172.30.141.0", "255.255.255.0")) {
return "PROXY localhost:9092";
}
return "DIRECT";
}
```
Save that file in a known location (say
`~/.mozilla/tpa-gnt-dal-proxy.pac`). That file can be fed in the
"Automatic proxy configuration URL" with by setting that field to
(say) `file:///home/anarcat/.mozilla/tpa-gnt-dal-proxy.pac`.
### sshuttle VPN
8. select the file downloaded at step 4 above
Finally, [sshuttle](https://github.com/sshuttle/sshuttle) can also act as a proxy or ad-hoc VPN in a
similar way:
9. set the `user name` field and change the `Connection name` then
click `Save`
sshuttle -r dal-rescue-01.torproject.org 172.30.141.0/24
Then you have a configured VPN that you can select in your connections
like other connections (e.g. WiFi, wired, etc). When you select the
VPN, it will prompt you, again, for the same username and password.
... but requires more privileges.
## Remote console
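Review bot: the new SSH jump-host and port-forwarding text drops two things the old OpenVPN section carried, namely where the credentials live (`Credentials are in the password manager (tor-passwords.git, hosts-extra-info)`) and a fingerprint to verify on first connection, so a reader now has no stated place to find the `ADMIN` password for `172.30.141.101` and nothing to check the management interface's host key against; please restore a credential pointer and a host-key fingerprint (or say where to obtain one), and say whether `ADMIN` is a literal account name or a placeholder. Since `-o HostKeyAlgorithms=+ssh-rsa -oMACs=+hmac-sha2-256` re-enables the SHA-1-based RSA host-key signature scheme that newer OpenSSH disables by default, consider documenting it as a `Host 172.30.141.*` stanza in `~/.ssh/config` (with `ProxyJump dal-rescue-01.torproject.org`) so the weakening is scoped to those addresses instead of being retyped on each command line. The `https://localhost:8043/` and SOCKS examples will present a certificate whose name does not match the URL, so it is worth saying what the reader should verify at that warning rather than leaving click-through as the implied answer. Minor: the trailing fragment `... but requires more privileges.` after the sshuttle command should say which privileges are meant (sshuttle needs local root to install its redirect rules).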
......@@ -265,7 +278,7 @@ the iPXE environment is like this:
* net1: public network
* not detected: extra Intel gigabit network
First, connect to the VPN to access the OOB management (see above).
First, connect to the OOB management interface (see above).
Make sure the BIOS clock is up to date.
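Review bot: `First, connect to the OOB management interface (see above).` is now ambiguous, because the section above describes four different access paths (SSH jump host, HTTP over SSH port forwarding, SOCKS proxy, sshuttle); since the steps that follow are about the iPXE boot environment and BIOS clock, state which of those paths this step expects (presumably one that reaches the web interface and its graphical console) and link the specific subsection instead of "see above".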