Network Admin

Lab Network and IT

For network or account troubleshooting, go to Troubleshooting. For more detailed documentation about the lab network architecture, see the Network Architecture page.

Table of Contents

The following sections are instructions for managing computer and network issues in the lab. They are organized roughly in descending order of how frequently the tasks are needed.

1. Adding a new user account

2. Setting up a user's VPN credentials

3. Revoking VPN keys

4. Connecting by SSH to finch

5. Generate SSH Keys

6. Adding a SSH key to a host's authorized keys

7. Set up a new workstation

8. Physically accessing the servers

• (Temporary) Upgrading a workstation from Ubuntu 16.04 to 20.04

1 Adding a new user account

New users are added by modifying the ldap entries on our ldap server finch as ubuntu (super user).

1. Connect to finch

   ssh ubuntu@finch

2. Create the user account

   Run the following command, replacing NEWUSER with the desired username.

   sudo ldapadduser NEWUSER theunissen

3. Modify the user ldap entry

   sudo ldapmodifyuser newuser
       changetype: modify
       replace: homeDirectory
       homeDirectory: /auto/zdrive/NEWUSER
   

   This sets the correct path for the user's home directory, remember to replace NEWUSER with the username set in step 2.

4. Set the user's password

   Still as ubuntu user on finch, run the command and create a new password.

   sudo ldapsetpasswd newuser

5. Make the user's directory on zdrive cd /auto/zdrive sudo mkdir USERNAME sudo chown USERNAME:theunissen USERNAME

6. Login from one of the desktops to see if it all works. You will also want to check that .bashrc file from one of the older users (e.g. /auto/fhome/fet/.bashrc) and take what you like from there and edit to make it your own.

7. If this user would like to use the compute node on condor or osprey then set up user accounts on those machines, with the same

2 Setting up a user's VPN credentials

1. Connect to finch

   ssh finch -l ubuntu

2. Go to the easy-rsa directory and run the makeuser script

   cd easy-rsa
   ./makeuser KEYNAME
   

   This generates a new private key and certificate for a new VPN user under the name KEYNAME. For convenience, KEYNAME can be the user's normal username they use to log into the lab computers, but it doesn't need to be. (In fact, you can generate multiple VPN keys for someone to use. This can be important if a key ever needs to be revoked (see below)).

   The script will first ask you for passwords for the VPN user as well as a password to encrypt the new user's private key with. The final password prompt is for you, dear reader, to unlock finch's private key with a "secure openvpn password" that is used to sign the new user's certificate.

3. Copy the keys to your local computer

   The keys are created on finch at /home/ubuntu/keys/KEYNAME_keys.tar.gz. Copy these from finch to your local computer (e.g. over ssh):

   # From your own computer
   scp ubuntu@finch:/home/ubuntu/keys/KEYNAME_keys.tar.gz .
   

4. Send the keys to the user

   The user will use these keys as well as their two passwords (VPN password and private key password) to connect to the VPN. (link to instructions).

3 Revoking VPN keys

If someone's laptop or device used to connect to the VPN is lost, stolen, or hacked, any VPN keys on that device should be revoked, and new ones generated. Lists of revoked keys appear on finch in the file ~/easy-rsa/pki/index.txt. Do not edit this file yourself unless you know what you are doing.

To revoke a key

1. Connect to finch

   ssh finch -l ubuntu

2. Go to the easy-rsa directory and run the revoke command

   cd easy-rsa
   ./easyrsa revoke KEYNAME
   

   Here, KEYNAME should correspond to the KEYNAME used above when generating the keys in the first place.

3. Verify the keys have been revoked

   Use the command cat ~/easy-rsa/pki/index.txt to verify that the key you have revoked is marked as revoked (R).

4 Connecting by SSH to finch

Finch is in charge of authentication on our lab computers and network. This is where you'll most likely want to be debugging if things are going wrong.

A SSH connection to finch requires the client's public key added to finch's authorized keys. (TODO: add a separate instructions on how to do this). Connect to finch as user ubuntu, e.g. ssh ubuntu@finch.

5 Generate SSH Keys

1. On the computer you will be connecting from (e.g. your laptop, lab workstation), create a new set of ssh keys with ssh-keygen -t ed25519 -C "[email protected]".

2. You will be prompted to enter a file to save the key. By default it will be something like ~/.ssh/id_ed25519, but you can name it something else (if you want to have multiple SSH credentials, for example).

3. When prompted, secure your SSH keys with a password.

4. This will have created a priavte key at ~/.ssh/id_ed25519 and a public key at ~/.ssh/id_ed25519.pub. The private key should never be shared or leave your computer. If the private key is exposed, anyone with it can connect as you. The public key, however, can be freely shared with any server or service that you would like to be able to verify your identity.

5. (Optional) If you add your key to the ssh agent, you won't need to enter your key's password every time you use it. On ubuntu you can do this with ssh-add ~/.ssh/id_ed25519 (replace with the name of the key you generated in the previous steps).

6 Adding a SSH key to a host's authorized keys

6. If you add your key to the host's "authorized keys", you can connect without entering your password for that server every time. Some hosts will not allow any SSH connections that are not explicitly included in their authorized keys. To do this, connect to the host and open the file ~/.ssh/authorized_keys. Copy your public key, not your private key, and paste it in a new line in the authorized keys file.

7 Set up a new workstation

Do this when you build/buy a new computer and want to connect it to the lab network. This will give you access to the features of our lab network, such as login with your lab account and auto-mount of shared data drives. These instructions apply to Ubuntu only - for Mac and/or Windows, you will need to solve (and document) the setup yourself, or simply use the VPN.

1. Install Ubuntu; our workstations are all on 16.04 as of Nov 2020, but should be upgraded to 20.04 in the near future.

2. Assign a desired hostname

3. Plug the computer into an ethernet port on our internal network (LKS)

4. Copy the script activate-netlogin.sh (found here or on finch at /home/ubuntu/activate-netlogin.sh) and run it with default responses

5. Set up SSH: sudo apt-get install ssh and start it with sudo service sshd start

6. Edit the lighdm config: Write the following to the file /etc/lightdm/lightdm.conf.d/50-manual-login.conf

   [Seat:*]
   greeter-show-manual-login=true
   allow-guest=false
   

7. Install vital software: ssh, screen, htop, git

8 Physically accessing the servers

finch is located in aisle 8, LKS 275. All other servers are on the lab rack in the internal corridor (LKS Hall) of LKS275.

To connect to the NAS software on them, you will need to connect by direct ethernet connection (note that normally you can connect to the zdrive Synology Assistant on the lab VPN by connecting to https://zdrive.fet.berkeley.edu:5001, and don't need to be there in person).