Remote Maintenance via SSH

This is one of the ways we can help you with MoinMoin; for more options, see the main support page.

If you run a Linux (or other POSIX OS) machine that is reachable by ssh via the internet, using ssh is often the fastest way for us to help.

Trust SSH (and the supporter)

SSH is a very secure method for remote maintenance. If you trust us enough to let us onto your server temporarily, you don't need to be concerned: all communication via SSH is encrypted, and you can easily remove our access again as soon as we are finished.

As we are the good guys (tm), we, of course, won't do anything unrelated to the support task on your server.

In case we see any of your data (we won't look except if needed for the support task), we will treat it confidentially.

If you have the software "GNU screen" installed, we invite you to watch us working on your server. Read an introduction to screen or the short notes about it below. Please note: you still need to trust the supporter, even if you watch him working while he uses "screen". He could still do things you do not see, before, in parallel to, or after working within the shared screen session.

Giving the supporter SSH access via public key

Giving out root passwords or creating temporary accounts (with sudo privileges) can be problematic (e.g. you forget to change / remove them later).

As we don't want you to compromise your server security in any way, we suggest a less problematic way to give the supporter access: by installing the public key of the supporter (usually you will get it via email).

This public key is just a text file (e.g. id_rsa.pub) and its contents look like this:

ssh-rsa AAAAB3Nza...(some random looking characters deleted)...eqEw== supporter@example.org

To let the supporter log into your server's root account (without having to give him the root password), you just do:

ssh-copy-id -i id_rsa.pub root@yourserver
#              ^^^^^^^^^^ this must be the path/filename of the
#                         public key file you got from the supporter

ssh-copy-id will then copy that public key into /root/.ssh/authorized_keys on your server (and also do some sanity checks). That file is also a text file; it lists the public keys of everyone who is authorized to log in as root via their ssh key.

(!) Only the owner of the matching secret ssh key will get access (and that secret key is usually protected by a passphrase to avoid problems in case someone else gets in possession of that secret key - without the correct passphrase, the secret key file is useless).

Optional: Watching the supporter

Local Server Admin/Owner:

# log into your server:
ssh root@yourserver

# then, after you logged in:
screen

# you usually have to press space or enter to make the screen intro message go away
# if it doesn't work, you may not have "screen" installed. use your package management
# system to install it (Debian/Ubuntu: apt-get install screen)

Supporter:

# he logs into your server:
ssh root@yourserver

# then, after he logged in, he enters:
screen -rx

Supporter and local server admin/owner are now on the same screen and see each other typing!

Using the "w" command now shows who is logged in:

w root
# this outputs something like:
# root pts/1    p57b433b8.dip0.t 18:00    0.00s  0.06s  0.00s w
#               ^^^^^^^^^^^^^^^^ this is the address the login comes from
# Note: this is only an example, the real address will likely be different.

/!\ The supporter should briefly tell you which line from the "w" output belongs to him.

When the supporter is finished, he will:

You can verify that the supporter logged out by using the "w root" command again. The line identifying the root login of the supporter should be gone.

Removing supporter's SSH access

After the supporter has finished his job and logged out, you should remove his access again (or at least not keep it open for him forever).

If you are not already logged into your server as root, do it now.

Edit the file /root/.ssh/authorized_keys and just carefully delete the one line with the public key of the supporter and save.

(!) If (and only if) you don't have any other public keys installed in there, you could also remove the complete file.

After this, the supporter cannot log in using his ssh key any more.
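
One way to script the removal step above, as an added example that is not part of the original page: the function names remove_supporter_key and demo, their arguments and the placeholder key strings are made up for illustration. It finds the supporter's line by the base64 key blob from the .pub file he sent, so the line is matched even if it carries options or a different comment.

```shell
# Added example: remove one supporter key from an authorized_keys file.
remove_supporter_key() {
    pubfile=$1                                  # public key file you got from the supporter
    authfile=${2:-/root/.ssh/authorized_keys}   # file to clean up
    [ -r "$pubfile" ] && [ -w "$authfile" ] || { echo "cannot access input files" >&2; return 2; }

    # The second field of a .pub file is the base64 key blob; it identifies
    # the key regardless of the comment or any options in authorized_keys.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pubfile")
    [ -n "$blob" ] || { echo "no key found in $pubfile" >&2; return 2; }

    # Count the lines that carry this blob as a whole field.
    hits=$(awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) { n++; break } } END { print n + 0 }' "$authfile")
    [ "$hits" -gt 0 ] || { echo "key not present in $authfile" >&2; return 1; }

    # Keep a backup, then replace the file with a filtered copy.
    # mktemp creates the temporary file with mode 0600.
    cp -p "$authfile" "$authfile.bak" || return 2
    tmp=$(mktemp "$authfile.XXXXXX") || return 2
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' "$authfile" > "$tmp" &&
        mv "$tmp" "$authfile" || { rm -f "$tmp"; return 2; }
    echo "removed $hits line(s) from $authfile"
}

# Constructed demo in a temporary directory: placeholder strings, not real keys.
demo() {
    d=$(mktemp -d) || return 2
    echo 'ssh-rsa AAAAB3constructedSUPPORTERblob== supporter@example.org' > "$d/supporter.pub"
    {
        echo 'ssh-rsa AAAAB3constructedADMINblob== admin@example.org'
        echo 'from="192.0.2.10" ssh-rsa AAAAB3constructedSUPPORTERblob== temporary support'
    } > "$d/authorized_keys"
    remove_supporter_key "$d/supporter.pub" "$d/authorized_keys" >/dev/null || return 1
    cat "$d/authorized_keys"      # only the admin line is left
    rm -rf "$d"
}
```

Removing the key does not end a session that is still open, so still check with "w root" that the supporter has logged out.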

SSH tunnelling

Aside from doing remote maintenance via ssh (like typing in shell commands), ssh can also be used to create a tunnel, e.g. to access a web server running on your server (e.g. to test if your MoinMoin installation works, to reproduce some problem with it, etc.).

To do this, the supporter could use a command like:

ssh -L 8000:localhost:80 root@yourserver

After this, he can point his browser to http://localhost:8000/ and the browser access will tunnel through the ssh connection to your webserver and come out at localhost:80 on your server.

MoinMoin: Support/ViaSSH (last edited 2009-04-27 17:01:00 by ThomasWaldmann)