To get access to your pdu/port, you need to provide Koumbit with at least one static ip from which you wish to initiate the ssh connection. This is because we only enable certain IPs to access this device to minimize bruteforce and other nasty traffic.

Console interface

American Power Conversion               Web/SNMP Management Card AOS     v2.0.1
(c) Copyright 1999 All Rights Reserved  MasterSwitch APP                 v2.0.1
-------------------------------------------------------------------------------
Name      : pdu0-canix2.koumbit.net     Date    : 07/03/2007
Contact   : support@koumbit.org         Time    : 16:36:20
Location  : Canix2                      Up Time : 0 Days 0 Hours 0 Minutes
Status    : P+ N+ A+                    User    : Administrator

MasterSwitch : Serial Communication Established

------- Control Console -------------------------------------------------------

     1- Device Manager
     2- Network
     3- System
     4- Logout

     ?- Help, <ESC>- Refresh Main Menu, <ENTER>- Refresh

Rebooting a server

Exemple sur pdu1

  1. Log in (ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 <user>@pdu1.koumbit.net)

  2. 1<ENTER> (device manager)

  3. N<ENTER>` (choose device, where N is the device number)

  4. 1<ENTER> (control outlet)

  5. 3<ENTER> (immediate reboot)

[...] remaining of documentation missing because I do not want to reboot a server just for this... you get the idea.

Firewalled access

The management device in the PDUs is quite the puny computer. It is not able to withstand the usual bruteforce that an ssh server will receive from the Internet: devices used to crash all the time because of that load.

Because of this -- and also because we want to reduce the attack surface, since PDUs are a critical point in the infrastructure -- only a handful of hosts external to our datacenter are allowed to connect through to the PDUs.

Contact Koumbit support when you want to update the list of IP addresses that are allowed in to the PDUs.

Configuring your ssh client

The PDUs have an embedded computer called the "management interface" that runs proprietary firmware and rarely gets updated. Because of this, the encryption it uses is ancient.

The encryption is now so ancient that recent openssh clients will refuse to connect to the PDU. The RSA keys generated by the devices are only 768 bits long, and the most recent firmware for them does not offer the possibility to generate a larger key.

If you have an error message like the following when connecting, then you need to use a version of OpenSSH prior to 7.6p1 (debian jessie or older):

ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: Invalid key length

In order to connect to the PDUs with ssh you might need the following configuration snippet in your ~/.ssh/config:

  PasswordAuthentication yes
  Ciphers aes128-cbc,aes256-cbc
  KexAlgorithms diffie-hellman-group1-sha1
  MACs hmac-sha1

OR

Right on the command line.

 $ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 <pdu host> -l <your username>

Web interface

We generally disable the web interface since we prefer to rely on ssh.


CategoryPdu

PduGuide (last edited 2019-08-02 21:37:10 by gabriel)