Linux Archive, Fedora Infrastructure list: http://www.linux-archive.org/fedora-infrastructure/654682-kickstarts-installs-root-ssh-keys.html

seth vidal 04-10-2012 09:11 PM

kickstarts, installs and root ssh keys
Hi all,

Need some feedback. Since I've been playing with/working on
ansible (http://ansible.github.com) it has raised some questions as to
what we will allow/not allow for setting up hosts.

Here's what I'd like to do:

1. allow lockbox01-only and ssh-key-only access, as root, via ssh to
our systems. This would be an ssh key only on lockbox and owned by root
(or possibly by sysadmin-main or other localgroup - like the private
git repo).

2. have the root authorized_keys be available from
infrastructure.fedoraproject.org via http (restricted to the hosts we
allow, of course)

3. set up our kickstart %post to suck down these keys.

This will enable me to streamline our installation process
considerably. Right now there are a number of manual steps in our
reinstall process. These manual steps are.... error-prone. I'd like to
eliminate them.


Right now we expose access to our systems via func - which is a daemon
running as root which authenticates using the puppet ssl cert/keys from
lockbox01. The change to allowing ssh-in as root is not a considerably
larger attack surface. The only exception is that ssh is available to
various places for some of our systems, while func's ports are not.


I'd like to hear some thoughts on making this change. If no one objects
then I'll make this happen.
thanks,

-sv
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
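The three steps above (a lockbox01-only root key, an authorized_keys file served over http, and a kickstart %post that pulls it down) can be made safer at the %post end than a bare fetch-and-copy. The script below is an added example written for this thread, not code from the original post or from Fedora Infrastructure. It assumes the hostnames lockbox01 and lockbox01.fedoraproject.org from the post; the URL in `fetch_root_keys` and the key material in `SAMPLE_KEYS` are constructed placeholders. It filters the downloaded file down to real key lines, pins each key with an ssh `from=` restriction so it only works from lockbox01 even if the file is exposed, and forces sshd to key-only root login. The demo at the end runs against a scratch directory so it can be tried offline.

```shell
#!/bin/sh
# Added example for the kickstart %post step described in the post.
# Works on a scratch directory by default; in a real %post, DIR would be
# /root/.ssh and CFG would be /etc/ssh/sshd_config.

# Constructed sample of what the served authorized_keys might look like.
# The key blobs are fake placeholders, not real public keys.
SAMPLE_KEYS='ssh-rsa AAAAB3NzaC1yc2EFAKEKEY1 root@lockbox01
# a comment line that must be ignored
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEY2 sysadmin-main@lockbox01
not-a-key line that must be rejected'

# fetch_root_keys URL OUT
# Download the key file. Uses https and curl's default CA check so a
# host on the path cannot hand the installer a substitute key set.
# The URL is a placeholder; the post only says infrastructure.fedoraproject.org.
fetch_root_keys() {
    url="${1:-https://infrastructure.fedoraproject.org/PLACEHOLDER/authorized_keys}"
    out="$2"
    curl --fail --silent --show-error --proto '=https' -o "$out" "$url"
}

# install_root_keys DIR SRC
# Write DIR/authorized_keys keeping only lines that look like ssh public
# keys, each prefixed with a from= restriction limiting it to lockbox01.
install_root_keys() {
    dir="$1"; src="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    : > "$dir/authorized_keys"
    while IFS= read -r line; do
        case "$line" in
            "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*)
                printf 'from="lockbox01,lockbox01.fedoraproject.org" %s\n' "$line" \
                    >> "$dir/authorized_keys" ;;
            *) ;;   # comments, blanks and anything else are dropped
        esac
    done < "$src"
    chmod 600 "$dir/authorized_keys"
}

# count_root_keys DIR
# Print how many restricted key lines were installed (used by the demo/test).
count_root_keys() {
    grep -c '^from="lockbox01' "$1/authorized_keys"
}

# harden_sshd CFG
# Root may log in with a key only; password auth is off for everyone.
harden_sshd() {
    cfg="$1"
    touch "$cfg"
    grep -v -E '^(PermitRootLogin|PasswordAuthentication)[[:space:]]' "$cfg" > "$cfg.tmp" || true
    printf 'PermitRootLogin without-password\nPasswordAuthentication no\n' >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Offline demo: no network fetch, just the filtering and hardening steps.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_KEYS" > "$demo_dir/fetched"
install_root_keys "$demo_dir/ssh" "$demo_dir/fetched"
harden_sshd "$demo_dir/sshd_config"
echo "installed $(count_root_keys "$demo_dir/ssh") restricted root key(s) in $demo_dir/ssh"
```

In a real %post you would call `fetch_root_keys` first and abort the install if it fails, rather than leaving root with an empty key file. The `from=` pattern accepts hostnames only when sshd can reverse-resolve the client; if that is not reliable on the network in question, list lockbox01's addresses instead.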

