04-10-2012, 09:11 PM
seth vidal

kickstarts, installs and root ssh keys

Hi all,

Need some feedback. Since I've been playing with/working on
ansible (http://ansible.github.com) it has raised some questions as to
what we will allow/not allow for setting up hosts.

Here's what I'd like to do:

1. allow lockbox01-only and ssh-key-only access, as root, via ssh to
our systems. This would be an ssh key only on lockbox and owned by root
(or possibly by sysadmin-main or other local group - like the private
git repo).

2. have the root authorized_keys be available from
infrastructure.fedoraproject.org via http (restricted to the hosts we
allow, of course)

3. set up our kickstart %post to suck down these keys.

This will enable me to streamline our installation process
considerably. Right now there are a number of manual steps in our
reinstall process. These manual steps are... error-prone. I'd like to
eliminate them.


Right now we expose access to our systems via func - which is a daemon
running as root which auths using the puppet ssl cert/keys from
lockbox01. The change to allowing ssh-in as root is not a considerably
larger attack surface. The only exception is that ssh is available to
various places for some of our systems, while func's ports are not.


I'd like to hear some thoughts on making this change. If no one objects
then I'll make this happen.
thanks,

-sv
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
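
Steps 1 to 3 of the proposal, sketched as an added example (not part of the original message and not Fedora Infrastructure's kickstart): a shell function a kickstart %post could call on the downloaded keys file, which accepts only bare public-key lines and pins every key to the one allowed source host with the OpenSSH `from=` option. The function name, `KEYS_URL`, and the address 192.0.2.10 standing in for lockbox01 are assumptions.

```shell
# Added example. Hypothetical use inside %post (KEYS_URL is a placeholder):
#   curl -sf -o /tmp/root_keys "$KEYS_URL" &&
#       install_root_keys /tmp/root_keys /root 192.0.2.10
#
# install_root_keys KEYS_FILE ROOT_HOME LOCKBOX_ADDR
# Returns 0 on success, 1 on missing/empty input, 2 on a rejected line.
install_root_keys() {
    src=$1; home=$2; addr=$3
    [ -s "$src" ] || return 1                      # download missing or empty
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    tmp=$(mktemp "$home/.ssh/authorized_keys.XXXXXX") || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac    # skip blanks and comments
        # Expect "type base64 [comment]". A line that starts with its own
        # options (command=, from=, ...) fails the type check and is refused.
        ktype=${line%% *}; rest=${line#* }; blob=${rest%% *}
        case $ktype in
            ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
            *) rm -f "$tmp"; return 2 ;;
        esac
        case $blob in
            AAAA*) ;;                              # every SSH key blob starts this way
            *) rm -f "$tmp"; return 2 ;;
        esac
        case $blob in
            *[!A-Za-z0-9+/=]*) rm -f "$tmp"; return 2 ;;   # not base64
        esac
        # Pin the key to the single allowed source and drop forwarding.
        printf 'from="%s",no-agent-forwarding,no-port-forwarding,no-X11-forwarding %s\n' \
            "$addr" "$line" >>"$tmp"
    done <"$src"
    [ -s "$tmp" ] || { rm -f "$tmp"; return 2; }   # nothing usable in the file
    # mktemp creates the file 0600; rename so sshd never sees a partial file.
    chmod 600 "$tmp" && mv -f "$tmp" "$home/.ssh/authorized_keys"
}
```

Key-only root login also needs `PermitRootLogin without-password` (spelled `prohibit-password` in newer OpenSSH) in sshd_config. Because the keys are fetched over plain http, the `from=` pin limits what a substituted key could be used for but does not authenticate the download itself.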
 
