FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Infrastructure

 
 
LinkBack Thread Tools
 
Old 04-10-2012, 09:37 PM
Kevin Fenzi
 
Default kickstarts, installs and root ssh keys

On Tue, 10 Apr 2012 17:11:14 -0400
seth vidal <skvidal@fedoraproject.org> wrote:

>
> Hi all,
>
> Need some feedback. Since I've been playing with/working on
> ansible(http://ansible.github.com) it has raised some questions as to
> what we will allow/not allow for setting up hosts.
>
> Here's what I'd like to do:
>
> 1. allow lockbox01-only and ssh-key-only access, as root, via ssh to
> our systems. This would be an ssh key only on lockbox and owned by
> root (or possibly by sysadmin-main or other localgroup - like the
> private git repo).
>
> 2. have the root authorized_keys be available from
> infrastructure.fedoraproject.org via http (restricted to the hosts we
> allow, of course)
>
> 3. setup our kickstart %post to suck down these keys.
>
> This will enable me to streamline our installation process
> considerably. Right now there are a number of manual steps in our
> reinstall process. These manual steps are.... errorprone. I'd like to
> eliminate them.

...snip...

So, to be clear this is not replacing puppet or anything, simply making
our re-install/installs more automated, right?

I'm ok with this. We should also make sure access using this is logged
and appears in our usual reports so we can keep an eye on it.

kevin
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 04-10-2012, 09:38 PM
Jan-Frode Myklebust
 
Default kickstarts, installs and root ssh keys

On Tue, Apr 10, 2012 at 05:11:14PM -0400, seth vidal wrote:
>
> 1. allow lockbox01-only and ssh-key-only access, as root, via ssh to
> our systems. This would be an ssh key only on lockbox and owned by root

I'm no fan of passphrase-less ssh-keys.. as they turn read-random-file
vulnerabilities into full root exploits.

Wouldn't it be better to have root's authorized_keys file contain the
pubkeys of each individual admin that should be allowed to ssh from
lockbox01 (prefixed with from=lockbox01 of course) ? Or is this too much
hassle to maintain?


-jf
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 04-10-2012, 09:39 PM
seth vidal
 
Default kickstarts, installs and root ssh keys

On Tue, 10 Apr 2012 15:37:18 -0600
Kevin Fenzi <kevin@scrye.com> wrote:

> ...snip...
>
> So, to be clear this is not replacing puppet or anything, simply
> making our re-install/installs more automated, right?

Not yet, no.


long term I would like to kill it with fire.

-sv
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 04-10-2012, 09:48 PM
Tristan Santore
 
Default kickstarts, installs and root ssh keys

On 10/04/12 22:11, seth vidal wrote:
>
> Hi all,
>
> Need some feedback. Since I've been playing with/working on
> ansible(http://ansible.github.com) it has raised some questions as to
> what we will allow/not allow for setting up hosts.
>
> Here's what I'd like to do:
>
> 1. allow lockbox01-only and ssh-key-only access, as root, via ssh to
> our systems. This would be an ssh key only on lockbox and owned by root
> (or possibly by sysadmin-main or other localgroup - like the private
> git repo).
>
> 2. have the root authorized_keys be available from
> infrastructure.fedoraproject.org via http (restricted to the hosts we
> allow, of course)
>
> 3. setup our kickstart %post to suck down these keys.
>
> This will enable me to streamline our installation process
> considerably. Right now there are a number of manual steps in our
> reinstall process. These manual steps are.... errorprone. I'd like to
> eliminate them.
>
>
> Right now we expose access to our systems via func - which is a daemon
> running as root which auth's using the puppet ssl cert/keys from
> lockbox01. The change to allowing ssh-in as root is not a considerably
> larger attack surface. The only exception is that ssh is available to
> various places for some of our systems, while func's ports are not.
>
>
> I'd like to hear some thoughts on making this change. If no one objects
> then I'll make this happen.
> thanks,
>
> -sv
> _______________________________________________
> infrastructure mailing list
> infrastructure@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
I must say, ansible does look interesting. Just the whole sshd thing
kinda is a put off. But I will look into this a bit more the next days.
But it does most certainly sound like a good effort (the start of).

And Michael is once again involved in a very interesting project, that
should turn out to be very useful indeed.

Thanks for bringing this to our attention.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@fedoraproject.org
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 
Old 04-10-2012, 10:20 PM
seth vidal
 
Default kickstarts, installs and root ssh keys

On Tue, 10 Apr 2012 22:48:04 +0100
Tristan Santore <tristan.santore@internexusconnect.net> wrote:


> I must say, ansible does look interesting. Just the whole sshd thing
> kinda is a put off. But I will look into this a bit more the next
> days. But it does most certainly sound like a good effort (the start
> of).
>


Why is sshd a put off? sshd makes sense if only for
provisioning/deployment b/c it is available for ever cloud instance
ever spun up - and for the overwhelming majority of systems I've ever
touched.

-sv
_______________________________________________
infrastructure mailing list
infrastructure@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/infrastructure
 

Thread Tools




All times are GMT. The time now is 10:26 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org