Getting rid of a static password#90
Conversation
|
I have a few questions:
Moving to standard |
eriknordmark
left a comment
There was a problem hiding this comment.
Shouldn't we also change sshd_config to not allow any password-based (root) logins?
It might not work for root if there no longer is a root password, but it seems safer to explicitly only allow logins based on authorized_keys.
|
@eriknordmark wrote:
The default |
|
@deitch Since it is a read only filesystem we can't save a generated key or authorized_keys in the container itself; would need to use /config or /persist if that is what we want. |
| # constructing /run/authorized_keys from a static one and also | ||
| # extracting key material from x509 certificates | ||
| cp /config/authorized_keys /run | ||
| bash -c 'ssh-keygen -f <(openssl x509 -in /config/onboard.cert.pem -pubkey -noout) -i -mPKCS8' >> /run/authorized_keys |
There was a problem hiding this comment.
Please make this check if /config/onboard.cert.pem exists before trying to use it.
If the device/image is already onboarded we do not require the existence of that file.
There was a problem hiding this comment.
@eriknordmark good point
Me playing with the on-boarding certs was an attempt to see if we can piggy back off of the trust that is already generated by the cloud. However, after I played with it myself -- I think authorized_keys via /conf on the USB stick is probably the best option for the developers for now.
I'll polish a bit more and will update the pull request
|
@eriknordmark wrote:
Ah, so directly using
Not sure we do want to persist it, if it is generated. Depends what our flow might be to change public keys. If we change them directly, sure. If we are going to change the public cert, then we might want to regenerate with each boot.
So rather than generate from |
|
Also, have we discussed using a CA structure? I am not exactly madly in love with the whole CA structure, at least as far as the public Internet goes; I find it the weak point in https. However, for our restricted purposes, it might work quite well. Instead of
|
|
Confirmed that the version of openssh accepts CA keys. Lots of guides online, but for quick reference, here is a gist |
|
Let me look into this whole TrustedUserCAKeys business a bit more. |
|
Ok, I must say @deitch CA approach got me really thinking. I like it way better than the one I cooked up. But perhaps we can do one better still. As I said -- my objective is to keep cloud part completely oblivious to this implementation (like it is today). If you recall, today, the only ssh relate API from the cloud we're using is configItem API that is used to set debug.enable.ssh:true/false (the key here is completely opaque to the cloud -- and that's how it should be!). So... what if we update go-provision implementation to actually recognize not only true/false but also This will keep cloud completely out of the loop and also keep the scope to this API under very tight config item. What do you think @eriknordmark ? |
Will it? Isn't the Or do you mean that it isn't static in the cloud, and thus the user-to-cloudcontroller API call (or Web UI) would be something like:
I do like it. It eliminates any hard-coding and saving of private keys anywhere, dynamically loading them as needed. I would point out, though, that almost certainly (and rather quickly) we will receive requests to enable saving in the cloud controller of public keys, similar to every public cloud provider (aws, azure, packet, etc.), where they store the public keys. But either way, that can be implemented later. |
|
@rvs My idea a week ago or so was to pass an authorized key using a config item. Whether we do by redefining debug.enable.ssh from a boolean to the string with a key requires some care to not mess up the devices we have in the lab. I'd suggest defining a new config item and then later retiring the boolean. For us and an EVE developer, is it easier to use the CA key approach vs. just specifying the key on my laptop? I think for an EVE developer the CA approach seems overkill. If Zededa engineers need to debug devices in production then a single authorized key should suffice as well. |
In that case I need to apologize @eriknordmark -- it seems that I have misunderstood you. I thought you were talking about zededa cloud actually being aware of the key. If it is just the opaque config item -- it is exactly the same as what I proposed in this thread. At this point, I feel that the choice is between picking CA vs. authorized_keys approaches. Let me come up with a bit more background on either of these before we commit to a final solution. |
|
@deitch @eriknordmark I suggest we close this PR and move both this part of it (and corresponding change to go code) to eve. I've moved this part of it to zededa/eve#23 -- please take a look. @deitch while moving it I realized that we actually lost an ability to ssh directly into the zedctr/pillar container with this patch. Do you think yo can help coming up with some clever trick for setting a shell for root so that it immediately does ? |
|
Let's move this conversation over. I am going to pull the comments across as well, so we can close this one out. |
|
Comments (short form) moved over. @rvs close this one out. |
I've started looking into how to get rid of the ugly static ssh password and came up with this idea. It still needs a bit of polish, but since @eriknordmark wanted to take a look at it -- here it is.
@deitch please let me know if this looks reasonable to you and we can polish it some more