
Audit SSH keys
Closed, Resolved (Public)

Description

We're updating our SSH keys provisioning code in D1187.

In the process, when I tested this state on Eglide in dry-run mode, I noticed some keys diverge between config and server.

I'll reach out to each user to confirm the keys and update the config accordingly.

| DevCentral username | Username | Action to take | Date confirmed |
| --- | --- | --- | --- |
| @eunutmaz | erol | Nothing — the second server key is the correct one | 2017-11-10 08:49 |
| | khmerboy | Probably nothing — key committed seems the right one, the previous not removed | 2017-11-12 13:01 |
| @dereckson | dereckson | Nothing — Keys updated in 6d1bf74 but not applied to Eglide | 2017-11-11 23:41 |
| @tomjerr | tomjerr | Nothing — Key updated in 90d97e1, former ones not removed but we can clean them | 2017-10-26 15:38 |
| | kazuya | Nothing — Key updated in 9d5cbec5d, former one not removed | |
| @FRWPKumkum | kumkum | Nothing — Key updated in c850066a, former one not removed | |

The extra keys situation is explained by the fact the full file wasn't managed. Only new keys were added by ssh_keys.present.

With D1187, we'll get a fully managed file, with the header committed this time (ssh_keys.present ignored the # lines when updating the file), and former keys well removed.
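
The divergence described above (a state that only adds keys, versus a fully managed file), reproduced as an added example that is not part of the original task or of the rOPS repository. The key blobs, comments, header line and function names are constructed for illustration, and option parsing is simplified to locating the key-type field.

```python
# Added example: key blobs, comments and the header line are constructed.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def parse_keys(text):
    """Return {(type, blob): comment}, skipping blank and # header lines."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options may precede the key type, so search for the type field.
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                keys[(field, fields[i + 1])] = " ".join(fields[i + 2:])
                break
    return keys

def render(keys):
    """Turn parsed keys back into authorized_keys lines."""
    return [f"{t} {b} {c}".rstrip() for (t, b), c in keys.items()]

def audit(config_text, server_text):
    """Compare on key material, not on comments, and report both directions."""
    config, server = parse_keys(config_text), parse_keys(server_text)
    return {"extra": sorted(server[k] for k in server.keys() - config.keys()),
            "missing": sorted(config[k] for k in config.keys() - server.keys())}

def apply_present(config_text, server_text):
    """'Ensure present' semantics: append missing keys, never remove any."""
    server = parse_keys(server_text)
    new = {k: c for k, c in parse_keys(config_text).items() if k not in server}
    return server_text.rstrip("\n") + "\n" + "".join(l + "\n" for l in render(new))

def apply_managed(config_text, header="#   <auto-generated>\n"):
    """Fully managed file: header plus exactly the configured keys."""
    return header + "\n" + "".join(l + "\n" for l in render(parse_keys(config_text)))

# Constructed scenario: a first key was deployed, then config moved to a second.
SERVER = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFIRSTKEYEXAMPLE user@laptop-old\n"
CONFIG = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAISECONDKEYEXAMPLE user@laptop-new\n"

if __name__ == "__main__":
    print(audit(CONFIG, SERVER))                         # before any run
    print(audit(CONFIG, apply_present(CONFIG, SERVER)))  # stale key remains
    print(audit(CONFIG, apply_managed(CONFIG)))          # file matches config
```

The `extra` list is the security-relevant output: those keys still grant login even though they no longer appear in configuration.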

Event Timeline

dereckson updated the task description.
dereckson added subscribers: tomjerr, FRWPKumkum.

So we're waiting on khmerboy confirmation and we can proceed.


There are actually not one but two keys, with the same date. I think what happened is that two keys were generated during the SSH configuration.

I first prepared D1020 with the first key (+wbFQF6HbQ==); login failed, then khmerboy tried again and generated a second key for that. I updated D1020 with the second key (N4R4DTbbfQ==), but the first key stays on file, as we used a state ensuring keys are present, not a state populating only with a list of keys.

D1187 has been applied to Eglide.

It creates this file for me:

/home/dereckson/.ssh/authorized_keys
#   -------------------------------------------------------------
#   OpenSSH authorized_keys
#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#   License:        Trivial work, not eligible to copyright
#   Source file:    pillar/core/users.sls
#   -------------------------------------------------------------
#
#   <auto-generated>
#       This file is managed by our rOPS SaltStack repository.
#
#       Changes to this file may cause incorrect behavior
#       and will be lost if the state is redeployed.
#
#       To add a new key or revoke a key, submit a Git commit:
#       https://agora.nasqueron.org/How_to_contribute_code
#
#       You can also ask Nasqueron operations to do that for you:
#       https://devcentral.nasqueron.org/maniphest/task/edit/form/3/
#   </auto-generated>

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzD5VzetMFTUHLWrLyBsnZ6bdwDa4Ip9WWAh5nLxKyR dereckson@ysul.nasqueron.org
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIURiX8gBIv91sxutRQeESip7Ympmqe6miepoNDvXpZ9 dereckson@orin.dereckson.drake
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFGIYBdz8pW4vaSyA/QPlcU81uLI8SHoq7I+K6FPO9oh dereckson@graywell.dereckson.drake
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGV4p25jLQQHLgKH1SawoNLKuxkfyHuERRDUN9QZ7i5m dereckson@yakin.dereckson.drake

This file is expected and deemed correct.

dereckson claimed this task.