Page MenuHomeDevCentral
Differential D1336

Run a secondary SSH server for OTP purpose
ClosedPublic
Actions

Authored by dereckson on Feb 19 2018, 16:17.
Tags
None
Referenced Files
F3774282: D1336.id3427.diff
Sun, Nov 24, 10:53
F3774117: D1336.id3429.diff
Sun, Nov 24, 09:51
F3774029: D1336.id3428.diff
Sun, Nov 24, 09:23
F3773674: D1336.diff
Sun, Nov 24, 08:04
Unknown Object (File)
Fri, Nov 22, 05:09
Unknown Object (File)
Sun, Nov 17, 18:15
Unknown Object (File)
Sun, Nov 17, 06:38
Unknown Object (File)
Sun, Nov 17, 06:17
View All Files
Subscribers
None

Details

Reviewers
dereckson
Commits
rOPSdea23f79b7b8: Run a secondary SSH server for OTP purpose
Summary

On Nasqueron servers, sshd on the port 22 is configured to accept only keys.
That configuration helps the user to know the passphrase prompt
is managed by their SSH client when they don't use an agent.

This situation could become more confusing if we add OTP, an interactive
prompt handled by the server.

To avoid such confusion, we run two SSH servers:

  • on the port 22: public key authentication only
  • on the port 5022: key + OTP
Test Plan

Deploy on Ysul and Eglide

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Passed
Unit
No Test Coverage
Branch
sshd-otp
Build Status
Buildable 2110
Build 2358: arc lint + arc unit

Event Timeline

dereckson requested review of this revision.Feb 19 2018, 16:17
dereckson created this revision.
Harbormaster completed remote builds in B2110: Diff 3427.Feb 19 2018, 16:17
dereckson added a comment.Feb 19 2018, 16:25

Works with ssh -p 5022 -o PubkeyAuthentication=No ysul.nasqueron.org.

dereckson planned changes to this revision.Feb 19 2018, 16:27
dereckson added inline comments.
roles/core/sshd/files/sshd.rc
79

root@ysul:/usr/home/dereckson # /usr/local/etc/rc.d/sshd-otp oneconfigtest
Performing sanity check on sshd-otp configuration.
eval: -otp_program: not found

89

/usr/local/etc/rc.d/sshd-otp: WARNING: run_rc_command: cannot run -otp_program

dereckson updated this revision to Diff 3428.Feb 19 2018, 18:51

Fix service

Harbormaster completed remote builds in B2111: Diff 3428.Feb 19 2018, 18:51
dereckson updated this revision to Diff 3429.Feb 19 2018, 19:22

Improve service handling

Harbormaster completed remote builds in B2112: Diff 3429.Feb 19 2018, 19:22
dereckson accepted this revision.Feb 19 2018, 19:22
This revision is now accepted and ready to land.Feb 19 2018, 19:22
Closed by commit rOPSdea23f79b7b8: Run a secondary SSH server for OTP purpose (authored by dereckson). · Explain WhyFeb 19 2018, 19:23
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
4 lines
roles/
bastion/
1 line
sshd-otp/
files/
34 lines
50 lines
core/
sshd/
files/
89 lines
21 lines

Diff 3427

View Options

map.jinja

Loading...
View Options

roles/bastion/init.sls

Loading...
View Options

roles/bastion/sshd-otp/files/sshd_config

Loading...
View Options

roles/bastion/sshd-otp/init.sls

Loading...
View Options

roles/core/sshd/files/sshd.rc

Loading...
View Options

roles/core/sshd/files/sshd.service

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator