kickstarts, installs and root ssh keys

Christos Triantafyllidis christos.triantafyllidis at gmail.com
Tue Apr 10 23:26:18 UTC 2012


Hi,
   some apprentice feedback!

  I'm not a puppet user (except for fedora) but I use a product with similar logic (quattor). Of course the case of puppet ssl keys being "gotten" typically has the same results as an ssh key that provides root access to all nodes, but the risk is not always the same. Explaining myself: there are many more automated attacks that can use an ssh key (i.e. combined with the hosts in authorized_keys) in no time, while using the puppet way will most probably be a targeted attack (not saying though that fedora's infrastructure doesn't qualify as a target).

   Haven't checked the whole documentation yet, but doesn't this thing allow usage of ssh key agents? If so it would be much, much better if the key is encrypted.

We use something similar (pdsh) for our fabric, and practice revealed that the following additions to the authorized_keys made audit much easier:
a) have a "from=lockbox01" as Jan-Frode already mentioned
b) have a simple script in "command=" that will log remotely executed commands; I use the following (logging directly to my mailbox):
command="echo Executed command: ${SSH_ORIGINAL_COMMAND:-$SHELL}| mail -s \"root key usage at `hostname -f`\" my at e.mail && exec ${SSH_ORIGINAL_COMMAND:-$SHELL}"

This way, even if the attacker manages to get the key AND the passphrase AND have access to the node that is allowed to use it, his actions will at least be logged.

Regards,
Christos

On Apr 11, 2012, at 1:34 AM, Stephen John Smoogen wrote:

> On 10 April 2012 15:48, Tristan Santore
> <tristan.santore at internexusconnect.net> wrote:
>> On 10/04/12 22:11, seth vidal wrote:
>>> 
> 
>> I must say, ansible does look interesting. Just the whole sshd thing
>> kinda is a put off. But I will look into this a bit more the next days.
>> But it does most certainly sound like a good effort (the start of).
>> 
>> And Michael is once again involved in a very interesting project, that
>> should turn out to be very useful indeed.
> 
> Coming from the old school.. I had this initial reaction.. I am
> letting a root login from a system on the internet.. but then I
> realized that in reality this does not seem any less secure than the
> puppet or similar setups. If the ssh key is "gotten" it is no less a
> problem than if the puppet ssl keys are gotten, and possibly less
> likely to be auditable.
> 
> I think in this case a look at why you feel uncomfortable needs to be
> written out a bit more to make sure if it is a "well we didn't think
> of that scenario" or a "well for 10+ years I have made sure ssh wasn't
> root loggable or autopassworded in and this makes me feel icky." type
> feeling.
> 
>> Thanks for bringing this to our attention.
>> 
>> Regards,
>> 
>> Tristan
>> 
>> --
>> Tristan Santore BSc MBCS
>> TS4523-RIPE
>> Network and Infrastructure Operations
>> InterNexusConnect
>> Mobile +44-78-55069812
>> Tristan.Santore at internexusconnect.net
>> 
>> Former Thawte Notary
>> (Please note: Thawte has closed its WoT programme down,
>> and I am therefore no longer able to accredit trust)
>> 
>> For Fedora related issues, please email me at:
>> TSantore at fedoraproject.org
>> _______________________________________________
>> infrastructure mailing list
>> infrastructure at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
> 
> 
> 
> -- 
> Stephen J Smoogen.
> "The core skill of innovators is error recovery, not failure avoidance."
> Randy Nelson, President of Pixar University.
> "Years ago my mother used to say to me,... Elwood, you must be oh
> so smart or oh so pleasant. Well, for years I was smart. I
> recommend pleasant. You may quote me."  —James Stewart as Elwood P. Dowd
> _______________________________________________
> infrastructure mailing list
> infrastructure at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
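The two authorized_keys restrictions discussed in this thread (a `from=` pin to the jump host and a `command=` forced command that logs what the root key is used for), as an added example that is not part of the mailing-list post or of any project mentioned in it. The script below is a constructed forced-command wrapper that records each use to syslog (or a file) before handing over to the requested command, plus helpers that build the restricted key line and audit an authorized_keys file for keys that lack the restrictions. The wrapper path `/usr/local/sbin/root-key-audit`, the jump host name `lockbox01`, the log file path and the sample keys are all assumptions for the example:

```shell
#!/bin/sh
# Constructed example, not code from the mailing-list post.
# Forced-command audit wrapper for a root ssh key, plus helpers for
# building and checking restricted authorized_keys entries.
#
# Assumed (hypothetical) names: the wrapper lives at
# /usr/local/sbin/root-key-audit, the only host allowed to use the key
# is "lockbox01", and records go to syslog via logger(1), falling back
# to a local file when logger is unavailable.

AUDIT_TAG="root-key-audit"                               # syslog ident
AUDIT_FILE="${AUDIT_FILE:-/var/log/root-key-audit.log}"  # assumed fallback path

# Build one audit record.  Arguments:
#   $1 = SSH_ORIGINAL_COMMAND (empty means an interactive shell was requested)
#   $2 = SSH_CLIENT ("ip port localport"; empty if unknown)
#   $3 = name of this host
# Prints e.g.:  host=db01 client=192.0.2.10 cmd="uptime"
format_audit_record() {
    cmd="$1"
    client="${2%% *}"                      # first field of SSH_CLIENT is the source IP
    [ -n "$cmd" ] || cmd="<interactive shell ${SHELL:-/bin/sh}>"
    [ -n "$client" ] || client="unknown"
    printf 'host=%s client=%s cmd="%s"\n' "$3" "$client" "$cmd"   # cmd is not escaped
}

# Send the record to syslog; if logger(1) fails, append it to AUDIT_FILE.
audit_log() {
    logger -t "$AUDIT_TAG" -p authpriv.notice -- "$1" 2>/dev/null \
        || printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >> "$AUDIT_FILE"
}

# The forced command itself: log first, then exec what the client asked for
# (or a login shell when no command was given).  Running the original command
# through "sh -c" keeps its quoting and pipes intact.
ssh_forced_command_wrapper() {
    audit_log "$(format_audit_record "${SSH_ORIGINAL_COMMAND:-}" "${SSH_CLIENT:-}" "$(hostname)")"
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
    else
        exec "${SHELL:-/bin/sh}" -l
    fi
}

# Build the restricted authorized_keys line: from= pins the source host
# (point a in the post), command= forces the audit wrapper (point b), and
# the remaining options drop forwarding abilities a management key never needs.
#   $1 = allowed source pattern, $2 = forced command, $3 = public key material
build_restricted_key_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$1" "$2" "$3"
}

# Does one authorized_keys line carry both a from= and a command= option?
# Returns 0 when it does, 1 otherwise.
key_line_is_restricted() {
    case "$1" in
        *from=\"*\"*command=\"*\"*|*command=\"*\"*from=\"*\"*) return 0 ;;
    esac
    return 1
}

# Audit an authorized_keys file ($1): print every key line missing either
# restriction.  Blank lines and comments are skipped.  Exit status 0 when all
# keys are restricted, 1 when at least one is not.
report_unrestricted_keys() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! key_line_is_restricted "$line"; then
            printf 'UNRESTRICTED: %s\n' "$line"
            status=1
        fi
    done < "$1"
    return $status
}

# Invocation modes:
#   root-key-audit --forced-command     (used from authorized_keys command=)
#   root-key-audit --check FILE         (audit an authorized_keys file)
# With no argument only the functions are defined.
case "${1:-}" in
    --forced-command) ssh_forced_command_wrapper ;;
    --check)          report_unrestricted_keys "$2" ;;
esac
```

The entry to install is the output of `build_restricted_key_line lockbox01 "/usr/local/sbin/root-key-audit --forced-command" "$(cat key.pub)"`. Logging to syslog rather than to a mailbox means the record reaches a central log host even when the local MTA is misconfigured, and `--check` run from cron gives the ongoing audit that the post describes: any root key that is later added without `from=` and `command=` shows up as UNRESTRICTED.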