Introduce SSH cert support #867
Conversation
|
Depends on: theforeman/smart_proxy_remote_execution_ssh#126 |
adamlazik1
force-pushed
the
ssh-cert-support
branch
5 times, most recently
from
702e256 to
18db7e9
Compare
|
This is now ready for review. |
manifests/plugin/ansible.pp
Outdated
| } | ||
| $known_hosts_file_option = $foreman_proxy::plugin::remote_execution::script::ssh_host_ca_public_key ? { | ||
| undef => '', | ||
| default => "-o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_identity_dir}/known_hosts -o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_ca_known_hosts_file}", |
There was a problem hiding this comment.
Same issue as in remote execution. If we have host CA cert available, should we enforce StrictHostKeyChecking?
|
/packit build |
|
@adamlazik1 could you rebase this please on latest master, so that Packit starts working? |
|
No config file for packit (e.g. For more info, please check out the documentation or contact the Packit team. You can also use our CLI command |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
18db7e9 to
3759635
Compare
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
f6c78c1 to
5e673ed
Compare
|
Updated ansible ssh args to enforce strict host key checking if host CA is provided. |
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
5e673ed to
3bdd6b6
Compare
|
Switching back to draft since the feature got postponed to 3.16 |
| # $ssh_identity_file:: Provide an alternative name for the SSH keys | ||
| # | ||
| # $ssh_keygen:: Location of the ssh-keygen binary | ||
| # $ssh_user_ca_public_key_file:: Public key file for the SSH CA certificate |
There was a problem hiding this comment.
Should we unify with the host CA key behavior and pass the public key contents instead of a path? I would solve issues with permissions.
There was a problem hiding this comment.
From security POV, it should be fine since the CA key is public. But how long is it? How long will it eventually be? Maybe the shell won't like a line that long. I think this kind of data shouldn't be passed in the command line. OTOH, if it's consistent with something we already have, it may be the least confusing.
The permission issues themselves can be solved by documentation + help text.
There was a problem hiding this comment.
I see, thanks for your input. You have a good point with possible future length, so I will probably leave it as it is.
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
3bdd6b6 to
a9906b3
Compare
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
|
/packit build |
|
Account adamruzicka has no write access nor is author of PR! |
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
a9906b3 to
97c756e
Compare
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
97c756e to
60cd6a8
Compare
|
/packit build |
1 similar comment
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
| <% if ssh_user_ca_public_key_file = scope.lookupvar('::foreman_proxy::plugin::remote_execution::script::ssh_user_ca_public_key_file') -%> | ||
| :ssh_user_ca_public_key_file: <%= ssh_user_ca_public_key_file %> | ||
| <% end -%> | ||
| <% if ssh_host_ca_public_key = scope.lookupvar('::foreman_proxy::plugin::remote_execution::script::ssh_host_ca_public_key') -%> |
There was a problem hiding this comment.
ssh_host_ca_public_key is never used here?
There was a problem hiding this comment.
True, that is a remnant from the previous iteration. However; since it doesn't change the functionality I will not update the PR since with the switch to foremanctl the installer will not be used for SSH certs anyway. The purpose of this PR became to just enable us to verify the rest of the SSH cert feature on current stream deployments.
There was a problem hiding this comment.
I think the PR will still be merged before migration to the new installer? I'm planning to verify the feature as o complex of current 4 PRs.
| # $ssh_user_ca_public_key_file:: Public key file for the SSH CA certificate | ||
| # | ||
| # $ssh_kerberos_auth:: Enable kerberos authentication for SSH | ||
| # $ssh_host_ca_public_key:: Trusted host CA public key |
There was a problem hiding this comment.
Why the inconsistency? We take the foreman CA public key as file path but the host CA public key as its content from command line. I think it's suboptimal, how long is the key, how long may it be in the future?
There was a problem hiding this comment.
Additional editing is needed when registering host CA pubkey (@host-certificate ...). While the actual user CA pubkey file is expected to be present on the capsule as it is distributed to new hosts, this is not the case for host CA pubkey file. We only require the contents.
There was a problem hiding this comment.
Of course, arguments could be made that similarly we could pass contents of the user CA pubkey as installer is able to create its own file, ensuring the correct permissions. I can take this point into consideration when implementing this in foremanctl.
There was a problem hiding this comment.
I think the best solution is to take path in both cases and in cases of host CA, just get the key from the file and put it in the config file.
lhellebr
left a comment
lhellebr
left a comment
There was a problem hiding this comment.
I have been able to verify the SSH CA cert feature as a complex of the following 4 PRs:
theforeman/smart_proxy_remote_execution_ssh#126
theforeman/foreman#10571
theforeman/foreman_remote_execution#977
#867
Including the following use cases:
SSH REX
Ansible REX
Pull mode REX
Cockpit
Including hosts created by:
Global registration
Provisioning
Including scenarios:
SSH CA on Satellite side
SSH CA on host side
SSH CA on both sides
Both positive scenarios and negative scenarios, that is incorrect CA, incorrect cert, incorrect principal.
=> ACK to this PR
5 participants
No description provided.