Faidon Liambotis has submitted this change and it was merged. Change subject: ssh: remove .ssh/authorized_keys support from prod ......................................................................
ssh: remove .ssh/authorized_keys support from prod This is the scariest patch in this whole changeset: Remove support for $HOME/.ssh/authorized_keys from hosts in production, relying solely on /etc/ssh/userkeys/ instead. This removes the capability from users to set their own authorized_keys which is a good security measure. Combined with /etc/ssh/userkeys being recurse => true, purge => true, this means that no SSH key can be provisioned manually on hosts and puppet and only puppet can control SSH access, also a good security measure. Bug: T92475 Change-Id: Ibe090569a9241ba13bd76a44005483390629dda7 --- D hieradata/hosts/sodium.yaml M hieradata/role/common/ganeti.yaml M modules/ssh/manifests/server.pp 3 files changed, 4 insertions(+), 11 deletions(-) Approvals: Yuvipanda: Looks good to me, but someone else must approve Faidon Liambotis: Looks good to me, approved jenkins-bot: Verified diff --git a/hieradata/hosts/sodium.yaml b/hieradata/hosts/sodium.yaml deleted file mode 100644 index 2cac849..0000000 --- a/hieradata/hosts/sodium.yaml +++ /dev/null @@ -1 +0,0 @@ -ssh::server::authorized_keys_file: %h/.ssh/authorized_keys diff --git a/hieradata/role/common/ganeti.yaml b/hieradata/role/common/ganeti.yaml index 728511c..f3f2d58 100644 --- a/hieradata/role/common/ganeti.yaml +++ b/hieradata/role/common/ganeti.yaml @@ -1,4 +1,4 @@ -ssh::server::authorized_keys_file: /etc/ssh/userkeys/%u /etc/ssh/userkeys/%u.d/ganeti .ssh/authorized_keys +ssh::server::authorized_keys_file: /etc/ssh/userkeys/%u /etc/ssh/userkeys/%u.d/ganeti ganeti::ganeti01.svc.codfw.wmnet::nodes: - ganeti2001.codfw.wmnet - ganeti2002.codfw.wmnet diff --git a/modules/ssh/manifests/server.pp b/modules/ssh/manifests/server.pp index 0ff6869..dce0cae 100644 --- a/modules/ssh/manifests/server.pp +++ b/modules/ssh/manifests/server.pp 
@@ -18,16 +18,10 @@ if $authorized_keys_file { $ssh_authorized_keys_file = $authorized_keys_file + } elsif ($::realm == 'labs' and os_version('ubuntu <= precise')) { + $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u /public/keys/%u/.ssh/authorized_keys' } else { - if ($::realm == 'labs') { - if os_version('ubuntu <= precise') { - $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u /public/keys/%u/.ssh/authorized_keys' - } else { - $ssh_authorized_keys_file = '/etc/ssh/userkeys/%u' - } - } else { - $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u .ssh/authorized_keys .ssh/authorized_keys2' - } + $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u' } file { '/etc/ssh/userkeys': -- To view, visit https://gerrit.wikimedia.org/r/183824 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Ibe090569a9241ba13bd76a44005483390629dda7 Gerrit-PatchSet: 8 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org> Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
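Review bot: deleting hieradata/hosts/sodium.yaml removes the per-host override `ssh::server::authorized_keys_file: %h/.ssh/authorized_keys`, so sodium falls back to the module default of `/etc/ssh/userkeys/%u` and any account on that host whose only key lives under its home directory loses access on the next puppet run; confirm those keys have been migrated into /etc/ssh/userkeys/ as puppet-managed files (the directory is purged, so a hand-copied file would not survive) before this merges, and consider saying so in the commit message, since this override was the last remaining way to honour a home-directory key on a production host.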
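Review bot: the new ganeti.yaml value `/etc/ssh/userkeys/%u /etc/ssh/userkeys/%u.d/ganeti` keeps the per-user `%u.d/ganeti` file as a second key source, and with `/etc/ssh/userkeys` managed `recurse => true, purge => true` that file only exists if puppet declares it; verify the ganeti role provisions `/etc/ssh/userkeys/<user>.d/ganeti` as a file resource, otherwise the purge deletes the cluster's key on the next run and node-to-node SSH for ganeti fails in a way that would be easy to misattribute to the `.ssh/authorized_keys` removal.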
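Review bot: the rewritten conditional in server.pp still lets a hiera `$authorized_keys_file` value win over the new production default, so any remaining hieradata entry that lists `.ssh/authorized_keys` silently re-enables home-directory keys for that host or role; the two entries touched in this change are fixed, but grep hieradata for `authorized_keys` before merging and consider a follow-up that rejects relative paths in the override so the default cannot be undone by a one-line hiera edit. Two smaller points: the `else` branch also drops the legacy `.ssh/authorized_keys2` entry, which the commit message does not mention and should; and both new assignments `$ssh_authorized_keys_file ='/etc/ssh/userkeys/%u'` are missing the space after `=` (carried over from the old lines, but worth fixing while the block is being rewritten). Note that the labs precise branch still reads `/public/keys/%u/.ssh/authorized_keys`, so the "only puppet controls SSH access" guarantee is production-only, which matches the subject line but is worth stating explicitly.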