Faidon Liambotis has submitted this change and it was merged.

Change subject: ssh: remove .ssh/authorized_keys support from prod
......................................................................


ssh: remove .ssh/authorized_keys support from prod

This is the scariest patch in this whole changeset:

Remove support for $HOME/.ssh/authorized_keys from hosts in production,
relying solely on /etc/ssh/userkeys/ instead. This removes the
capability from users to set their own authorized_keys, which is a good
security measure.

Combined with /etc/ssh/userkeys being recurse => true, purge => true,
this means that no SSH key can be provisioned manually on hosts, and
puppet and only puppet can control SSH access, also a good security
measure.

Bug: T92475
Change-Id: Ibe090569a9241ba13bd76a44005483390629dda7
---
D hieradata/hosts/sodium.yaml
M hieradata/role/common/ganeti.yaml
M modules/ssh/manifests/server.pp
3 files changed, 4 insertions(+), 11 deletions(-)

Approvals:
  Yuvipanda: Looks good to me, but someone else must approve
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified
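The commit message above rests on one property of sshd's `AuthorizedKeysFile` option: once every entry points under an operator-managed directory, a user can no longer add keys for themselves. The following audit script is an added example, not part of the operations/puppet change or the Wikimedia repository. It parses the output of `sshd -T` (the effective configuration, one lowercase keyword per line) and reports every `AuthorizedKeysFile` entry the login user could write to: relative paths (resolved under the home directory) and paths containing the `%h` home-directory token. The managed prefix `/etc/ssh/userkeys/` is taken from the change; the sample `sshd -T` dumps are constructed to mirror the before and after values in the diff.

```python
"""Audit the effective AuthorizedKeysFile setting of an sshd.

Added example, not code from the operations/puppet change. Feed it the
output of `sshd -T` and it lists every AuthorizedKeysFile entry that the
logging-in user can write to themselves.
"""
from typing import Dict, List, Tuple

# Assumption: the only directory treated as operator-managed is the one the
# change relies on. Extend the tuple for other Puppet-managed key locations.
MANAGED_PREFIXES: Tuple[str, ...] = ("/etc/ssh/userkeys/",)


def effective_authorized_keys_files(sshd_t_output: str) -> List[str]:
    """Return the AuthorizedKeysFile tokens from `sshd -T` output.

    The value is a space-separated list of paths, or the single word 'none'.
    Keyword matching is case-insensitive so a raw sshd_config also parses.
    """
    for line in sshd_t_output.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == "authorizedkeysfile":
            return parts[1:]
    # sshd -T always prints the keyword; this fallback is OpenSSH's compiled-in
    # default, reached only when a raw sshd_config omits the option entirely.
    return [".ssh/authorized_keys", ".ssh/authorized_keys2"]


def user_controlled(token: str, managed_prefixes: Tuple[str, ...] = MANAGED_PREFIXES) -> bool:
    """True if the user being authenticated can write this keys file."""
    if token == "none":
        return False              # file-based keys disabled altogether
    if not token.startswith("/"):
        return True               # relative paths resolve under the user's home
    if "%h" in token:
        return True               # %h expands to the user's home directory
    # Absolute and home-independent: safe only under a managed directory.
    return not token.startswith(managed_prefixes)


def audit(sshd_t_output: str, managed_prefixes: Tuple[str, ...] = MANAGED_PREFIXES) -> Dict[str, object]:
    """Summarise which AuthorizedKeysFile entries are outside operator control."""
    tokens = effective_authorized_keys_files(sshd_t_output)
    unmanaged = [t for t in tokens if user_controlled(t, managed_prefixes)]
    return {"tokens": tokens, "unmanaged": unmanaged, "ok": not unmanaged}


# Constructed `sshd -T` excerpts mirroring the production value before and
# after the change (only the relevant lines are included).
BEFORE = (
    "port 22\n"
    "permitrootlogin no\n"
    "authorizedkeysfile /etc/ssh/userkeys/%u .ssh/authorized_keys .ssh/authorized_keys2\n"
)
AFTER = (
    "port 22\n"
    "permitrootlogin no\n"
    "authorizedkeysfile /etc/ssh/userkeys/%u\n"
)

if __name__ == "__main__":
    # In practice: audit(subprocess.run(["sshd", "-T"], capture_output=True, text=True).stdout)
    for label, dump in (("before", BEFORE), ("after", AFTER)):
        result = audit(dump)
        print(f"{label}: ok={result['ok']} unmanaged={result['unmanaged']}")
```

Run it as root on a host (`sshd -T` needs to read the host keys) and treat any non-empty `unmanaged` list as a finding; the `%u.d/ganeti` entry from the ganeti role passes because it stays under the managed prefix, while the old `%h/.ssh/authorized_keys` override on sodium is flagged.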



diff --git a/hieradata/hosts/sodium.yaml b/hieradata/hosts/sodium.yaml
deleted file mode 100644
index 2cac849..0000000
--- a/hieradata/hosts/sodium.yaml
+++ /dev/null
@@ -1 +0,0 @@
-ssh::server::authorized_keys_file: %h/.ssh/authorized_keys
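Review bot: the deleted sodium override set AuthorizedKeysFile to `%h/.ssh/authorized_keys`, the very path this change is meant to take away, and with the host file gone sodium falls through to the default logic in `modules/ssh/manifests/server.pp`; before merging, confirm that every account that logs in to sodium already has a key under /etc/ssh/userkeys/ (otherwise this hunk is a lockout), and record in the commit message why sodium had the exception, since neither the message nor the diff says.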
diff --git a/hieradata/role/common/ganeti.yaml 
b/hieradata/role/common/ganeti.yaml
index 728511c..f3f2d58 100644
--- a/hieradata/role/common/ganeti.yaml
+++ b/hieradata/role/common/ganeti.yaml
@@ -1,4 +1,4 @@
-ssh::server::authorized_keys_file: /etc/ssh/userkeys/%u 
/etc/ssh/userkeys/%u.d/ganeti .ssh/authorized_keys
+ssh::server::authorized_keys_file: /etc/ssh/userkeys/%u 
/etc/ssh/userkeys/%u.d/ganeti
 ganeti::ganeti01.svc.codfw.wmnet::nodes:
   - ganeti2001.codfw.wmnet
   - ganeti2002.codfw.wmnet
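Review bot: with `.ssh/authorized_keys` dropped, `/etc/ssh/userkeys/%u.d/ganeti` is the only remaining non-default entry, and it lives inside the directory the commit message says is managed with `recurse => true, purge => true`; verify that the ganeti module declares that file (or the `%u.d` directory) as a Puppet resource, otherwise the purge removes it on the next run and ganeti's SSH access silently stops working. Because this is a hiera override, the `if $authorized_keys_file` branch in server.pp applies and the default selection is bypassed entirely for these hosts, so this line is the complete key-file policy for ganeti.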
diff --git a/modules/ssh/manifests/server.pp b/modules/ssh/manifests/server.pp
index 0ff6869..dce0cae 100644
--- a/modules/ssh/manifests/server.pp
+++ b/modules/ssh/manifests/server.pp
@@ -18,16 +18,10 @@
 
     if $authorized_keys_file {
         $ssh_authorized_keys_file = $authorized_keys_file
+    } elsif ($::realm == 'labs' and os_version('ubuntu <= precise')) {
+        $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u 
/public/keys/%u/.ssh/authorized_keys'
     } else {
-        if ($::realm == 'labs') {
-            if os_version('ubuntu <= precise') {
-                $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u 
/public/keys/%u/.ssh/authorized_keys'
-            } else {
-                $ssh_authorized_keys_file = '/etc/ssh/userkeys/%u'
-            }
-        } else {
-            $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u 
.ssh/authorized_keys .ssh/authorized_keys2'
-        }
+        $ssh_authorized_keys_file ='/etc/ssh/userkeys/%u'
     }
 
     file { '/etc/ssh/userkeys':
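Review bot: the restructuring is correct (the labs-non-precise and production branches both collapse to `'/etc/ssh/userkeys/%u'`, and `.ssh/authorized_keys2` goes away together with `.ssh/authorized_keys`), but the guarantee stated in the commit message still has a hole: the unchanged `if $authorized_keys_file` branch lets any hieradata key re-enable a home-directory path, exactly as `hieradata/hosts/sodium.yaml` did until this change, so consider validating `$authorized_keys_file` in this class (reject relative entries and `%h`) or at least commenting that hiera overrides must stay under /etc/ssh/userkeys. Minor style: the new assignments keep `='...'` with no space after `=`, e.g. `$ssh_authorized_keys_file ='/etc/ssh/userkeys/%u'`; match the existing `$ssh_authorized_keys_file = $authorized_keys_file` above and write `$ssh_authorized_keys_file = '/etc/ssh/userkeys/%u'`.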

-- 
To view, visit https://gerrit.wikimedia.org/r/183824
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ibe090569a9241ba13bd76a44005483390629dda7
Gerrit-PatchSet: 8
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Yuvipanda <yuvipa...@gmail.com>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits