Recently, I added a new user, and then found out afterwards that they had mistakenly used the same ssh key in labs and production. Our L3 document clearly states that no one should do that, but mistakes happen.
I recall @ArielGlenn conducting an audit over a year ago (and finding quite a few back then and getting them fixed.) We're overdue for checking this again.
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| admin: deactivate shell for user mvolz | operations/puppet | production | +3 -3 |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | None | T108078 audit labs versus production ssh keys | |||
| Resolved | RobH | T108100 revoke mvolz production access | |||
| Resolved | Andrew | T108111 Replace jdouglas's production ssh key - it matched labs key | |||
| Resolved | Andrew | T108203 Ops offboarding for jdouglas |
Whoops. You can revoke that key, I haven't needed production access in a
while. https://gerrit.wikimedia.org/r/190405 was the change.
Change 229562 had a related patch set uploaded (by Dzahn):
admin: deactivate shell for user mvolz
Per request, here's the script. Stick it in modules/ldap/files/scripts (operations/puppet clone) on a machine which is connected to labs LDAP, and run it from that directory.
import ldapsupportlib, ldap, yaml ldapSupportLib = ldapsupportlib.LDAPSupportLib() ds = ldapSupportLib.connect() base = "ou=people," + ldapSupportLib.getBase() keys = set() for entry in ds.search_s(base, ldap.SCOPE_SUBTREE, "(objectclass=inetOrgPerson)"): for k, v in entry[1].items(): if k == "sshPublicKey": for v2 in v: key = ' '.join(v2.split(' ')[:2]) keys.update([key]) prodData = yaml.load(open('../../../admin/data/data.yaml')) for userName, userData in prodData['users'].items(): badKeys = list(set(userData['ssh_keys']).intersection(keys)) if len(badKeys) > 0: print userName, badKeys ds.unbind()
@RobH: Do you think we should turn this into some sort of regular check? Not sure icinga necessarily would be appropriate, but...
@Krenair I think in a perfect world it would be detected by jenkins. If somebody touches a file in admin and there is a key in it it would have to compare it to all existing labs keys though and vote -1 if it finds a match. How unrealistic is that?
That would be an annoying check to have fail when trying to do something completely separate. Good idea for new keys being added, but a production key can be added as a labs one at any time.
That said, I think jenkins might be less annoying in operations/puppet than it is where I'm used to it - i.e. VE-MW (where you can't merge anything without either being jenkins or l10n-bot.)
maybe we can get this merged and ask CI team to add it as a non-voting check on operations/puppet and see how it works. then if we like it , just change non-voting to voting
We are all agreed that jenkins failing on this would be pretty annoying, since it could block unrelated changes. BUT surely we can do some sort of regular audit.