Page MenuHomePhabricator
Create Task
Maniphest T132225

Add SSHFP dns records to bastions
Open, LowPublic
Actions

Description

Since Horizon supports it now, we can add ssh fingerprints to DNS to allow people to easily verify them.

Related Objects
Search...

StatusSubtypeAssignedTask
 OpenNoneT132225 Add SSHFP dns records to bastions
ResolvedaborreroT212302 CloudVPS: upgrade: jessie -> stretch & mitaka -> newton
 ResolvedaborreroT214299 cloudvps: neutron: upgrade jessie -> stretch
 ResolvedaborreroT214167 labtestneutron2001: reimage to stretch & rename to cloudnet2001-dev
 ResolvedPapaulT214181 codfw: rename/relabel labtestneutron2001 to cloudnet2001-dev
 Resolved JHeddenT214297 cloudvps: neutron: investigate keepalived warning
 ResolvedaborreroT214303 labtestneutron2002: reimage to stretch & rename to cloudnet2002-dev
 ResolvedaborreroT214322 cloudnet2002-dev: ACPI error
 ResolvedPapaulT214370 labtestneutron2002: refresh/rename to cloudnet2002-dev
 ResolvedaborreroT215407 cloudvps: cloudcontrol support for mitaka/stretch
 ResolvedaborreroT215605 cloudvps: missing packages in stretch for cloudcontrol servers
 ResolvedaborreroT223832 puppet vs. stretch vs. keystone
 ResolvedaborreroT216497 CloudVPS: workaround archival of jessie-backports repo
 ResolvedAndrewT221769 Upgrade cloudservices1003/1004 to stretch/mitaka
 ResolvedaborreroT224354 backport pdns-server version 3.x to Stretch
 ResolvedaborreroT224877 prometheus-pdns-exporter: add stretch support
 ResolvedAndrewT221770 Upgrade cloucontrol1003/1004 to stretch/mitaka
 ResolvedaborreroT224345 stretch build of prometheus-openstack-exporter incompatible with our mitaka apt repo
 ResolvedaborreroT224424 cloudservices1003: gateway timeout error
 ResolvedAndrewT233258 designate: switch from designate-pool-manager to designate-producer/designate-worker
 Resolved MarosteguiT233978 Drop 'designate_pool_manager' database from m5 and remove associated grants
 ResolvedaborreroT233665 Forward our neutron-l3-agent routing hacks to Openstack Newton
 ResolvedAndrewT234834 Various user visible errors in Cloud VPS projects following OpenStack upgrade on 2019-10-07
 DuplicateNoneT234830 CloudVPS: m5-master databases for openstack may require re-encoding
 ResolvedAndrewT234876 nova-conductor running out of mysql connections
 ResolvedAndrewT234836 CloudVPS: update DNS record for eqiad1 egress (routing_source_ip) & ingress
Invalid JHeddenT235070 Resolve keystone schema errors

Event Timeline

yuvipanda created this task.Apr 8 2016, 10:51 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptApr 8 2016, 10:51 PM
chasemp triaged this task as Low priority.May 31 2016, 3:25 PM
AlexMonk-WMF subscribed.Jul 25 2016, 6:18 PM

This should be trivial for bastion (and tools, which has it's own bastion?) projectadmins to do:

krenair@bastion-01:~$ ssh-keygen -r bastion.wmflabs.org
bastion.wmflabs.org IN SSHFP 1 1 ad3b75b45ee16b8594439d73840772396c99d3fb
bastion.wmflabs.org IN SSHFP 1 2 7f3f61e323a7d75de08a2a6069b333e925cae260f4902017194002f226db8658
bastion.wmflabs.org IN SSHFP 2 1 9a042e0e78ab1abf19ce7979b5570aca798ee034
bastion.wmflabs.org IN SSHFP 2 2 18369baebbf4b623f41837a28e653fc15fbf72d20f31e15ba12810c324a943dc
bastion.wmflabs.org IN SSHFP 3 1 30456f68cad67c5f52c25c39c5a8baf309ab6598
bastion.wmflabs.org IN SSHFP 3 2 b3ec6e2e8f753dc54815c15dc4f402ec85e02769d8c5a5dca9aedb284effb9f0
bastion.wmflabs.org IN SSHFP 4 1 fc51eadaa3a17145657dbafd234d5bae53becc45
bastion.wmflabs.org IN SSHFP 4 2 2296db90c208d102bebd489a8ba76f416879536f88c07d3ec57ab6552f5be351
krenair@tools-bastion-03:~$ ssh-keygen -r login.tools.wmflabs.org
login.tools.wmflabs.org IN SSHFP 1 1 f9b98d018bafdbaf390d0fa603da6882bf7da9b4
login.tools.wmflabs.org IN SSHFP 1 2 78e034b15dee10a676c2e3cf433d848497d941c2e36534ebb6aed9465275a793
login.tools.wmflabs.org IN SSHFP 2 1 81491932175103262e207761cd2fc149df049ea1
login.tools.wmflabs.org IN SSHFP 2 2 cbd7461befdc188a3a36cc041b64f8cffb1de2e314c5a94d9cf531a4eba42b03
login.tools.wmflabs.org IN SSHFP 3 1 44e8d3f9c7f8a6b7cc024abe37b1915218528dbf
login.tools.wmflabs.org IN SSHFP 3 2 4f26cdb48a0499469c6712a2f3705160fdd0f9331e2b9965c6e308e9db812844
login.tools.wmflabs.org IN SSHFP 4 1 8cc699d55f64202fc4478f82501cf815e986217f
login.tools.wmflabs.org IN SSHFP 4 2 c433838e45b99ab1552c514dcf893df08fac2ec723db09d21d5faf8e0e8240f1
Stashbot subscribed.Aug 4 2016, 12:18 AM

Mentioned in SAL [2016-08-04T00:18:53Z] <yuvipanda> added Krenair as admin to help with T132225 and other issues

Stashbot added a comment.Aug 4 2016, 12:19 AM

Mentioned in SAL [2016-08-04T00:19:08Z] <yuvipanda> added Krenair as admin to help with T132225 and other issues.

tom29739 subscribed.Aug 4 2016, 12:47 AM
AlexMonk-WMF added a comment.EditedAug 4 2016, 12:52 AM

I just tried this with primary.bastion.wmflabs.org, but Horizon won't let me create algorithm 4 (ED25519) fingerprint records. Also, Designate won't let me create algorithm 3 (ECDSA) or SHA256 records (the longer ones, with fingerprint type 2), it says Error: Provided object does not match schema
This makes SSH *really* hate logging in

AlexMonk-WMF added a comment.EditedAug 4 2016, 1:08 AM

Fix submitted upstream to designate-dashboard for validation of ED25519 records:
https://review.openstack.org/350847

AlexMonk-WMF changed the task status from Open to Stalled.Aug 4 2016, 1:23 AM
AlexMonk-WMF added a project: Upstream.

Fix submitted upstream to designate for validation of ECDSA, ED25519 and SHA-256 records: https://review.openstack.org/350850
Marking this as stalled, I guess until we upgrade to Newton?

AlexMonk-WMF moved this task from Backlog to Patch proposed upstream on the Upstream board.Aug 4 2016, 1:23 AM
AlexMonk-WMF added a comment.Aug 4 2016, 1:25 AM

(Removing the primary.bastion.wmflabs.org SSHFP records until then)

AlexMonk-WMF moved this task from Patch proposed upstream to Patch merged upstream on the Upstream board.Aug 25 2016, 9:52 PM

The patches are merged, we'll probably need to wait for OpenStack Newton to use it (we currently run Liberty with labtesthorizon on Mitaka) unless they backport to Mitaka I guess.

AlexMonk-WMF added a comment.Aug 25 2016, 9:57 PM

They might backport it actually - see http://eavesdrop.openstack.org/meetings/designate/2016/designate.2016-08-17-16.59.html

AlexMonk-WMF added a subtask: T145920: (eventually) Upgrade Labs to OpenStack Newton.Sep 17 2016, 2:50 AM
AlexMonk-WMF added a comment.Sep 28 2016, 2:39 PM

So the Designate side of this (the bit that's really required) is being backported to Mitaka in https://review.openstack.org/#/c/374308/

AlexMonk-WMF added a comment.Sep 28 2016, 8:11 PM

Okay I mentioned it during the designate meeting today and it's been approved - that's now on the mitaka stable branch. It'd probably become available through the mitaka packages once they release a new version of designate for mitaka, which would contain that patch.

scfc moved this task from Backlog to Ready to be worked on on the Toolforge board.Dec 4 2016, 8:44 PM
scfc added subscribers: Krenair, scfc.Feb 18 2017, 5:12 PM

AFAICT, new packages have not been released yet. To check, I downloaded python-designate_1~2.0.0-2~bpo8+1_all.deb from http://mitaka-jessie.pkgs.mirantis.com/debian/pool/jessie-mitaka-backports/main/d/designate/ and looked at /usr/lib/python2.7/dist-packages/designate/schema/format.py in that package which currently contains the line:

RE_SSHFP_FINGERPRINT = r'^[0-9A-Fa-f]{40}\Z'

and which, for @Krenair's patch to have been applied, should say:

RE_SSHFP_FINGERPRINT = r'^([0-9A-Fa-f]{10,40}|[0-9A-Fa-f]{64})\Z'

(Yes, the timestamp of the package would have been a clue as well, but I wanted to verify where the patch would show up and which version does not have the patch applied.)

Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:43 PM
GTirloni edited projects, added cloud-services-team (Kanban), Cloud-VPS; removed Cloud-Services.Mar 21 2019, 4:56 PM
Krenair edited subtasks, added: T212302: CloudVPS: upgrade: jessie -> stretch & mitaka -> newton; removed: T145920: (eventually) Upgrade Labs to OpenStack Newton.Apr 14 2019, 3:53 AM
bd808 moved this task from Inbox to Blocked on the cloud-services-team (Kanban) board.Sep 12 2019, 9:16 PM
aborrero closed subtask T212302: CloudVPS: upgrade: jessie -> stretch & mitaka -> newton as Resolved.Oct 23 2019, 3:45 PM
bd808 moved this task from Unsorted to DNS (Designate + pdns-recursor) on the Cloud-VPS board.Nov 10 2019, 11:45 PM
Bstorm changed the task status from Stalled to Open.Dec 18 2019, 4:13 PM
Bstorm moved this task from Blocked to Inbox on the cloud-services-team (Kanban) board.
fnegri edited projects, added cloud-services-team; removed cloud-services-team (Kanban).Jan 18 2023, 7:33 PM
fnegri moved this task from Kanban to Inbox on the cloud-services-team board.
dcaro moved this task from Ready to be worked on to Workspace for triaging whenever needed on the Toolforge board.Jan 24 2024, 2:53 PM
taavi subscribed.Feb 13 2024, 2:30 PM

I think I'd like to have toolforge.org DNSSEC signed before implementing this.

dcaro moved this task from Workspace for triaging whenever needed to Ready to be worked on on the Toolforge board.Feb 21 2024, 4:03 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits