Page MenuHomePhabricator
Create Task
Maniphest T142216

Enable root passwords on Labs VMs
Closed, ResolvedPublic
Actions

Description

In order to make spice consoles useful, we need passwords. Consoles will only be enabled for people with the 'admin' role, and passwords will be stored on a production host (labcontrol) to restrict access to Ops.

Proposed steps:

  1. Puppet run on a VM checks to see if there's already a root password set. If not, it generates a random password and sets it.
  2. Puppet encrypts the password and writes the encrypted password to the puppet log
  3. The puppet master (via a custom 'report') notices the encrypted password and stores it (possibly just by catting to a flat file)
  4. A script on the puppetmaster will take a hostname as an argument and return the decrypted password

Questions:

a) Is it actually useful to encrypt the passwords before passing them to the puppetmaster? Who would be in a position to intercept them?
b) How should the encrypting/decrypting actually happen? I imagine that we'd have a public key (for encrypting) on the labs instances and a private key (for decrypting) on the puppetmaster. But maybe it doesn't work like that?

Details

SubjectRepoBranchLines +/-
Don't install root password if has_admin = falseoperations/puppetproduction+1 -1
Fixups for labs password generation:operations/puppetproduction+2 -0
Temporarily remove the code to generate labs root passwords.operations/puppetproduction+0 -5
Labs: Generate/store root passwords for instancesoperations/puppetproduction+58 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Andrew created this task.Aug 5 2016, 3:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 5 2016, 3:07 PM
MoritzMuehlenhoff subscribed.Aug 5 2016, 3:08 PM
Danny_B added a project: Cloud-Services.Aug 5 2016, 3:27 PM
MoritzMuehlenhoff added a project: SRE.Aug 8 2016, 1:32 PM
MoritzMuehlenhoff added a comment.Aug 8 2016, 1:45 PM

We could implement this as such: Initially we need to create a PGP key for the encrypted passwords. The public key would be distributed to the VMs via puppet. The secret key would be stashed in pwstore. Whether to use a passphrase depends on 4), who would run that script and how often?

The freshly generated password would be encrypted by puppet with the public key. This is reliable and secure as long as we don't leak the secret key. For step 4 the script on the puppetmaster needs to have access to the secret key, which it uses to decrypt the password (as correctly described in b).

tom29739 subscribed.Aug 8 2016, 1:46 PM
Andrew added a comment.Aug 8 2016, 2:46 PM

@MoritzMuehlenhoff -- that sounds just like what I was envisioning. Would you be willing to spoon-feed me the commands I need (e.g. generating a key, encrypting/decrypting, etc)?

faidon subscribed.Aug 8 2016, 2:52 PM

Generating the root password locally and passing the (encrypted) root password over the puppet logs doesn't sound that great to me.

Why wouldn't we generate the cleartext password on the puppetmaster instead, then hash it with mkpasswd and pass it to the agent to set /etc/shadow with it as-is, without the agent ever knowing the cleartext?

It should be trivial to do that kind of thing with a parser function or even generate(). Am I missing one of the requirements perhaps?

Andrew added a comment.Aug 8 2016, 2:56 PM

@faidon, my design was based on things I already know how to do :) You're suggesting puppet gymnastics that I don't have any experience with, can you be more specific?

(Also, for what it's worth, I don't quite understand how the danger of leaking the root password on a VM to the root account on that VM is a security risk, since... anyone with root can just reset the password on a whim anyway.)

valhallasw subscribed.Aug 8 2016, 3:11 PM
faidon added a comment.Aug 8 2016, 3:17 PM

So, a simple way to do this would be:

user { 'root':
    password => generate('/usr/local/bin/password_for_labs', $fqdn)
}

Where /usr/local/bin/password_for_labs could be a script in the puppetmaster with the following contents (untested, proof of concept):

#!/bin/sh
INSTANCE=$1
if [ -f /var/cache/root-passwords/$INSTANCE ]; then
  PASSWORD=$(cat /var/cache/root-passwords/$INSTANCE)
else
  PASSWORD=$(pwgen -sy -N 1)
  umask 027
  echo $PASSWORD > /var/cache/root-passwords/$INSTANCE
fi
mkpasswd -m sha-512 $PASSWORD

A more complicated, potentially nicer way to do this would be to write a better script than a dummy shell script, possibly encrypt the passwords on local storage e.g. with a PGP key, and possibly use a parser function (of which we have plenty in the ops/puppet repo) instead of generate().

faidon added a comment.Aug 8 2016, 3:40 PM

BTW, trocla (and puppet-trocla) might also be of interest here. I haven't given it a close look, but it might be worth to give it one for this and other use cases.

Andrew added a comment.Aug 8 2016, 7:21 PM

Oh, I did not know about generate() -- that's clearly better than what I was imagining.

Encryption-wise... I can't convince myself that it's useful. Root access to the puppetmaster already compromises all instance security, so maybe the extra complication (both in writing and in retrieving passwords) is not worth it.

gerritbot subscribed.Aug 8 2016, 7:52 PM

Change 303617 had a related patch set uploaded (by Andrew Bogott):
Create root passwords for labs instances and store passwords on the puppetmaster

https://gerrit.wikimedia.org/r/303617

Andrew mentioned this in rOPUP0bbf031e57cc: Create root passwords for labs instances and store passwords on the puppetmaster.Aug 8 2016, 7:56 PM
Andrew mentioned this in rOPUPc454b45c1c5b: Create root passwords for labs instances and store passwords on the puppetmaster.Aug 8 2016, 8:02 PM
Andrew mentioned this in rOPUPa880ce5c07c6: Create root passwords for labs instances and store passwords on the puppetmaster.
Andrew mentioned this in rOPUP34dd36831d88: Labs: Generate/store root passwords for instances.Aug 9 2016, 3:24 PM
Andrew mentioned this in rOPUP07f072c0088f: Labs: Generate/store root passwords for instances.Aug 9 2016, 4:15 PM
gerritbot added a comment.Aug 9 2016, 4:55 PM

Change 303617 merged by Andrew Bogott:
Labs: Generate/store root passwords for instances

https://gerrit.wikimedia.org/r/303617

Andrew mentioned this in rOPUP8316f4a5d3a0: Labs: Generate/store root passwords for instances.Aug 9 2016, 5:01 PM
gerritbot added a comment.Aug 9 2016, 5:10 PM

Change 303826 had a related patch set uploaded (by Andrew Bogott):
Include 'whois' package for mkpasswd

https://gerrit.wikimedia.org/r/303826

gerritbot added a comment.Aug 9 2016, 5:15 PM

Change 303828 had a related patch set uploaded (by Andrew Bogott):
Temporarily remove the code to generate labs root passwords.

https://gerrit.wikimedia.org/r/303828

Andrew mentioned this in rOPUPaf225483ed4c: Include 'whois' package for mkpasswd.Aug 9 2016, 5:16 PM
gerritbot added a comment.Aug 9 2016, 5:16 PM

Change 303828 merged by Andrew Bogott:
Temporarily remove the code to generate labs root passwords.

https://gerrit.wikimedia.org/r/303828

Andrew mentioned this in rOPUP1d613cbef2bf: Temporarily remove the code to generate labs root passwords..Aug 9 2016, 5:21 PM
Andrew mentioned this in rOPUP2f0466b6652f: Include 'whois' package for mkpasswd.
gerritbot added a comment.Aug 9 2016, 5:22 PM

Change 303829 had a related patch set uploaded (by Andrew Bogott):
Don't install root password if has_admin = false

https://gerrit.wikimedia.org/r/303829

Andrew mentioned this in rOPUP6eb5f2449fa6: Don't install root password if has_admin = false.Aug 9 2016, 5:26 PM
Andrew mentioned this in rOPUP789bdb5dc6ba: Include 'whois' package for mkpasswd.
gerritbot added a comment.Aug 9 2016, 6:13 PM

Change 303829 merged by Andrew Bogott:
Don't install root password if has_admin = false

https://gerrit.wikimedia.org/r/303829

gerritbot added a comment.Aug 9 2016, 6:18 PM

Change 303826 merged by Andrew Bogott:
Fixups for labs password generation:

https://gerrit.wikimedia.org/r/303826

Andrew mentioned this in rOPUPd02163088d35: Fixups for labs password generation:.Aug 9 2016, 6:21 PM
Andrew mentioned this in rOPUPf976e90e2862: Fixups for labs password generation:.
Andrew closed this task as Resolved.Aug 9 2016, 9:20 PM
Andrew reopened this task as Open.Aug 9 2016, 10:04 PM
Andrew added a subtask: T142531: Don't set instance root passwords if using a local puppetmaster.
Andrew closed this task as Resolved.Sep 1 2016, 6:58 PM

This is done now. Passwords are per-project, and located in var/local/labs-root-passwords/ on the labs puppetmaster (currently labcontrol1001).

Andrew closed subtask T142531: Don't set instance root passwords if using a local puppetmaster as Resolved.Sep 9 2016, 5:14 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL