Page MenuHomePhabricator
Create Task
Maniphest T148273

Setup SSH AuthN/AuthZ for the Automation Framework
Closed, ResolvedPublic
Actions

Description

Tracking task for the SSH AuthN/AuthZ setup for the Automation Framework.

All the evaluation and testing is currently been done in the Labs project automation-framework.

Details

SubjectRepoBranchLines +/-
keyholder: add support for SHA256 key fingerprintsoperations/puppetproduction+6 -2
keyholder: fix flake8operations/puppetproduction+3 -2
keyholder: be systemd compatibleoperations/puppetproduction+1 -1
Customize query in gerrit

Event Timeline

Volans created this task.Oct 15 2016, 7:37 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 15 2016, 7:37 AM
gerritbot subscribed.Oct 31 2016, 3:26 PM

Change 318941 had a related patch set uploaded (by Volans):
keyholder: be systemd compatible

https://gerrit.wikimedia.org/r/318941

gerritbot added a project: Patch-For-Review.Oct 31 2016, 3:26 PM

Change 318942 had a related patch set uploaded (by Volans):
keyholder: fix flake8

https://gerrit.wikimedia.org/r/318942

gerritbot added a comment.Oct 31 2016, 3:26 PM

Change 318943 had a related patch set uploaded (by Volans):
keyholder: add support for SHA256 key fingerprints

https://gerrit.wikimedia.org/r/318943

gerritbot added a comment.Nov 2 2016, 3:36 PM

Change 318941 merged by Volans:
keyholder: be systemd compatible

https://gerrit.wikimedia.org/r/318941

gerritbot added a comment.Nov 2 2016, 3:38 PM

Change 318942 merged by Volans:
keyholder: fix flake8

https://gerrit.wikimedia.org/r/318942

gerritbot added a comment.Nov 2 2016, 3:39 PM

Change 318943 merged by Volans:
keyholder: add support for SHA256 key fingerprints

https://gerrit.wikimedia.org/r/318943

Volans triaged this task as Medium priority.Nov 22 2016, 12:02 PM
Volans closed this task as Resolved.Dec 5 2016, 5:19 PM

The best option investigated was to use an SSH CA that is authorized across the fleet, create and sign a short-lived certificate for each interaction. This solution has been tested and works fine, but depends on upstream openssh accepting a patch, see the upstream bug and the PR on GitHub. The Puppet code and a small script to generate signed keys on demand from Python are ready to be used if/when the patch will be accepted upstream.

For now a normal SSH key armed with keyholder and with limited authorization on the target hosts will be used instead to not be blocked by this.
Resolving it for now.

Volans moved this task from In Progress to In Code Review on the SRE-tools board.Mar 30 2017, 2:39 PM
Volans moved this task from In Code Review to Done on the SRE-tools board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL