Page MenuHomePhabricator
Create Task
Maniphest T172333

Scap: keyholder Too many authentication failures
Closed, ResolvedPublic
Actions

Description

scap uses ssh keys inside keyholder serially to request access to targets. The number of keys in an agent is limited by MaxAuthTries which is a security feature in sshd_config(5) that limits the number of authentication attempts per connection.

We've upped the limit of MaxAuthTries once, but a fix inside scap would be ideal.

Details

SubjectRepoBranchLines +/-
Specify keyholder_key in global scap.cfgoperations/puppetproduction+1 -0
Revert "Revert "Revert "sshd_config: Increase MaxAuthTries"""operations/puppetproduction+0 -14
Remove the dsh-targets file and use the dsh group.mediawiki/services/parsoid/deploymaster+2 -43
Revert "Revert "sshd_config: Increase MaxAuthTries""operations/puppetproduction+14 -0
Revert "sshd_config: Increase MaxAuthTries"operations/puppetproduction+0 -14
Force the ssh key to be used by scapoperations/software/librenmsmaster+1 -0
keyholder: public keys publicly readableoperations/puppetproduction+1 -1
Customize query in gerrit

Related Objects
Search...

Event Timeline

thcipriani created this task.Aug 2 2017, 10:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptAug 2 2017, 10:09 PM
thcipriani claimed this task.Aug 2 2017, 10:10 PM
thcipriani triaged this task as Medium priority.
thcipriani added a project: Release-Engineering-Team (Kanban).
thcipriani moved this task from Needs triage to Debt on the Scap board.
Paladox subscribed.Aug 2 2017, 10:11 PM
gerritbot subscribed.Aug 3 2017, 12:30 AM

Change 369817 had a related patch set uploaded (by Thcipriani; owner: Thcipriani):
[operations/puppet@production] keyholder: public keys publicly readable

https://gerrit.wikimedia.org/r/369817

gerritbot added a project: Patch-For-Review.Aug 3 2017, 12:30 AM
demon added a parent task: T157414: Deploy gerrit with scap3.Aug 3 2017, 4:06 PM
gerritbot added a comment.Aug 3 2017, 4:10 PM

Change 369817 merged by Filippo Giunchedi:
[operations/puppet@production] keyholder: public keys publicly readable

https://gerrit.wikimedia.org/r/369817

greg moved this task from Backlog to In-progress on the Release-Engineering-Team (Kanban) board.Aug 23 2017, 4:55 PM
thcipriani closed this task as Resolved.Sep 6 2017, 2:06 PM

Now that scap 3.7.0-1 is live, this should be fixed. To use a specific keyholder key, use the keyholder_key configuration value with the value that is the same as key_name for scap::target in puppet. e.g., for gerrit:

jetty.pp
scap::target { 'gerrit/gerrit':
  deploy_user: 'gerrit2',
  key_name: 'gerrit',
}
gerrit/scap/scap.cfg
keyholder_key: gerrit

To test that a key is working with keyholder before deployment use the ssh command:

SSH_AUTH_SOCK=/run/keyholder/proxy.sock ssh -v -o BatchMode=yes -o User=[username] -o IdentitiesOnly=yes -o IdentityFile=/etc/keyholder.d/[keyname].pub [hostname]
gerritbot added a comment.Sep 8 2017, 3:03 PM

Change 376734 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/software/librenms@master] Force the ssh key to be used by scap

https://gerrit.wikimedia.org/r/376734

gerritbot added a comment.Sep 8 2017, 3:05 PM

Change 376734 merged by Alexandros Kosiaris:
[operations/software/librenms@master] Force the ssh key to be used by scap

https://gerrit.wikimedia.org/r/376734

gerritbot added a comment.Sep 8 2017, 3:15 PM

Change 376735 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/puppet@production] Revert "sshd_config: Increase MaxAuthTries"

https://gerrit.wikimedia.org/r/376735

gerritbot added a comment.Sep 11 2017, 10:07 AM

Change 376735 merged by Alexandros Kosiaris:
[operations/puppet@production] Revert "sshd_config: Increase MaxAuthTries"

https://gerrit.wikimedia.org/r/376735

gerritbot added a comment.Sep 11 2017, 2:19 PM

Change 377268 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/puppet@production] Revert "Revert "sshd_config: Increase MaxAuthTries""

https://gerrit.wikimedia.org/r/377268

gerritbot added a comment.Sep 11 2017, 2:20 PM

Change 377268 merged by Alexandros Kosiaris:
[operations/puppet@production] Revert "Revert "sshd_config: Increase MaxAuthTries""

https://gerrit.wikimedia.org/r/377268

gerritbot added a comment.Sep 11 2017, 2:21 PM

Change 377269 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/puppet@production] Revert "Revert "Revert "sshd_config: Increase MaxAuthTries"""

https://gerrit.wikimedia.org/r/377269

greg mentioned this in T175576: Investigate today's EU SWAT scap & infrastructure issues.Sep 11 2017, 10:14 PM
gerritbot added a comment.Sep 14 2017, 8:46 AM

Change 377966 had a related patch set (by Alexandros Kosiaris) published:
[mediawiki/services/parsoid/deploy@master] Remove the dsh-targets file and use the dsh group. That file is automatically generated from confd and is guaranteed to be up to date, which is not the case for the dsh-targets file.

https://gerrit.wikimedia.org/r/377966

gerritbot added a comment.Sep 14 2017, 8:59 AM

Change 377966 merged by Alexandros Kosiaris:
[mediawiki/services/parsoid/deploy@master] Remove the dsh-targets file and use the dsh group.

https://gerrit.wikimedia.org/r/377966

Arlolra mentioned this in T176184: Check 'depool' failed while deploying.Sep 18 2017, 10:24 PM
gerritbot added a comment.Sep 25 2017, 1:40 PM

Change 380503 had a related patch set uploaded (by Alexandros Kosiaris; owner: Alexandros Kosiaris):
[operations/puppet@production] Specify keyholder_key in global scap.cfg

https://gerrit.wikimedia.org/r/380503

Phabricator_maintenance edited projects, added RelEng-Archive-FY201718-Q1; removed Release-Engineering-Team (Kanban).Sep 26 2017, 11:44 PM
gerritbot added a comment.May 13 2019, 10:20 AM

Change 377269 merged by Alexandros Kosiaris:
[operations/puppet@production] Revert "Revert "Revert "sshd_config: Increase MaxAuthTries"""

https://gerrit.wikimedia.org/r/377269

akosiaris added a comment.May 13 2019, 10:52 AM

https://gerrit.wikimedia.org/r/#/c/operations/puppet/+/377269/ had fallen through the cracks. It's now merged, right before a SWAT window, in order to identify issues as fast as possible

gerritbot added a comment.Jul 1 2019, 1:08 PM

Change 380503 abandoned by Alexandros Kosiaris:
Specify keyholder_key in global scap.cfg

https://gerrit.wikimedia.org/r/380503

mmodell subscribed.Oct 25 2019, 8:33 PM

This is happening to me on phab1001 now and phab's scap::target includes the requisite part:

scap::target { $deploy_target:
    deploy_user => $deploy_user,
    key_name    => 'phabricator',

Am I missing something? Does this need to be reopened? For some reason I never hit that error ("Too many authentication failures") with phabricator scap deployments until now.

Dzahn reopened this task as Open.Oct 25 2019, 10:11 PM
thcipriani added a comment.Oct 28 2019, 9:38 PM
In T172333#5607532, @mmodell wrote:

This is happening to me on phab1001 now and phab's scap::target includes the requisite part:

scap::target { $deploy_target:
    deploy_user => $deploy_user,
    key_name    => 'phabricator',

Am I missing something? Does this need to be reopened? For some reason I never hit that error ("Too many authentication failures") with phabricator scap deployments until now.

Do you have keyholder_key in your scap.cfg? IIRC, it tries to use a key named after your ssh-user if keyholder_key isn't set.

mmodell closed this task as Resolved.Oct 28 2019, 10:45 PM

So I'm dumb. I had keyholder_key set in puppet but not in the scap.cfg in the deployment repo. False alarm, sorry! (Tested it, works now)

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL