
Make a group blacklist for ssh key changes
Open, Low, Public

Description

It's not very ideal for admins to be able to change their ssh key via the web interface, since it can then be used to impersonate high-privilege users in other places. We should have a LocalSettings.php config option for blacklisting specific groups from changing their own SSH key.


Version: unspecified
Severity: normal

Details

Reference
bz34651

Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 12:10 AM
bzimport set Reference to bz34651.

Even better, rather than a blacklist in OpenStackManager, we should add an ACI to the LDAP server that denies the OpenStackManager user from updating users in specific groups.

jbond subscribed.

It's not very ideal for admins to be able to change their ssh key via the web interface, since it can then be used to impersonate high-privilege users in other places. W

Is this still valid, and if so can you expand? It seems to me that if a user is able to log in to the wikitech then they can log in to horizon and thus console directly to any owned VMs. I'm missing what additional access the user has by being able to change the ssh key.