Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support setting both password and ssh key on user #13

Closed
labrown opened this issue Aug 4, 2017 · 7 comments · Fixed by #40
Closed

Support setting both password and ssh key on user #13

labrown opened this issue Aug 4, 2017 · 7 comments · Fixed by #40

Comments

@labrown
Copy link

labrown commented Aug 4, 2017

I need to set both a password and ssh key on a user to meet security requirements in my environment.
@dpb587-pivotal
Copy link
Contributor

This seems like a very odd security requirement. Out of curiosity, can you explain more the rationale behind the requirement?

Technically it should be possible. Feel free to make a pull request and we can give it a look.

@jhunt jhunt mentioned this issue May 21, 2018
Closed
@jhunt
Copy link

jhunt commented May 21, 2018

Just ran into this bug.

My use case is to add a failsafe user for troubleshooting the IaaS layer. Sometimes, BOSH spins up a VM that cannot talk back to the director via the agent, either because of poor configuration, an intervening firewall, the will of the gods, etc. When that happens, you've got ten minutes before BOSH times out waiting and terminates the VM.

In some IaaS cloud providers, every instance is provided with an SSH key, and if you can't get there via networking, there's no recourse. Normally, however, those IaaSes provide you with the ability to manage firewalls, so any network SSH connectivity problems are yours to own.

On vSphere, however, it's quite common to have network issues because of a team that isn't you. I've often had access to the vCenter VM virtual console, to login with a username / password, but been unable to SSH over the network. In these cases, an SSH key does me no good.

Ideally, with both SSH and password auth, the password would only be used on local TTY login, not over SSH; the key would be the only way "in" from the network. If that can't / shouldn't happen automatically, I'd be fine with a mode setting for manually enforcing that behavior.

I'd be happy to work up a PR for this if the behavior is acceptable to the maintainers.

@jhunt
Copy link

jhunt commented Jun 5, 2018

Any update on this?

matthewfischer added a commit to matthewfischer/os-conf-release that referenced this issue Feb 23, 2019
@matthewfischer
Allow users to have passwords and keys
7bc5688 
There are a variety of use cases for this, with one of the more common
ones being security scanning tools flag users with no passwords as a
security risk.

Closes: cloudfoundry#13
@matthewfischer matthewfischer mentioned this issue Feb 24, 2019
Merged
@calebwashburn calebwashburn mentioned this issue Feb 25, 2019
Closed
@dpb587-pivotal
Copy link
Contributor

Revisiting from PR #40 which looks like it will solve the original description.

@jhunt sorry we dropped the conversation here. One thing to keep in mind is that this is a release so it will only ever be effective assuming the VM has successfully been talking to director such that director is able to give it the job and configuration. This doesn't help in the scenarios you mention around VM's initial startup and firewall issues. For that sort of debugging, the env.bosh.authorized_keys setting can be helpful which gets added to vcap's authorized_keys file.

@jhunt
Copy link

jhunt commented May 8, 2019

It doesn't help with initial connectivity problems, but it does help when your security teams unilaterally start blocking traffic to "non-standard ports" like the ones BOSH and its agents use to communicate.

@jaresty
Copy link
Contributor

jaresty commented May 8, 2019

@jhunt The next release of os-conf-release should support this use case.

@jhunt
Copy link

jhunt commented May 8, 2019

@jhunt The next release of os-conf-release should support this use case.

Glad to hear it!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Allow users to have passwords and keys matthewfischer/os-conf-release
4 participants
@jhunt @labrown @jaresty @dpb587-pivotal