-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support setting both password and ssh key on user #13
Comments
This seems like a very odd security requirement. Out of curiosity, can you explain more the rationale behind the requirement? Technically it should be possible. Feel free to make a pull request and we can give it a look. |
Just ran into this bug. My use case is to add a failsafe user for troubleshooting the IaaS layer. Sometimes, BOSH spins up a VM that cannot talk back to the director via the agent, either because of poor configuration, an intervening firewall, the will of the gods, etc. When that happens, you've got ten minutes before BOSH times out waiting and terminates the VM. In some IaaS cloud providers, every instance is provided with an SSH key, and if you can't get there via networking, there's no recourse. Normally, however, those IaaSes provide you with the ability to manage firewalls, so any network SSH connectivity problems are yours to own. On vSphere, however, it's quite common to have network issues because of a team that isn't you. I've often had access to the vCenter VM virtual console, to login with a username / password, but been unable to SSH over the network. In these cases, an SSH key does me no good. Ideally, with both SSH and password auth, the password would only be used on local TTY login, not over SSH; the key would be the only way "in" from the network. If that can't / shouldn't happen automatically, I'd be fine with a I'd be happy to work up a PR for this if the behavior is acceptable to the maintainers. |
Any update on this? |
There are a variety of use cases for this, with one of the more common ones being security scanning tools flag users with no passwords as a security risk. Closes: cloudfoundry#13
Revisiting from PR #40 which looks like it will solve the original description. @jhunt sorry we dropped the conversation here. One thing to keep in mind is that this is a release so it will only ever be effective assuming the VM has successfully been talking to director such that director is able to give it the job and configuration. This doesn't help in the scenarios you mention around VM's initial startup and firewall issues. For that sort of debugging, the |
It doesn't help with initial connectivity problems, but it does help when your security teams unilaterally start blocking traffic to "non-standard ports" like the ones BOSH and its agents use to communicate. |
@jhunt The next release of os-conf-release should support this use case. |
Glad to hear it! |
I need to set both a password and ssh key on a user to meet security requirements in my environment.
The text was updated successfully, but these errors were encountered: