SSH rootkey configuration is too open #16
ssh keys for root are supported in the manner that fnichol/chef-user works. However, it has a bug: it pulls in users that aren't active.
We have a choice to make for the 1.0 release: either support ssh root keys fully, with the active users configuration of chef-user, or remove this support entirely.
Adding rootkey configuration in this manner is a 2-year-old workaround to configure a server with keys for user root. We have to decide if this is still in scope of hardening. Feedback welcome.
I'd vote for removing the root key support altogether. I've had good results with a combination of the
I also would not expect a hardening cookbook to manage authorized_keys, except for fixing its permissions or removing non-compliant entries or that kind of stuff.
my 2ct anyway.
From my perspective, we should be focussing on ssh. The current setup is confusing for users (I had discussions about this topic). Instead we should remove this support and ensure that it works well with the other user management modules like fnichol/chef-user. +1 from my side