SSH rootkey configuration is too open #16

Closed
arlimus opened this Issue Jun 5, 2014 · 3 comments

Comments

Projects
None yet
4 participants
@arlimus
Member

arlimus commented Jun 5, 2014

ssh keys for root are supported in the manner that fnichol/chef-user works. However, it has a bug: it pulls in users that aren't active.

We have a choice to make for 1.0 release: Either support ssh root keys fully, with the active users configuration of chef-user, or remove this support entirely.

Adding rootkey configuration in this manner is a 2year-old workaround to configure a server with keys for user root. We have to decide if this is still in scope of hardening. Feedback welcome.

@bkw

This comment has been minimized.

Show comment
Hide comment
@bkw

bkw Oct 14, 2014

Contributor

I'd vote for removing the root key support alltogether. I've had good results with a combination of the users and sudo cookbooks to configure admin access. The only times when I only even touched the user bag for this cookbook was by creating an empty bag because the cookbook insists on the bloody thing to exist in the first place (PR fixing that coming up next).

I also would not expect a hardening cookbook to manage authorized_keys, except for fixing its permissions or removing non-compliant entries or that kind of stuff.

my 2ct anyway.

Contributor

bkw commented Oct 14, 2014

I'd vote for removing the root key support alltogether. I've had good results with a combination of the users and sudo cookbooks to configure admin access. The only times when I only even touched the user bag for this cookbook was by creating an empty bag because the cookbook insists on the bloody thing to exist in the first place (PR fixing that coming up next).

I also would not expect a hardening cookbook to manage authorized_keys, except for fixing its permissions or removing non-compliant entries or that kind of stuff.

my 2ct anyway.

@chris-rock

This comment has been minimized.

Show comment
Hide comment
@chris-rock

chris-rock Oct 14, 2014

Member

From my perspective, we should be focussing on ssh. The current setup is confusing for users (I had discussions about this topic). Instead we should remove this support and ensure that it works well with the other user management modules like fnichol/chef-user. +1 from my side

Member

chris-rock commented Oct 14, 2014

From my perspective, we should be focussing on ssh. The current setup is confusing for users (I had discussions about this topic). Instead we should remove this support and ensure that it works well with the other user management modules like fnichol/chef-user. +1 from my side

@chris-rock

This comment has been minimized.

Show comment
Hide comment
@chris-rock

chris-rock Oct 14, 2014

Member

Since this is a breaking change, we should schedule it for the next version. As an intermediate solution, we should add a deprecation warning.

Member

chris-rock commented Oct 14, 2014

Since this is a breaking change, we should schedule it for the next version. As an intermediate solution, we should add a deprecation warning.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment