Put the secure into secure shell #7278
The PR description makes it seem like this PR also fixes https://bugs.launchpad.net/juju/+bug/1579593. Is that right?
Indeed :)
mjs
approved these changes
Apr 27, 2017
TYVM for doing this. No more scary/confusing/embarrassing SSH key errors on bootstrap!
Just a few little things.
| + } else { | ||
| + cfg.UnsetAttr("ssh_keys") | ||
| + } | ||
| +} |
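Review bot: In the else branch, cfg.UnsetAttr("ssh_keys") removes the whole attribute, so a caller that passes an empty key set silently clears any host keys configured earlier. Say so in the method's doc comment so callers know that "no keys" means "remove", not "leave unchanged".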
mjs
Apr 27, 2017
Contributor
This is oddly indirect. What about just this?
```go
func (cfg *cloudConfig) SetSSHKeys(keys SSHKeys) {
	if keys.RSA != nil {
		cfg.SetAttr("ssh_keys", map[string]interface{}{
			string(RSAPrivate): keys.RSA.Private,
			string(RSAPublic):  keys.RSA.Public,
		})
	} else {
		cfg.UnsetAttr("ssh_keys")
	}
}
```
axw
Apr 27, 2017
Member
The idea was to make room for other key types, but you're right. I'll just keep it simple and we can expand later if needed.
| + | ||
| + // Public contains the public key in authorized_keys format. | ||
| + Public string | ||
| +} |
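Review bot: The comment on Public names the authorized_keys format, but the field is a bare string and nothing visible here says whether it carries the optional comment field or a trailing newline. Since this is the value the client uses for strict host key checking, spell that out in the comment so the comparison is unambiguous.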
mjs
Apr 27, 2017
Contributor
Why the 2 nearly identical sets of types? (the others in cloudconfig/cloudinit/interface.go)
It feels like these should be defined once somewhere.
axw
Apr 27, 2017
Member
Because (a) I want cloudconfig/cloudinit to be self-contained, and (b) instancecfg is meant to be independent of the delivery mechanism, and so shouldn't depend on cloudconfig/cloudinit. Eventually I'd like to split cloudconfig/cloudinit into a separate package, because most of it's not Juju-specific.
Just investigating a potential issue with RackSpace, which uses WaitSSH. I think we may have to relax host key checks there initially.
It would be a problem, except the firewalling code doesn't even work: https://bugs.launchpad.net/juju/+bug/1536447. I'll go ahead and merge this, and that can be fixed later. We really shouldn't be relying on SSH to manage firewalls; we should introduce a machine-level worker that manages iptables.
$$merge$$
Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju
Build failed: Tests failed
$$merge$$
Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju
Build failed: Generating tarball failed
$$merge$$
Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju
axw commented Apr 26, 2017
Description of change
Up until now, Juju bootstrap has had an insecure initial SSH connection. The client had no way of knowing the server's host key, and so strict host key checking was disabled.
This branch does two main things:
- defaults strict host key checking to "ask" (unless overridden in OpenSSH client config) for both the golang.org/x/crypto and openssh implementations
- the created server via cloud-init, then uses the public key to perform strict host key checking. The key is regenerated server-side as the first thing the initial SSH connection does, so that user code deployed to controllers cannot sniff the keys from metadata services.
QA steps
Repeat with "ssh" removed from $PATH. There should be no warnings about SSH host keys changing, nor warnings about host keys being added to known_hosts.
Documentation changes
There is one change for users: on Windows, manual provisioning will now prompt the user to verify host SSH keys.
Bug reference
Fixes https://bugs.launchpad.net/juju/+bug/1683099
Fixes https://bugs.launchpad.net/juju/+bug/1579593
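The host key pinning described in the PR description, as an added example that is not code from this PR or from Juju: the client generates an RSA key, renders the public half in authorized_keys format (the form handed to the server via cloud-init), and later accepts only a server that presents exactly that key. It uses the standard library only; the names marshalRSA, authorizedKey and hostKeyMatches are hypothetical, and a client built on golang.org/x/crypto/ssh would normally get the same check from ssh.FixedHostKey.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
)

// marshalRSA returns the SSH wire encoding of an RSA public key (RFC 4253, section 6.6).
func marshalRSA(pub *rsa.PublicKey) (out []byte) {
	put := func(b []byte) { // SSH string: uint32 big-endian length, then the bytes
		l := len(b)
		out = append(append(out, byte(l>>24), byte(l>>16), byte(l>>8), byte(l)), b...)
	}
	put([]byte("ssh-rsa"))
	for _, n := range []*big.Int{big.NewInt(int64(pub.E)), pub.N} {
		b := n.Bytes()
		if len(b) > 0 && b[0]&0x80 != 0 {
			b = append([]byte{0}, b...) // mpint is signed; pad to stay positive
		}
		put(b)
	}
	return out
}

// authorizedKey renders the key in authorized_keys format, the form given to the new server.
func authorizedKey(pub *rsa.PublicKey) string {
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(marshalRSA(pub))
}

// hostKeyMatches is the strict check: the presented key blob must equal the pinned one.
func hostKeyMatches(pinned string, presented []byte) bool {
	f := strings.Fields(pinned) // key type, base64 blob, optional comment
	if len(f) < 2 || f[0] != "ssh-rsa" {
		return false
	}
	want, err := base64.StdEncoding.DecodeString(f[1])
	return err == nil && bytes.Equal(want, presented)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed sample key
	line := authorizedKey(&key.PublicKey)
	fmt.Println(line[:40]+"...", hostKeyMatches(line, marshalRSA(&key.PublicKey)))
}
```

Because the pinned key is known before the first connection, a mismatch can be treated as a hard failure rather than a prompt.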