Put the secure into secure shell #7278
Conversation
|
The PR description makes it seem like this PR also fixes https://bugs.launchpad.net/juju/+bug/1579593. Is that right? |
Indeed :) |
cloudconfig/cloudinit/cloudinit.go
Outdated
| } else { | ||
| cfg.UnsetAttr("ssh_keys") | ||
| } | ||
| } |
There was a problem hiding this comment.
This is oddly indirect. What about just this?
func (cfg *cloudConfig) SetSSHKeys(keys SSHKeys) {
if keys.RSA != nil {
cfg.SetAttr("ssh_keys", map[string]interface{}{
string(RSAPrivate): keys.RSA.Private,
string(RSAPublic): keys.RSA.Public,
})
} else {
cfg.UnsetAttr("ssh_keys")
}
}There was a problem hiding this comment.
The idea was the make room for other key types, but you're right. I'll just keep it simple and we can expand later if needed.
|
|
||
| // Public contains the public key in authorized_keys format. | ||
| Public string | ||
| } |
There was a problem hiding this comment.
Why the 2 nearly identical set of types? (the others in cloudconfig/cloudinit/interface.go)
It feels like these should be defined once somewhere.
There was a problem hiding this comment.
Because (a) I want cloudconfig/cloudinit to be self-contained, and (b) instancecfg is meant to be independent of the delivery mechanism, and so shouldn't depend on cloudconfig/cloudinit. Eventually I'd like to split cloudconfig/cloudinit into a separate package, because most of it's not Juju-specific.
axw
force-pushed
the
ssh-stricthostkeychecking
branch
from
eb855ec
to
98badd5
Compare
|
Just investigating a potential issue with RackSpace, which uses WaitSSH. I think we may have to relax host key checks there initially. |
It would be a problem, except the firewalling code doesn't even work: https://bugs.launchpad.net/juju/+bug/1536447. I'll go ahead and merge this, and that can be fixed later. We really shouldn't be relying on SSH to manage firewalls; we should introduce a machine-level worker that manages iptables. |
axw
force-pushed
the
ssh-stricthostkeychecking
branch
from
98badd5
to
f24cbdf
Compare
|
|
|
Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju |
|
Build failed: Tests failed |
axw
force-pushed
the
ssh-stricthostkeychecking
branch
from
f24cbdf
to
826ca1d
Compare
|
|
|
Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju |
|
Build failed: Generating tarball failed |
axw
force-pushed
the
ssh-stricthostkeychecking
branch
from
826ca1d
to
1d4b42a
Compare
|
|
|
Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju |
|
Build failed: Tests failed |
axw
force-pushed
the
ssh-stricthostkeychecking
branch
from
1d4b42a
to
dd3de5f
Compare
|
|
|
Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju |
|
Build failed: Tests failed |
Up until now, Juju bootstrap has had an insecure initial SSH connection. The client had no way of knowing the server's host key, and so strict host key checking was disabled. This branch does two main things: - updates to the new juju/utils version which defaults strict host key checking to "ask" (unless overridden in OpenSSH client config) for both the golang.org/x/crypto and openssh implementations - generates and injects an SSH host key into the created server via cloud-init, then use the public key to perform strict host key checking. The key is regenerated server-side as the first thing the initial SSH connection does, so that user code deployed to controllers cannot sniff the keys from metadata services. Fixes https://bugs.launchpad.net/juju/+bug/1683099
axw
force-pushed
the
ssh-stricthostkeychecking
branch
from
dd3de5f
to
f189117
Compare
|
|
|
Status: merge request accepted. Url: http://juju-ci.vapour.ws:8080/job/github-merge-juju |
Description of change
Up until now, Juju bootstrap has had an insecure
initial SSH connection. The client had no way of
knowing the server's host key, and so strict
host key checking was disabled.
This branch does two main things:
defaults strict host key checking to "ask"
(unless overridden in OpenSSH client config)
for both the golang.org/x/crypto and openssh
implementations
the created server via cloud-init, then uses
the public key to perform strict host key
checking. The key is regenerated server-side
as the first thing the initial SSH connection
does, so that user code deployed to controllers
cannot sniff the keys from metadata services.
QA steps
Repeat with "ssh" removed from $PATH. There should be no warnings about SSH host keys changing, nor warnings about host keys being added to known_hosts.
Documentation changes
There is one change for users: on Windows, manual provisioning will now prompt the user to verify host SSH keys.
Bug reference
Fixes https://bugs.launchpad.net/juju/+bug/1683099
Fixes https://bugs.launchpad.net/juju/+bug/1579593