Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow ssh between saluser@tel-lt1.tu and saluser@tel-hw1.tu #652

Merged
merged 9 commits into from
Sep 14, 2022
Merged

allow ssh between saluser@tel-lt1.tu and saluser@tel-hw1.tu #652

merged 9 commits into from
Sep 14, 2022

Conversation

jhoblitt
Copy link
Member

@jhoblitt jhoblitt commented Sep 9, 2022

Additionally, krb5 keytab values have been converted from String to Sensitive[String] as a first step towards more considerate handling of secrets.

See: https://puppet.com/docs/puppet/7/securing-sensitive-data.html

Related to https://github.com/lsst-it/lsst-puppet-hiera-private/pull/75

cbarria
cbarria reviewed Sep 13, 2022
View reviewed changes
Copy link
Contributor

@cbarria cbarria left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this to hold more secured data inside the configuration? (such as keys?)

@jhoblitt
Copy link
Member Author

The puppet Sensitive variant type is used to wrap other types and requires an explicit unwrap call to stringify. The intent to make it harder to accidentally print secrets into the logs.

@jhoblitt jhoblitt force-pushed the IHS-6295/tel-lt1 branch 2 times, most recently from 49c4007 to 1bb6566 Compare September 13, 2022 16:06
@jhoblitt
(profile::util::keytab) convert keytab_base64 param to Sensitive
52735ea
@jhoblitt
(profile::core::keytab) fwv
2271f83 
Generates profile::util::keytab resources.
@jhoblitt
(profile::core::common) include profile::core::keytab
6cd7896
@jhoblitt
(profile::util::keytab) make TGT non-forwardable
44b50a8 
Generally, we want to allow ssh between 2 pair of hosts only. We don't
not want the TGT to be reusable to make another hop from the destination
host.  If additional access from the destination ssh host is needed, a
role user TGT should also be present on the destination host.
cbarria
cbarria approved these changes Sep 14, 2022
View reviewed changes
Copy link
Contributor

@cbarria cbarria left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the explanation 👍

@jhoblitt jhoblitt merged commit 792b87f into master Sep 14, 2022
@jhoblitt jhoblitt deleted the IHS-6295/tel-lt1 branch September 14, 2022 17:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cbarria cbarria cbarria approved these changes

Assignees
No one assigned
Labels
author-merge live-hosts
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@jhoblitt @cbarria