This repository has been archived by the owner on Sep 14, 2019. It is now read-only.

[mig module] Break glass module to start ssh and configure a user for remote access (Bugzilla #1134394) #113

Open · jvehent opened this issue Oct 2, 2015 · 0 comments

jvehent commented Oct 2, 2015

Migrated from https://bugzilla.mozilla.org/show_bug.cgi?id=1134394
Assigned to: Julien Vehent [:ulfr]

On 2015-02-18 13:59:00 -0800, Brian Hourigan [:digi] wrote:

Our greenfield AWS environment nubis does not support remote access via ssh. We don't want to configure a break-glass account with credentials that any employee could have seen, otherwise we would be forced to redeploy everything during an exit and also have the burden of managing these credentials.

After talking with :ulfr we think the best way to facilitate emergency access is to create a mig plugin that would add a user, and configure some public ssh key.

On 2015-02-18 14:27:30 -0800, Julien Vehent [:ulfr] wrote:

This should be built into its own plugin, and not reuse the account plugin planned in bug 1037965. Having it in a separate module will allow us to limit the individuals having access to it, such that only opsec and a few selected ops can invoke it.

The module should support two operations:

  1. open emergency access: start sshd and add a public ssh key to a given user (either create a new user, or add it to /root/.ssh/authorized_keys)
  2. close emergency access: stop sshd and remove keys previously added (need to figure out how, maybe by restoring a backup file?)

On 2015-02-18 14:54:11 -0800, Brian Hourigan [:digi] wrote:

> 2. close emergency access: stop sshd and remove keys previously added (need to figure out how, maybe by restoring a backup file?)

I'd vote to not have this feature. Once an AMI has been accessed it is 'dirty' and should be terminated and re-deployed from a known AMI.
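The two operations :ulfr lists above (install a public key for emergency access, later remove exactly the keys that were installed) are the core of such a module. The Go program below is an added example written for this page, not code from MIG or from the nubis project: it tags every break-glass key it appends to `authorized_keys` with a marker comment carrying a ticket id, so the close operation can strip those lines without needing a backup file. The `mig-breakglass:` marker, the `BUG-1134394` ticket string and the sample keys are constructed for the example; validation accepts only `<type> <base64>` single-line keys so an option prefix or a second line cannot be smuggled in through the key parameter. Starting and stopping sshd is left to the service manager and is only noted in a comment.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Marker written as the comment field of every key the open operation
// installs, so the close operation can find and remove exactly those keys
// (constructed convention for this example, not part of MIG).
const markerPrefix = "mig-breakglass:"

// validKeyTypes lists the key types accepted in an authorized_keys entry.
var validKeyTypes = map[string]bool{
	"ssh-ed25519": true, "ssh-rsa": true, "ecdsa-sha2-nistp256": true,
	"ecdsa-sha2-nistp384": true, "ecdsa-sha2-nistp521": true,
}

// validatePublicKey accepts only "<type> <base64>[ comment]" on one line and
// returns the normalised "<type> <base64>" part; the caller's comment is
// dropped because the marker takes its place.
func validatePublicKey(pubkey string) (string, error) {
	if strings.ContainsAny(pubkey, "\r\n") {
		return "", fmt.Errorf("public key must be a single line")
	}
	fields := strings.Fields(pubkey)
	if len(fields) < 2 || !validKeyTypes[fields[0]] {
		return "", fmt.Errorf("unsupported or malformed public key")
	}
	if _, err := base64.StdEncoding.DecodeString(fields[1]); err != nil {
		return "", fmt.Errorf("key body is not valid base64: %v", err)
	}
	return fields[0] + " " + fields[1], nil
}

// AddBreakGlassKey (open operation) returns the authorized_keys content with
// pubkey appended and tagged with ticket. Adding the same key under the same
// ticket twice is a no-op, so a retried action cannot duplicate the entry.
func AddBreakGlassKey(content, pubkey, ticket string) (string, error) {
	if ticket == "" || strings.ContainsAny(ticket, " \t\r\n") {
		return content, fmt.Errorf("ticket must be a single non-empty token")
	}
	key, err := validatePublicKey(pubkey)
	if err != nil {
		return content, err
	}
	entry := key + " " + markerPrefix + ticket
	for _, line := range strings.Split(content, "\n") {
		if strings.TrimSpace(line) == entry {
			return content, nil // already installed
		}
	}
	if content != "" && !strings.HasSuffix(content, "\n") {
		content += "\n"
	}
	return content + entry + "\n", nil
}

// RemoveBreakGlassKeys (close operation) drops every line tagged with ticket,
// or every break-glass line when ticket is empty, and reports the count.
// Keys that were present before the open operation are left untouched.
func RemoveBreakGlassKeys(content, ticket string) (string, int) {
	var kept []string
	removed := 0
	for _, line := range strings.Split(strings.TrimRight(content, "\n"), "\n") {
		fields := strings.Fields(line)
		last := ""
		if len(fields) > 0 {
			last = fields[len(fields)-1]
		}
		if strings.HasPrefix(last, markerPrefix) && (ticket == "" || last == markerPrefix+ticket) {
			removed++
			continue
		}
		kept = append(kept, line)
	}
	out := strings.Join(kept, "\n")
	if out != "" {
		out += "\n"
	}
	return out, removed
}

// WriteAuthorizedKeys replaces path atomically, keeping the 0600 mode that
// sshd's StrictModes check expects on authorized_keys.
func WriteAuthorizedKeys(path, content string) error {
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, []byte(content), 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

func main() {
	// Constructed sample: a file with one pre-existing key and a constructed
	// operator key to install for the duration of the emergency.
	existing := "ssh-ed25519 AAAA existing@host\n"
	opsKey := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHh/Z8b1cP6EaiqxTiIn1QhC8PjLkPKIUA+VHXMQJHmV ops@example"
	opened, err := AddBreakGlassKey(existing, opsKey, "BUG-1134394")
	if err != nil {
		fmt.Println("open failed:", err)
		os.Exit(1)
	}
	path := filepath.Join(os.TempDir(), "authorized_keys.demo")
	if err := WriteAuthorizedKeys(path, opened); err != nil {
		fmt.Println("write failed:", err)
		os.Exit(1)
	}
	fmt.Printf("after open (%s):\n%s", path, opened)
	// sshd would be started here through the service manager (e.g. exec of
	// "systemctl start sshd"); it is deliberately not exercised in this demo.
	closed, n := RemoveBreakGlassKeys(opened, "BUG-1134394")
	fmt.Printf("after close (%d key removed):\n%s", n, closed)
}
```

The marker-comment approach answers the "maybe by restoring a backup file?" question without a backup: a restore would silently discard any key an operator legitimately added in between, whereas removing only the tagged lines leaves the rest of the file as it was. Whether the close operation is worth having at all is the separate point :digi raises; terminating and redeploying the instance remains the stronger guarantee.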
