Replace shared root login with user accounts

[edunham]

These changes:

• Create individual user account for everyone who has an SSH key
• Add each SSH key to its person's account instead of to root
• Forbid root login at ssh config level (OSX and Ubuntu)
• Permit passwordless sudo for each user who has an SSH key. This is not great but it is no worse than the current state of affairs. The options for moving away from passwordless sudo will all potentially break peoples' workflows, so I'd like to write and test them as a separate set of changes from this one.

r? @aneeshusa to catch my inevitable Salt room-for-improvement

cc @larsbergstrom for thoughts on if/how we should actively disallow root login on Windows

Labeling please-don't-merge because I'm 90% sure something in here will break Travis.

---

This change is 

[edunham]

Oh actually I had a couple old PRs about this which were broken for various reasons. I'll integrate the suggestions from them before consuming anyone's review time.

[larsbergstrom]

From the logs, it looks like the creation step needs to be depended upon by the keyfile installation step? There are a bunch of OSX errors about [ERROR ] Failed to add the ssh key. Is the home directory available, and/or does the key file exist?

[aneeshusa]

I haven't tested this, but looks good overall so far. I left some Salt comments.

[aneeshusa]

spelling: unprivileged

[aneeshusa]

Before user.present, we should also use group.present to create a group for each user with the same name. We should require the group state from the user state and set gid_from_name: True in the user state.

[aneeshusa]

We should use groups instead of optional_groups so Salt complains if this doesn't work.

[aneeshusa]

Might be nice to add a group.present state for the wheel group itself.

[aneeshusa]

This should require the user.present state.

[aneeshusa]

I've personally never been a fan of file.append, I prefer to use file.managed and control the whole contents instead of hoping that Salt is always smart enough to do the right thing with file.append.

[aneeshusa]

We could provide permissions to the wheel group instead of each user individually.

[aneeshusa]

We could also use AllowGroups wheel, I think.

[edunham]

I believe we want to end up with as few people having root access as possible, so most users who can access the hosts to examine logs or whatever will not be in wheel. Thus they'll either need to be individually added with AllowUsers, or all added to a group which in turn is added using AllowGroups. While a dedicated group would have the same effect as individually allowing, it adds a layer of indirection when trying to figure out which users have access compared to just looking at sshd_config.

So my FIXME was pretty unclear, but I'm pretty sure it's an issue that AllowGroups wheel does not adequately address.

[aneeshusa]

It might also be nice to switch to a non-standard port to reduce log spam, since we've set the log level to verbose.

[aneeshusa]

It might also be cool to integrate https://github.com/mozilla/ssh_scan as a test.

[aneeshusa]

If we want to implement #657, I suggest the following changes:

• Don't provide sudoers access to these per-user accounts; we'll implement the Publisher ACL in a separate PR
• Keep root SSH access enabled for now

After testing Publisher ACL, we can enable sudoers access if necessary and drop root SSH access.

[bors-servo]

☔ The latest upstream changes (presumably #694) made this pull request unmergeable. Please resolve the merge conflicts.

[edunham]

Feedbacks addressed; merging in master and fixing the conflicts now

[aneeshusa]

Thanks for updating this! I'd made #725 in the meantime with a more robust SSH config and a test, so how do you feel about taking the SSH bits out of this PR and having this PR about creating individual accounts?

[aneeshusa]

Unless this is a new feature, I don't think this works and we'll need:

- group: wheel
- group: {{ ssh_user }}

as two separate lines.

[edunham]

oops, yeah. Fixed.

[aneeshusa]

We need to create the group first, and then the user, so this state shouldn't have a members key as that would be a circular dependency. The gid_from_name parameter in the user.present state will take care of this.

[aneeshusa]

FYI, since the group.present will be empty at that point, just set it to an empty list as so to get the YAML to parse correctly: https://docs.saltstack.com/en/2016.3/topics/troubleshooting/yaml_idiosyncrasies.html#yaml-does-not-like-double-short-decs

[aneeshusa]

I agree with your comment about only providing some users root access. To prevent confusion, let's rename this group to sshusers, and reserve the wheel group for users that will have root perms.

[aneeshusa]

We'll need to keep the two-state solution of file.managed to continue being able to handle SSH key rotation and revocation.

[aneeshusa]

We should keep the states that set up the SSH keys for the root user, as we don't want to lock ourselves out (and at least for now want to keep installing root SSH keys on new machines).

[edunham]

Fixed :)

[aneeshusa]

Also, since it doesn't look like the Publisher ACL feature panned out as I was expecting, feel free to bring back the sudoers-related states. A rebase would also be helpful for cleaning up the history a bit.

[edunham]

@aneeshusa Should be more-right. I un-clobbered your SSH states, restricted it to not trying to do Mac because getting account creation right on OSX is 🤷‍♂️, but kept the sshd config addition.

Looking ready for squash?

Can't find a "I made the requested changes" button, on the review... should be ready for another look now though