76 lines
2.7 KiB
Markdown
# ssh access strategy

some notes on our current status, challenges and ways to address these

## questions

- [x] which keys do we accept on which users on which machines (infra/test)?
- [x] when deploying (by nixops/tf, machines infra/test, separate/local/deployed), which user and key do we pass?

## background

<!-- - manual setup kevin -->
<!--   - `nixos-24.05-minimal-x86_64.iso` -->
<!--   - `users.users.procolix.openssh.authorizedKeys.keys` (procolix SSH jump nodes) -->
- manual setup @niols
  - sync machines' `/etc/ssh/ssh_host_ed25519_key.pub` to:
    - `infra/test-machines/testxx/ssh_host_ed25519_key` (test machines)
    - `keys/systems/fedixxx.pub` (infra)
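
The host-key sync above is only useful if the repo copy really matches what the machine presents. This added check (not part of these notes or the project's code) compares an `ssh-keyscan` line against a repo `.pub` line and prints the `SHA256:` fingerprint that `ssh-keygen -lf` would show; the key lines are constructed sample data, not real host keys, and the host name `fedixxx.example` is a placeholder.

```python
# Added check: does a repo copy of a machine's SSH host public key match the
# key the machine actually presents (a line from `ssh-keyscan -t ed25519 host`)?
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def parse_pubkey(line: str) -> tuple[str, bytes]:
    """(key type, raw key blob) from an OpenSSH public-key line
    ("ssh-ed25519 AAAA... comment") or a known_hosts/ssh-keyscan line
    ("host ssh-ed25519 AAAA...")."""
    fields = line.split()
    # known_hosts lines put the host name first; the key type is then field 2.
    if len(fields) >= 3 and fields[1].startswith(KEY_TYPE_PREFIXES):
        fields = fields[1:]
    if len(fields) < 2 or not fields[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"not a public key line: {line!r}")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob is length-prefixed and its first string repeats the key type;
    # checking it catches a type field that was edited without the blob.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob

def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(parse_pubkey(line)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hostkey_matches(keyscan_line: str, repo_pub_line: str) -> bool:
    """True when both lines carry the same key (type and blob); host names
    and trailing comments are ignored."""
    return parse_pubkey(keyscan_line) == parse_pubkey(repo_pub_line)

def constructed_ed25519_line(seed: int, comment: str = "") -> str:
    """Well-formed ssh-ed25519 public-key line from a deterministic 32-byte
    value: constructed sample data for the demo, not a real key."""
    pub = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = b"\x00\x00\x00\x0bssh-ed25519" + len(pub).to_bytes(4, "big") + pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

if __name__ == "__main__":
    repo_copy = constructed_ed25519_line(1, "root@fedixxx")  # like keys/systems/fedixxx.pub
    scanned = "fedixxx.example " + constructed_ed25519_line(1)  # like ssh-keyscan output
    print(fingerprint(repo_copy), hostkey_matches(scanned, repo_copy))
```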
## challenges

- TF messing up non-root SSH access (`/etc/ssh/authorized_keys.d` absent)
- TF not having a clear SSH strategy for production
  - machine key? how to select the right user/key? how does nixops handle this?
- testing the panel locally not having a clear SSH strategy for password-protected SSH keys

## strategy

### which keys to accept on which users on which machines

- fedixxx/test0x
  <!-- - procolix -->
  <!--   - procolix jump nodes -->
  - root
    - fediversity team's individual keys
      - personal
      - personal (protected)
- test0x: a passwordless wheel account (personal accounts? root too?) should also allow an unprotected SSH key (personal?)

### how to use SSH on deployment

#### user

(note that the `desired` columns are focused on the scope of #76, so e.g. security considerations are kept out of scope.)

| context | current | desired |
|-|-|-|
| nixops infra | root | root |
| nixops local | root | root |
| protected? nixops panel local | root | root |
| nixops panel deployed | root | root |
| tf local | personal (hard-coded) | root |
| protected? tf panel local | personal (hard-coded) | root |
| tf panel deployed | personal (hard-coded) | root |
| tf infra | root | root |

#### key

| context | current | desired |
|-|-|-|
| nixops infra | personal (through ssh-agent) | (protected) personal key |
| nixops local | personal (through ssh-agent) | personal |
| nixops panel local | personal (through ssh-agent, failed to handle password protection) | (unprotected) personal key |
| nixops panel deployed | machine key (through ssh-agent) | machine key |
| tf local | personal (through ssh-agent, password can be passed explicitly) | personal (unprotected, or if protected by passing it explicitly) |
| tf panel local | personal (through ssh-agent, password can be passed explicitly) | personal (unprotected, or if protected by passing it explicitly) |
| tf panel deployed | machine key (through ssh-agent) | machine key |
| tf infra | n/a | (protected) personal key (with password propagated, somehow) |

## outcomes

added sub-tasks to:

- #272
- #76
- #274