Disable root SSH authentication altogether #24

New issue

Open

opened 2024-11-21 11:49:14 +01:00 by Niols · 0 comments

Niols commented 2024-11-21 11:49:14 +01:00

Owner

Copy link

After discussion in the Matrix channel, and as mentioned in #20 (comment), we should get rid of root SSH authentication altogether.
this would then raise the question on how we might handle deployment in such a way as to better limit attack surface.

implementation notes.

ideas:

1. first off switch deployment from using root to using @wheel users with password-less sudo. NixOps4 did not support this yet, so this may depend on it being subsumed (after #494).
2. pull-based (may be less great for latency in our context of operator-triggered updates):
   1. nits
   2. UKIs' pull-based updates
      • c.f. appvm
3. push-based:
   1. nixless-agent: on command node pulls update from cache
   2. replace the node with a new one based on the new configuration (needs state transfer, see #100).
4. kubernetes (#598)

After discussion in the Matrix channel, and as mentioned in https://git.fediversity.eu/fediversity/fediversity/pulls/20#issuecomment-3275, we should get rid of root SSH authentication altogether. this would then raise the question on how we might handle deployment in such a way as to better limit attack surface. ### implementation notes. ideas: 1. first off switch deployment from using `root` to using `@wheel` users with password-less sudo. NixOps4 did not support this yet, so this may depend on it being subsumed (after #494). 1. pull-based (may be less great for latency in our context of operator-triggered updates): 1. ~~[nits](https://github.com/numtide/nits)~~ 1. [UKIs](https://nixos.org/manual/nixos/stable/#sec-image-repart-appliance)' ~~pull-based [updates](https://x86.lol/generic/2024/08/28/systemd-sysupdate.html)~~ - c.f. [`appvm`](https://github.com/jollheef/appvm) 1. push-based: 1. [`nixless-agent`](https://github.com/DanielSidhion/nixless-agent): on command node pulls update from cache 1. replace the node with a new one based on the new configuration (needs state transfer, see #100). 1. kubernetes (#598)

👍 1

Niols added the

blocked

label 2024-11-21 11:51:56 +01:00

Niols referenced this issue 2024-11-21 11:52:50 +01:00

Factorise users configurations #20

fricklerhandwerk added this to the Fediversity project 2024-11-25 10:02:33 +01:00

kiara added the

security

label 2025-02-11 09:28:34 +01:00

kiara added the

component: nixops4

label 2025-03-18 12:22:04 +01:00

kiara referenced this issue 2025-04-02 16:46:11 +02:00

limit security impact of SSH access to service VMs #295

kiara added a new dependency 2025-04-02 16:46:33 +02:00

#291 code passes security check

kiara removed this from the Fediversity project 2025-04-14 11:13:17 +02:00

kiara added the

type: task

label 2025-05-01 11:42:40 +02:00

kiara referenced this issue 2025-05-05 19:48:02 +02:00

ephemeral state is automatically provisioned #314

kiara added the

13 points

label 2025-12-02 19:15:02 +01:00

kiara added a new dependency 2026-02-09 23:59:01 +01:00

#494 data model used

kiara added a new dependency 2026-02-10 00:01:24 +01:00

#100 migrating application data between hosting providers

kiara removed the

blocked

security

component: nixops4

labels 2026-02-10 13:07:48 +01:00

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

fix/forgejo-ci-secrets-rekey

fix/forgejo-ci-network-gateway

fix/forgejo-ci-ipv6-gateway-interface

feat/tests-thru-flake

issue/126-filesystem-backup

automation/update-workflow

automation/npins-update

kiara/fix-pixelfed

kiara/nspawn

issues/124-database-backups

issues/125-garage-backups

ci/pixelfed

pixelfed-ci

No results found.

Labels

Clear labels   

0 points

fibonacci complexity: 0 points

  

0.5 points

fibonacci complexity: 0.5 points

  

1 point

fibonacci complexity: 1 point

  

13 points

fibonacci complexity: 13 points

  

2 points

fibonacci complexity: 2 points

  

21 points

fibonacci complexity: 21 points

  

3 points

fibonacci complexity: 3 points

  

34 points

fibonacci complexity: 34 points

  

5 points

fibonacci complexity: 5 points

  

55 points

fibonacci complexity: 55 points

  

8 points

fibonacci complexity: 8 points

  

api service

features that may relate more to a (to be created) API service

  

blocked

  

component: fediversity panel

  

component: nixops4

  

documentation

  

estimation high: >3d

  

estimation low: <2h

  

estimation mid: <8h

  

infinite points

fibonacci complexity: infinite points

  

productisation

features out-scoped with the decoupling of the productisation effort

  

project-management

Project management related tasks

  

question

  

role: application developer

  

role: application operator

  

role: hosting provider

  

role: maintainer

  

security

  

technical debt

  

testing

  

type unclear

  

type: bug

Anything that doesn't work as advertised

  

type: deliverable

  

type: key result

  

type: objective

  

type: task

  

type: user story

  

user experience

No labels

0 points

0.5 points

1 point

13 points

2 points

21 points

3 points

34 points

5 points

55 points

8 points

api service

blocked

component: fediversity panel

component: nixops4

documentation

estimation high: >3d

estimation low: <2h

estimation mid: <8h

infinite points

productisation

project-management

question

role: application developer

role: application operator

role: hosting provider

role: maintainer

security

technical debt

testing

type unclear

type: bug

type: deliverable

type: key result

type: objective

type: task

type: user story

user experience

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks

#291 code passes security check

fediversity/fediversity

Depends on

#100 migrating application data between hosting providers

fediversity/fediversity

#494 data model used

fediversity/fediversity

Reference

fediversity/fediversity#24

No description provided.