kiara/meta
1
0
Fork 0
forked from Fediversity/meta
Code Pull requests Activity
meta/architecture-docs/2025-03-31-ssh-strategy.md
Kiara Grouwstra 1c617dce0c
add ssh strategy
2025-04-01 09:45:31 +02:00

3.1 KiB
Raw Blame History

ssh access strategy

some notes on our current status, challenges and ways to address these

questions

  • which keys do we accept on which users on which machines (infra/test)?
  • when deploying (by nixops/tf, machines infra/test, separate/local/deployed), which user and key do we pass?

background

  • manual setup @niols
    • sync machines' /etc/ssh/ssh_host_ed25519_key.pub to:
      • infra/test-machines/testxx/ssh_host_ed25519_key (test machines)
      • keys/systems/fedixxx.pub (infra)

challenges

  • TF messing up non-root SSH access (/etc/ssh/authorized_keys.d absent)
  • TF not having a clear SSH strategy for production
    • machine key? how to select the right user/key? how does nixops handle this?
  • testing the panel locally not having a clear SSH strategy with password-protected SSH keys

strategy

which keys to accept on which users on which machines

  • fedixxx/test0x
    • root
      • fediversity team's individual keys
    • personal
      • personal (protected)
  • test0x: a passwordless wheel account (personal accounts? root too?) should allow also an unprotected ssh key (personal?)

how to use SSH on deployment

user

|-|-|-| | context | current | desired1 | | nixops infra | root | root | | nixops local | root | root | | protected? nixops panel local | root | root | | nixops panel deployed | root | root |

| tf local | personal2 | root | | protected? tf panel local | personal2 | root | | tf panel deployed | personal2 | root |

key

|-|-|-| | context | current | desired | | nixops infra | personal3 | (protected) personal key | | nixops local | personal3 | personal | | nixops panel local | personal3 4 | (unprotected) personal key | | nixops panel deployed | machine key3 | machine key |

| tf local | personal3 5 | personal6 | | tf panel local | personal3 5 | personal6 | | tf panel deployed | machine key3 | machine key |

solutions

  • fix ssh user in #274
  • fix ssh access on test03
  • [?] mimic strategy used with nixops for TF for ssh access from panel (deployed)
    • allow access by machine key? or.. how did nixops have access?
  • use/allow separate unprotected SSH key for test0x VMs (#272)
  • ensure whitelisted keys for infra are protected
  • work out way to use password-protected ssh keys in TF for infra? e.g.:
    • delegate to ssh agent
    • pass explicitly

  1. for now, as per the scope of #274 ↩︎

  2. hard-coded ↩︎

  3. thru ssh agent ↩︎

  4. fails to handle password protection ↩︎

  5. password can be passed explicitly ↩︎

  6. unprotected, or if protected by passing it explicitly ↩︎