Opened 8 weeks ago

Last modified 8 weeks ago

#31214 new task

audit account-keyring

Reported by: anarcat
Owned by: tpa
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by anarcat)

Look at all the keys in account-keyring, for each key:

  1. if the account is locked in LDAP, remove the key
  2. if the key is expired, consider locking it in LDAP

Consider automating this, or at least make it so automation wouldn't be harder, see #29671.

Change History (3)

comment:1 Changed 8 weeks ago by anarcat

Description: modified (diff)

mention keyring management issue

comment:2 Changed 8 weeks ago by anarcat

> if the key is expired, consider locking it in LDAP

This begs a few questions:

  1. "if a key is expired" - which key? the primary pub key? or any subkey? or just authentication subkeys? it seems the "correct" one would be "if the primary key is expired, or all authentication subkeys are expired", but that's the kind of logic that's hard to implement outside of GnuPG
  2. how do we actually decide if we lock accounts in LDAP?

This one-liner gives us a list of expired primary keys, of which there are currently 25 out of 92:

total=0; count=0
for key in *.gpg; do
    # --show-keys lists an exported key without importing it; an expired
    # primary shows up as "pub ... [expired: YYYY-MM-DD]" (anchored so a
    # uid line containing "pub" cannot match)
    if gpg --show-keys < "$key" | grep -q '^pub.*expired'; then
        echo "KEY EXPIRED: $key"; gpg --show-keys < "$key"
        count=$((count + 1))
    fi
    total=$((total + 1))
done
echo "found $count expired keys out of $total keys"

I added it to the account-keyring repo, as part of the audit-keyring script.

comment:3 Changed 8 weeks ago by anarcat

i expanded the script to check that all keys in the keyring have matching valid UIDs in LDAP. I found isis's key, which matches an expired LDAP account, and removed it.
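
The decision logic from comments 2 and 3, as an added example that is not the account-keyring repo's audit-keyring script and not the one-liner above. It works on the machine-readable records of `gpg --with-colons --show-keys < key.gpg` (field layout as in GnuPG's doc/DETAILS) so it runs offline; the key records, the LDAP account table and the audit timestamp are constructed stand-ins. Two assumptions are built in: keys are matched to LDAP accounts by the e-mail address in their UIDs, and a key with no authentication-capable key at all is not flagged by the "all authentication subkeys expired" clause.

```python
import calendar
import re
import time

# Constructed sample of `gpg --with-colons --show-keys` output (fake keys).
# Field 2 is validity ('e' = expired), field 7 the expiration date,
# field 10 the user id or fingerprint, field 12 the key capabilities.
SAMPLE_COLONS = """\
pub:e:4096:1:1111111111111111:1369000000:1543000000::-:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:e::::1369000000::AAAA::Alice Example <alice@example.org>::::::::::0:
sub:e:4096:1:2222222222222222:1369000000:1543000000:::::a::::::23:
pub:-:4096:1:3333333333333333:1369000000:1900000000::-:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:-::::1369000000::BBBB::Bob Example <bob@example.org>::::::::::0:
sub:e:4096:1:4444444444444444:1369000000:1500000000:::::a::::::23:
sub:-:4096:1:5555555555555555:1369000000:1900000000:::::a::::::23:
pub:-:4096:1:6666666666666666:1369000000:::-:::scESC::::::23::0:
fpr:::::::::6666666666666666666666666666666666666666:
uid:-::::1369000000::CCCC::Carol Example <carol@example.org>::::::::::0:
sub:e:4096:1:7777777777777777:1369000000:1500000000:::::a::::::23:
pub:-:4096:1:8888888888888888:1369000000:::-:::scESC::::::23::0:
fpr:::::::::8888888888888888888888888888888888888888:
uid:-::::1369000000::DDDD::Dave Example <dave@example.org>::::::::::0:
sub:-:4096:1:9999999999999999:1369000000::::::a::::::23:
pub:-:4096:1:AAAAAAAAAAAAAAAA:1369000000:1900000000::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1369000000::EEEE::Eve Example <eve@example.org>::::::::::0:
"""

# Constructed stand-in for the LDAP lookup (assumption): e-mail -> account locked?
SAMPLE_LDAP = {
    "alice@example.org": False,
    "bob@example.org": False,
    "carol@example.org": False,
    "dave@example.org": True,
}


def _parse_expiry(field):
    """Field 7: '' = never, epoch seconds (GnuPG 2.x) or YYYY-MM-DD (older)."""
    if not field:
        return None
    if field.isdigit():
        return int(field)
    return calendar.timegm(time.strptime(field, "%Y-%m-%d"))


def parse_show_keys(text):
    """Group pub/fpr/uid/sub records into one dict per primary key."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "expires": _parse_expiry(f[6]),
                         "caps": f[11], "fpr": None, "uids": [], "subkeys": []})
        elif not keys:
            continue
        elif f[0] == "fpr" and keys[-1]["fpr"] is None:   # first fpr = primary
            keys[-1]["fpr"] = f[9]
        elif f[0] == "uid":
            keys[-1]["uids"].append(f[9])
        elif f[0] == "sub":
            keys[-1]["subkeys"].append({"keyid": f[4], "validity": f[1],
                                        "expires": _parse_expiry(f[6]), "caps": f[11]})
    return keys


def _expired(rec, now):
    return rec["validity"] == "e" or (rec["expires"] is not None and rec["expires"] < now)


def key_is_expired(key, now):
    """Comment 2's rule: primary expired, or every authentication-capable key expired."""
    if _expired(key, now):
        return True
    auth = [s for s in key["subkeys"] if "a" in s["caps"]]
    if "a" in key["caps"]:          # lowercase = the primary's own capabilities
        auth.append(key)
    # Assumption: no authentication-capable key at all -> nothing to flag here.
    return bool(auth) and all(_expired(a, now) for a in auth)


def _emails(uids):
    found = []
    for uid in uids:
        m = re.search(r"<([^>]+)>", uid)
        if m:
            found.append(m.group(1).lower())
    return found


def audit(keys, ldap, now):
    """Apply the ticket's rules; returns [(fingerprint, action, reason)]."""
    report = []
    for key in keys:
        matched = [ldap[e] for e in _emails(key["uids"]) if e in ldap]
        if not matched:
            report.append((key["fpr"], "remove", "no matching LDAP account"))
        elif any(matched):
            report.append((key["fpr"], "remove", "LDAP account locked"))
        elif key_is_expired(key, now):
            report.append((key["fpr"], "consider-lock", "primary or all auth keys expired"))
        else:
            report.append((key["fpr"], "ok", ""))
    return report


if __name__ == "__main__":
    for fpr, action, reason in audit(parse_show_keys(SAMPLE_COLONS), SAMPLE_LDAP, int(time.time())):
        print(f"{fpr} {action:13} {reason}")
```

Bob's key shows why the per-subkey rule matters: his primary key is valid and one authentication subkey has expired, but a second one is still good, so the key is not reported. To run it against the real keyring, feed `audit()` the concatenated `gpg --with-colons --show-keys` output of every `*.gpg` file and replace `SAMPLE_LDAP` with the locked flag from an LDAP search.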
