Opened 6 months ago

Closed 5 months ago

Last modified 5 months ago

#33868 closed defect (fixed)

fabric (incorrectly) assumes User root ssh_config

Reported by: anarcat Owned by: anarcat
Priority: Low Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Major Keywords: tpa-roadmap-april
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


our fabric code assumes we have a User root block for all tpo hosts, which is incorrect: i actually deliberately set User anarcat on pauli, for example, so that I don't push as root.

this should be fixed with a fabric-specific config.


Change History (3)

comment:1 Changed 5 months ago by anarcat

Status: assigned → accepted

comment:2 Changed 5 months ago by anarcat

Resolution: fixed
Status: accepted → closed

I have set user = 'root' in tsa_misc/ but because Fabric's ~/.ssh/config support *overrides* the configuration set there, it was still not working for some specific hosts where i had User anarcat set.

the workaround I used there was to change the purpose field of to This, in turn, added to the ssh_known_hosts file generated by ud-ldap and distributed everywhere. so now I can have this ~/.ssh/config configuration:

# interact as a normal user with Puppet and LDAP servers by default
  User anarcat

Host *
  UserKnownHostsFile ~/.ssh/
  User root
  VerifyHostKeyDNS ask

# use jump host if the network is not in the trusted whitelist
Match host *, !host, exec "! trusted-network"

and connecting to (say) will still log in as root.

i have still hardcoded the root@ account for in the source code defaults for that reason.

i think this should be good enough for now.

comment:3 Changed 5 months ago by anarcat

Keywords: tpa-roadmap-april added
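
The user-resolution behaviour discussed in this ticket, as an added example (not code from the ticket or from the TPA Fabric scripts): ssh_config keeps the first value it obtains for each option, so a host-specific User block placed before Host * decides the login account, and that value then beats Fabric's configured default. The host names are constructed placeholders, Match blocks are ignored, fnmatch only approximates OpenSSH pattern matching, and the "explicit user wins" rule is a model of the root@ hardcoding mentioned in comment:2.

```python
import fnmatch

# Constructed sample config; the host names are placeholders, not the ticket's.
SAMPLE_CONFIG = """\
# interact as a normal user with these servers by default
Host puppet.example.org ldap.example.org
  User anarcat

Host *
  User root
  VerifyHostKeyDNS ask
"""

def parse_blocks(text):
    """Return [(patterns, {option: value})] for each Host block, in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to all hosts
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            # inside a block, too, the first value seen for a key is kept
            blocks[-1][1].setdefault(key, value)
    return blocks

def host_matches(patterns, host):
    """A Host line matches if a positive pattern hits and no negated one does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in positive)

def ssh_config_user(text, host):
    """First matching block that sets User wins; None if no block sets it."""
    for patterns, options in parse_blocks(text):
        if "user" in options and host_matches(patterns, host):
            return options["user"]
    return None

def effective_user(text, host, fabric_default="root", explicit=None):
    """Modelled precedence: explicit user@ > ssh_config User > Fabric default."""
    return explicit or ssh_config_user(text, host) or fabric_default
```

On a real machine, `ssh -G <host>` prints the options OpenSSH resolves for that host, including the user line, which is a quick way to confirm which account a tool that reads ~/.ssh/config will log in as.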