Opened 6 months ago

Closed 5 months ago

Last modified 5 months ago

#33868 closed defect (fixed)

fabric (incorrectly) assumes User root ssh_config

Reported by: anarcat Owned by: anarcat
Priority: Low Milestone:
Component: Internal Services/Tor Sysadmin Team Version:
Severity: Major Keywords: tpa-roadmap-april
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Our fabric code assumes we have a User root block for all tpo hosts, which is incorrect: I actually deliberately set User anarcat on pauli, for example, so that I don't push as root.

This should be fixed with a fabric-specific config.

Child Tickets

Change History (3)

comment:1 Changed 5 months ago by anarcat

Status: assigned → accepted

comment:2 Changed 5 months ago by anarcat

Resolution: fixed
Status: accepted → closed

I have set user = 'root' in tsa_misc/fabric.py, but because Fabric's ~/.ssh/config support *overrides* the configuration set there, it was still not working for some specific hosts where I had User anarcat set.

The workaround I used there was to change the purpose field of pauli.torproject.org to puppet.torproject.org. This, in turn, added puppet.torproject.org to the ssh_known_hosts file generated by ud-ldap and distributed everywhere. So now I can have this ~/.ssh/config configuration:

# interact as a normal user with Puppet and LDAP servers by default
Host puppet.torproject.org db.torproject.org
  User anarcat

Host *.torproject.org
  UserKnownHostsFile ~/.ssh/known_hosts.torproject.org
  User root
  VerifyHostKeyDNS ask

# use jump host if the network is not in the trusted whitelist
Match host *.torproject.org, !host perdulce.torproject.org, exec "! trusted-network"
  ProxyJump anarcat@perdulce.torproject.org

and connecting to (say) pauli.torproject.org will still log in as root.

I have still hardcoded the root@ account for puppet.torproject.org in the source code defaults for that reason.

I think this should be good enough for now.

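The workaround above relies on ssh_config's "first obtained value wins" rule: the Host block naming puppet.torproject.org must sit before the Host *.torproject.org block, or the root default wins for it too. The following is an added example, not code from the ticket or from the TPA fabric tree; it is a small Python resolver for Host blocks only (the Match line is left to ssh itself), with effective_user() mimicking the precedence the comment describes, where a User from ssh_config beats the user set in fabric.py:

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed ssh_config mirroring the comment above (Match line omitted:
# this resolver handles Host blocks, not Match criteria such as exec).
SSH_CONFIG = """\
Host puppet.torproject.org db.torproject.org
  User anarcat

Host *.torproject.org
  UserKnownHostsFile ~/.ssh/known_hosts.torproject.org
  User root
  VerifyHostKeyDNS ask
"""

def parse_host_blocks(text: str) -> List[Tuple[List[str], Dict[str, str]]]:
    """Split an ssh_config into (host patterns, options) blocks in file order.
    Options before the first Host line form an implicit 'Host *' block."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        elif key == "match":
            break  # Match criteria need ssh itself; stop at the first one
        else:
            opts.setdefault(key, value)  # first value in a block wins
    blocks.append((patterns, opts))
    return blocks

def resolve(text: str, hostname: str) -> Dict[str, str]:
    """Apply ssh_config semantics: across matching blocks, the FIRST
    obtained value for an option wins, later blocks cannot override it."""
    result: Dict[str, str] = {}
    for patterns, opts in parse_host_blocks(text):
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, value in opts.items():
                result.setdefault(key, value)
    return result

def effective_user(text: str, hostname: str, fabric_default: str = "root") -> str:
    """Fabric precedence as described in the comment: an ssh_config User
    overrides the fabric.py default, which only applies when no block matches."""
    return resolve(text, hostname).get("user", fabric_default)
```

Reversing the order of the two Host blocks makes puppet.torproject.org resolve to root as well, which is the ordering pitfall to check with `ssh -G puppet.torproject.org` on a real client.
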
comment:3 Changed 5 months ago by anarcat

Keywords: tpa-roadmap-april added