Allow different keys for different users #17
matyasselmeci wants to merge 8 commits into opensciencegrid:master from
brianhlin left a comment
So far so good but there are some things that need to be thought through wrt rootly SSH
hosted-ce/30-remote-site-setup.sh
Outdated
| Host $remote_fqdn | ||
| Port $remote_port | ||
| IdentityFile ${BOSCO_KEY} | ||
| IdentityFile "$(get_bosco_key "root")" |
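Review bot: the IdentityFile line is filled from get_bosco_key "root" with no visible check on what the function returned, so a missing root key would leave an empty IdentityFile entry in the generated SSH config. Resolve the key into a variable first, fail with a clear message if it is empty or unreadable, and only then write the Host block. The hard-coded "root" argument also means every deployment needs a key that resolves for root, which should be documented next to this block.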
There was a problem hiding this comment.
Are users going to have to create their secret with a root user and corresponding key?
I think we may be able to drop this rootly SSH config as long as we:
- Run remote OS detection using one of the other users
- Set up the hacky `bosco_key.rsa` per user
- Run `bosco_cluster` and env file `rsync` as the unpriv users
There was a problem hiding this comment.
I am totally open to using one of the other users instead of root for this.
Doesn't bosco_cluster have to be run once per user anyway?
There was a problem hiding this comment.
Yes but we currently run it as root, not as the unpriv user
docker-compute-entrypoint/hosted-ce/30-remote-site-setup.sh
Lines 198 to 202 in d78931e
d78931e to 931d805
Keys will be looked for in the following order:
- `/etc/osg/boscokeys/${ruser}@${rhost}.key`
- `/etc/osg/boscokeys/${ruser}.key`
- `/etc/osg/bosco.key`
Keys will be looked for in the following order:
- `/etc/osg/boscokeys/${ruser}.key`
- `/etc/osg/bosco.key`
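The lookup order from the commit messages above, as an added example that is not code from this pull request: a hypothetical `resolve_bosco_key` shell function (the PR's own `get_bosco_key` is not shown on this page) that walks the three-step order of the first message, of which the second message lists the last two steps. `KEY_ROOT`, the return codes, the fail-closed permission check and the GNU `stat -c` call are assumptions of the example.

```shell
# Added example: hypothetical resolver, not the PR's get_bosco_key.
# KEY_ROOT defaults to the /etc/osg paths quoted in the commit message and is
# overridable (an assumption of this example) so it can run on a scratch dir.
KEY_ROOT="${KEY_ROOT:-/etc/osg}"

# resolve_bosco_key RUSER RHOST
# Prints the first matching key path. Returns 1 if no key exists, 2 on a
# malformed user/host, 3 if the matched key is group/other accessible.
resolve_bosco_key() {
    local ruser rhost part candidate mode
    ruser="$1"
    rhost="$2"
    # Both values end up inside a file name: refuse anything path-like.
    for part in "$ruser" "$rhost"; do
        case "$part" in
            ''|*/*|*..*)
                echo "invalid user or host: '$part'" >&2
                return 2 ;;
        esac
    done
    # Most specific first, shared key last.
    for candidate in \
        "$KEY_ROOT/boscokeys/${ruser}@${rhost}.key" \
        "$KEY_ROOT/boscokeys/${ruser}.key" \
        "$KEY_ROOT/bosco.key"
    do
        [ -f "$candidate" ] || continue
        # -L follows symlinks, so the target's mode is checked (GNU stat assumed).
        mode=$(stat -L -c '%a' "$candidate") || return 3
        case "$mode" in
            *00)
                printf '%s\n' "$candidate"
                return 0 ;;
            *)
                # Fail closed: falling through here would silently swap a
                # per-user key for the shared one.
                echo "refusing $candidate: mode $mode is too open" >&2
                return 3 ;;
        esac
    done
    echo "no key found for ${ruser}@${rhost}" >&2
    return 1
}
```

A caller can capture the path with `key=$(resolve_bosco_key "$ruser" "$rhost") || exit 1` before writing any `IdentityFile` line, so an unresolved key never reaches the SSH config.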
931d805 to bd87ea9
… separate key for root
… need it and non-root users shouldn't fall back to it
brianhlin left a comment
Pre-approving but like you said, we should test this (both multi and single SSH key setups) before merging
| # HACK: Copy the Bosco key to the location expected by | ||
| # bosco_cluster so it doesn't go and try to generate a new one | ||
| root_ssh_dir=/root/.ssh/ | ||
| mkdir -p $root_ssh_dir | ||
| chmod 700 $root_ssh_dir | ||
| ln -s $BOSCO_KEY $root_ssh_dir/bosco_key.rsa | ||
| install -o root -g root -m 0600 "$firstuser_key" $root_ssh_dir/bosco_key.rsa | ||
|
|
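Review bot: the install line copies "$firstuser_key" into /root/.ssh/bosco_key.rsa without a visible check that the variable is set and points at a readable file, so a failed key lookup would surface only as an install error. Check it before this block, and update the HACK comment to say that it is the first user's key being copied, since root now holds a second copy of that user's private key. $root_ssh_dir is also unquoted on these lines while "$firstuser_key" is quoted; quote both for consistency.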
There was a problem hiding this comment.
Can't we get rid of this if we're not using root for SSH anymore?
There was a problem hiding this comment.
I'd have to check what bosco_cluster does, to see if the hack mentioned in the comment is still needed. root is still the one running the ssh command, it's just using someone else's key.
There was a problem hiding this comment.
> I'd have to check what bosco_cluster does, to see if the hack mentioned in the comment is still needed.

I think we want to run bosco_cluster as the unpriv users so that it picks up each of their SSH configs/keys

> root is still the one running the ssh command, it's just using someone else's key.

Ah right
Do we still want this? It's kinda stale.
Allow having multiple keys for bosco (one for each user)
(SOFTWARE-4570)