Fixes #38499 - Introduce SSH cert support #10571
Conversation
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
6b8cdbc to
7055907
Compare
adamlazik1
changed the title
adamlazik1
changed the title
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
7055907 to
af62efa
Compare
app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb
Outdated
Show resolved
Hide resolved
|
|
||
| mkdir -p /etc/ssh/sshd_config.d | ||
| echo 'TrustedUserCAKeys /etc/ssh/user-ca.pub' >/etc/ssh/sshd_config.d/60-user-ca.conf | ||
| systemctl restart sshd |
There was a problem hiding this comment.
I'm not sure you can always rely on being able to restart services. For example, I'm wondering about cloud-init.
There was a problem hiding this comment.
I am not too familiar with cloud-init. Are you referring to the fact that cloud-init may change service configuration or may manipulate with services while it runs? I tried to make the service restart a bit more robust, please tell me if it works or if I need to take some different precautions with regards to cloud-init .
app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb
Outdated
Show resolved
Hide resolved
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
7509605 to
c484790
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
fe302d4 to
86112b9
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
5 times, most recently
from
fc22a59 to
2e306fd
Compare
|
I will keep this in draft because there will be four PRs in total that should get merged at roughly the same time, but I do believe that this is now ready for review. |
app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb
Outdated
Show resolved
Hide resolved
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
2e306fd to
ac072d8
Compare
app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb
Outdated
Show resolved
Hide resolved
| command -v restorecon && restorecon -RvF /etc/ssh || true | ||
|
|
||
| # restart the sshd service | ||
| $(command -v cloud-init && cloud-init status --wait) >/dev/null 2>&1 || true |
There was a problem hiding this comment.
What would happen if this fired from within cloud-init?
There was a problem hiding this comment.
It took me a while to get my provisioning setup working, but I found out that while the command does not hang and appears to be executed, the sshd service is not restarted. Same thing happens when I do not include the cloud-init line altegether. Currently I am looking into other possible ways to restart the service within cloud-init.
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
ac072d8 to
42e3dc5
Compare
|
I don't know how I have done it before but after several days of trying different stuff I am unable to replicate cloud-init malfunction which I had before on the current version of the PR. The sshd service is now correctly restarted and ssh certs work out of the box. I see there is only one runcmd in our cloud-init template, so if I am not mistaken, no race conditions should be able to occur, correct? |
adamlazik1
force-pushed
the
ssh-cert-support
branch
3 times, most recently
from
bff3e1a to
1fd7a96
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
1fd7a96 to
60c7201
Compare
|
Currently, this PR does not support configuring cert authentication on hosts that exist before the feature is enabled the smart proxy. Should I create a job template that could do this? It would have to be run before the ssh cert authentication is enabled on smart proxy. |
adamlazik1
force-pushed
the
ssh-cert-support
branch
3 times, most recently
from
88ecbe9 to
0c01c2c
Compare
|
Switching back to draft since the feature got postponed to 3.16 |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
0c01c2c to
fb5928f
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
6f91c61 to
ec694ec
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
ec694ec to
ec67b2a
Compare
lhellebr
left a comment
lhellebr
left a comment
There was a problem hiding this comment.
I have been able to verify the SSH CA cert feature as a complex of the following 4 PRs:
theforeman/smart_proxy_remote_execution_ssh#126
#10571
theforeman/foreman_remote_execution#977
theforeman/puppet-foreman_proxy#867
Including the following use cases:
SSH REX
Ansible REX
Pull mode REX
Cockpit
Including hosts created by:
Global registration
Provisioning
Including scenarios:
SSH CA on Satellite side
SSH CA on host side
SSH CA on both sides
Both positive scenarios and negative scenarios, that is incorrect CA, incorrect cert, incorrect principal.
=> ACK to this PR
|
@adamlazik1 does this still need to be a draft? |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
ec67b2a to
3dd32a3
Compare
|
/packit build |
4 participants
No description provided.