Introduce SSH cert support #867
Conversation
|
Depends on: theforeman/smart_proxy_remote_execution_ssh#126 |
adamlazik1
force-pushed
the
ssh-cert-support
branch
5 times, most recently
from
702e256 to
18db7e9
Compare
|
This is now ready for review. |
manifests/plugin/ansible.pp
Outdated
| } | ||
| $known_hosts_file_option = $foreman_proxy::plugin::remote_execution::script::ssh_host_ca_public_key ? { | ||
| undef => '', | ||
| default => "-o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_identity_dir}/known_hosts -o UserKnownHostsFile=${foreman_proxy::plugin::remote_execution::script::ssh_ca_known_hosts_file}", |
There was a problem hiding this comment.
Same issue as in remote execution. If we have host CA cert available, should we enforce StrictHostKeyChecking?
|
/packit build |
|
@adamlazik1 could you rebase this please on latest master, so that Packit starts working? |
|
No config file for packit (e.g. For more info, please check out the documentation or contact the Packit team. You can also use our CLI command |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
18db7e9 to
3759635
Compare
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
f6c78c1 to
5e673ed
Compare
|
Updated ansible ssh args to enforce strict host key checking if host CA is provided. |
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
5e673ed to
3bdd6b6
Compare
|
Switching back to draft since the feature got postponed to 3.16 |
| # $ssh_identity_file:: Provide an alternative name for the SSH keys | ||
| # | ||
| # $ssh_keygen:: Location of the ssh-keygen binary | ||
| # $ssh_user_ca_public_key_file:: Public key file for the SSH CA certificate |
There was a problem hiding this comment.
Should we unify with the host CA key behavior and pass the public key contents instead of a path? I would solve issues with permissions.
There was a problem hiding this comment.
From security POV, it should be fine since the CA key is public. But how long is it? How long will it eventually be? Maybe the shell won't like a line that long. I think this kind of data shouldn't be passed in the command line. OTOH, if it's consistent with something we already have, it may be the least confusing.
The permission issues themselves can be solved by documentation + help text.
There was a problem hiding this comment.
I see, thanks for your input. You have a good point with possible future length, so I will probably leave it as it is.
There was a problem hiding this comment.
Updated: parameter now accepts file path with the key instead of string.
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
3bdd6b6 to
a9906b3
Compare
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
|
/packit build |
|
Account adamruzicka has no write access nor is author of PR! |
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
a9906b3 to
97c756e
Compare
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
97c756e to
60cd6a8
Compare
|
/packit build |
1 similar comment
|
/packit build |
|
Account lhellebr has no write access nor is author of PR! |
|
/packit build |
lhellebr
left a comment
lhellebr
left a comment
There was a problem hiding this comment.
I have been able to verify the SSH CA cert feature as a complex of the following 4 PRs:
theforeman/smart_proxy_remote_execution_ssh#126
theforeman/foreman#10571
theforeman/foreman_remote_execution#977
#867
Including the following use cases:
SSH REX
Ansible REX
Pull mode REX
Cockpit
Including hosts created by:
Global registration
Provisioning
Including scenarios:
SSH CA on Satellite side
SSH CA on host side
SSH CA on both sides
Both positive scenarios and negative scenarios, that is incorrect CA, incorrect cert, incorrect principal.
=> ACK to this PR
|
@adamlazik1 could you please rebase and then undraft? |
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
b95fb9a to
d614cca
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
8164f9a to
844a7ae
Compare
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
844a7ae to
d7986ca
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
d7986ca to
b96bcac
Compare
5 participants
No description provided.