Closed Bug 1124623 Opened 9 years ago Closed 9 years ago

figure out SSH access strategy for AWS nodes

Categories

(Socorro :: Infra, task)

Product:
Socorro
Component:
Infra
Platform:
x86
macOS
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: dmaher, Unassigned)

References

Details

There must be a way to log into the AWS nodes via SSH.  This is a tricky question that involves a handful of different items.  Questions we need to answer include, but are not limited to, the following:

Network:
* What port should SSHd run on?
* Should we allow access to the SSHd port from 0.0.0.0/0?
* If no, how do we restrict access sanely?
  * Jumphosts?
  * VPN?
  * Some magic Amazon thing maybe?  idk.

System:
* Do we permit root login? (haha, jk, of course not.)
* Users?
  * Just one user (i.e. "socorro")?
  * Accounts for everybody?
* SSH keys
  * If just one user, is there just one key?
  * If just one user, multiple keys?
* sudo
  * NOPASSWD or not?


We need to sort this out relatively quickly as it will become a blocker for rolling out actual infra.
Network:
* SSHd will run on some random port.
* Access will be allowed from any IP.

System:
* Just one user.
  * Most "cloud" versions of distros have a default user - we'll roll with that one.
* Multiple keys for said user.
* sudo with NOPASSWD is fine.
  * If an attacker can login in the first place then there are other, larger considerations in the mix.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
A note on configuring OpenSSH:
https://wiki.mozilla.org/Security/Guidelines/OpenSSH
You need to log in before you can comment on or make changes to this bug.