Closed Bug 294880 Opened 20 years ago Closed 19 years ago

Require SSH for website cvs checkins

Categories

(mozilla.org Graveyard :: Server Operations: Projects, task)

Product:
mozilla.org Graveyard
Component:
Server Operations: Projects
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: justdave, Assigned: justdave)

References

Details

A while back we switched over our code repository from pserver to requiring SSH
to access it.

It's been "long term plan" for a while to do the same to the website repository,
but mostly nothing's been done about it (and I can't find a bug for it either).
 I'd like to start moving on that fairly soon.

The majority of the infrastructure is already in place -- dbaron copied over the
shell accounts and ssh keys not too long ago from megalon for anyone who had one
already there that also had web cvs access.  So for the majority of folks, it
already works. :)  All that remains is just to turn off pserver and convert the
accounts for the people who didn't already have source code access.

Here's the plan:

1) Reconfigure doctor.mozilla.org so it requires SSL to connect.  This will help
prevent passwords from getting sent in cleartext over the net.  This can be done
anytime, and doesn't block or depend on any of the following, but it needs to be
done anyway. :)  doctor should probably be modified to tell people to use their
"despot password" since they won't actually be using a password for CVS anymore
anywhere other than doctor.

2) Set a date for cutting off pserver, and announce it far and wide (if someone
can suggest places to announce it, I'd be grateful) and encourage people with
unconverted accounts to mail SSH keys in.  Given the likely load this will cause
to the people watching cvs-admin, it might be best to wait to announce this
until we have our intern around to pick up the slack in the other admin duties
(or have him do these) :)  (i.e. end of June)

3) When the day comes, leave pserver enabled on rheet, but change the firewall
so traffic to pserver on rheet gets sent to pserver on megalon instead, which
will result in the "pserver intentionally disabled - please contact
cvs-admin@mozilla.org" message to the users connecting from outside the
firewall, but still allow pserver to work inside the firewall.  This will let
things like doctor and despot continue to work.
Priority: -- → P4
This is a mass-reassign of bugs that I'm not actively working on right at this moment to the default component owner, since we now have a larger IT staff than just me.  These bugs will be getting redistributed to other sysadmins as sysadmin time becomes available.
Assignee: justdave → server-ops
Priority: P4 → --
Assignee: server-ops → justdave
Component: Server Operations → Server Operations Projects
QA Contact: myk → justin
*** Bug 320229 has been marked as a duplicate of this bug. ***
This is on my plate again.  Likely ETA is end of January.
Blocks: 247803
This was done this last week.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.