Closed
Bug 686488
Opened 13 years ago
Closed 11 years ago
add releng+relops' SSH keys to root's authorized_keys using PuppetAgain
Categories
(Release Engineering :: General, defect, P3)
Release Engineering
General
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bhearsum, Assigned: kmoir)
Details
(Whiteboard: [puppet])
When we hit issues like bug 685570 we end up with inaccessible machines, because we can't login directly as root over ssh. We should enable that, so that we can still use the machines when ssh is busted.
|
||
Comment 1•13 years ago
|
||
The fix in bug 685575 will help, but yeah, this is a good idea.
|
Reporter | |
Comment 2•13 years ago
|
||
Am I remembering right that bug 685575 will fix this?
|
|
||
Comment 3•13 years ago
|
||
Not quite - it will fix the direct dependency on LDAP, but it won't make root logins work.
|
||
Comment 4•13 years ago
|
||
Should be a simple matter of setting PermitRootLogin in sshd_config and restarting sshd.
Assignee: nobody → jhford
Priority: -- → P3
Whiteboard: [puppet]
|
|
||
Updated•12 years ago
|
Assignee: jhford → kmoir
|
Assignee | |
Comment 5•12 years ago
|
||
I assume this is required for both the existing puppet install and puppetAgain?
|
|
||
Comment 6•12 years ago
|
||
I don't think we have any machines left that are still using this ldap-lpk technique (which tries to talk to the LDAP server at the time of each login). I think all of the other machines have PermitRootLogin enabled -- at least, I always login as root. Maybe this could be re-purposed to add releng+relops' SSH keys to root's authorized_keys using PuppetAgain/
|
|
Assignee | |
Comment 7•12 years ago
|
||
So another question from the newbie, is there a list of the releng and relops keys required? I looked in puppet again configs and it looks like most of the releng keys are already there.
Summary: enable root logins to machines using puppet ssh package → add releng+relops' SSH keys to root's authorized_keys using PuppetAgain
|
|
||
Comment 8•12 years ago
|
||
They're in LDAP, but it's not easy to get them out of there. Ideally, they'd end up in a local CSV file rather than in hg (since external users of puppetagain really don't want all of releng+relops to have access to their systems, and vice versa). Short-term, I think it might be best to find a way to specify these keys statically on the puppet masters - either in a CSV or (less preferable) in a file that's not checked in. Slightly longer term, it'd be great to have a crontask and an LDAP role account that can pull that data from LDAP to keep it up to date.
|
|
||
Comment 9•11 years ago
|
||
These are static now. I'm going to work on synchronizing sysadmins' keys in, so I'll do the same for releng/relops - bug 828459
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Product: mozilla.org → Release Engineering
You need to log in
before you can comment on or make changes to this bug.
Description
•