add releng+relops' SSH keys to root's authorized_keys using PuppetAgain

Status: RESOLVED FIXED
Product: Release Engineering
Component: General
Priority: P3
Severity: normal
Reported: 7 years ago
Modified: 5 years ago

People: Reporter: bhearsum; Assigned: kmoir

Tracking: Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: [puppet]

(Reporter)

Description

7 years ago
When we hit issues like bug 685570 we end up with inaccessible machines, because we can't log in directly as root over ssh. We should enable that, so that we can still use the machines when ssh is busted.
The fix in bug 685575 will help, but yeah, this is a good idea.
(Reporter)

Comment 2

7 years ago
Am I remembering right that bug 685575 will fix this?
Not quite - it will fix the direct dependency on LDAP, but it won't make root logins work.

Comment 4

7 years ago
Should be a simple matter of setting PermitRootLogin in sshd_config and restarting sshd.
Assignee: nobody → jhford
Priority: -- → P3
Whiteboard: [puppet]

Updated

6 years ago
Assignee: jhford → kmoir
(Assignee)

Comment 5

6 years ago
I assume this is required for both the existing puppet install and puppetAgain?
I don't think we have any machines left that are still using this ldap-lpk technique (which tries to talk to the LDAP server at the time of each login).  I think all of the other machines have PermitRootLogin enabled -- at least, I always log in as root.

Maybe this could be re-purposed to add releng+relops' SSH keys to root's authorized_keys using PuppetAgain.
(Assignee)

Comment 7

6 years ago
So another question from the newbie, is there a list of the releng and relops keys required?

I looked in the PuppetAgain configs and it looks like most of the releng keys are already there.
Summary: enable root logins to machines using puppet ssh package → add releng+relops' SSH keys to root's authorized_keys using PuppetAgain
They're in LDAP, but it's not easy to get them out of there.  Ideally, they'd end up in a local CSV file rather than in hg (since external users of puppetagain really don't want all of releng+relops to have access to their systems, and vice versa).

Short-term, I think it might be best to find a way to specify these keys statically on the puppet masters - either in a CSV or (less preferable) in a file that's not checked in.  Slightly longer term, it'd be great to have a crontask and an LDAP role account that can pull that data from LDAP to keep it up to date.
These are static now.  I'm going to work on synchronizing sysadmins' keys in, so I'll do the same for releng/relops - bug 828459
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Product: mozilla.org → Release Engineering
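The two pieces the thread settles on, comment 4's PermitRootLogin change in sshd_config and comment 8's proposal to feed root's authorized_keys from a static key list held on the puppet master, fit in one manifest. The following is an added example written for this page, not code from PuppetAgain or from anyone in this bug. Everything in it is an assumption: the class name root_ssh_access, the $keys hash (a stand-in for the per-master CSV the comment proposes), the key bodies (constructed placeholders, not real keys), the service name sshd (CentOS-style; Debian calls it ssh), and the use of the augeas type, which needs the ruby-augeas bindings on the agent.

```puppet
# Added example, not PuppetAgain's own code.  Keeps root reachable over SSH
# with public keys only and manages root's authorized_keys from a hash that
# would, in practice, be loaded from a CSV kept on the puppet master.
class root_ssh_access {

  # Constructed sample data (hypothetical people, placeholder key bodies).
  # Title = the key comment; 'key' holds only the base64 body, which is
  # what the ssh_authorized_key type expects.
  $keys = {
    'alice@releng' => { 'type' => 'ssh-rsa', 'key' => 'AAAAB3...CONSTRUCTED_PLACEHOLDER_1' },
    'bob@relops'   => { 'type' => 'ssh-rsa', 'key' => 'AAAAB3...CONSTRUCTED_PLACEHOLDER_2' },
  }

  # Comment 4's change, but key-only: 'without-password' lets root in with a
  # key while password authentication for root stays refused.  OpenSSH 7.0+
  # spells the same value 'prohibit-password' and accepts both.
  augeas { 'sshd_permit_root_login':
    context => '/files/etc/ssh/sshd_config',
    changes => 'set PermitRootLogin without-password',
    notify  => Service['sshd'],
  }

  # Service name assumed (sshd on RHEL/CentOS, ssh on Debian/Ubuntu).
  service { 'sshd':
    ensure => running,
    enable => true,
  }

  # With StrictModes (the default) sshd ignores authorized_keys entirely if
  # ~root/.ssh is group- or world-accessible, so pin ownership and mode.
  file { '/root/.ssh':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0700',
  }

  # One ssh_authorized_key resource per hash entry.  The type creates the
  # target file with mode 0600 itself.  Note that an entry simply deleted
  # from $keys stops being managed but is NOT removed from the host; to
  # revoke a key, declare it with ensure => absent (or purge unmanaged keys
  # with the 'resources' metatype).
  create_resources('ssh_authorized_key', $keys, {
    'ensure'  => 'present',
    'user'    => 'root',
    'target'  => '/root/.ssh/authorized_keys',
    'require' => File['/root/.ssh'],
  })
}

include root_ssh_access
```

Because the key list lives on the master rather than in the checked-in manifests, external users of PuppetAgain never receive releng+relops keys, which is the separation the thread asks for; the longer-term LDAP sync mentioned in the same comment would just replace the hash with data pulled by a cron job into that same CSV.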