Closed Bug 880723 Opened 12 years ago Closed 11 years ago

Openssh key based user auth recommendation

Categories: Security Assurance :: General
Platform: x86_64 Linux
Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: gene, Assigned: michalpurzynski1)

Details

I need to establish individual user accounts on our AWS cloud servers for Services Ops and Identity users. I would like to establish users in code and inject their public keys into their authorized_keys files. How do you recommend I do this? Here are some ideas:
* Somehow get our AWS installation whitelisted so each server can talk to the public ldap.mozilla.com interface and fetch all users' public keys upon server provisioning to inject into authorized_keys. Downside, not sure how to provide IP based access control since the outbound IPs from AWS are not fixed.
* Statically create in provisioning logic the list of users and their keys. Downside, when a person changes their public key in ldap it's not reflected in our servers. Downside, when a person leaves mozilla they continue having an account created on our servers. Upside, no ldap IP acl access is needed.
* Enable openssh to query directly for the key from ldap ( http://code.google.com/p/openssh-lpk/ ). Downside, still requires IP based acl from AWS.
* Provision using the public keys stored in https://github.com/mozilla/identity-pubkeys . Downside, this public key store isn't our canonical key store even though it's the one used for everything in identity.
* Establish a nightly export that dumps all public keys out of ldap and serves them up on some public web interface. Upside, since the ldap data being revealed is limited to just public keys it probably wouldn't need IP acls like ldap normally does since there would be no passwords to attempt brute force against.
* Other ideas I'm not coming up with.
Assignee: nobody → mpurzynski
Status: NEW → ASSIGNED
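The nightly-export option above ("dump all public keys out of ldap and serve them up") still leaves the consuming side to do two things safely: accept only well-formed keys, and remove keys that have disappeared from the directory (the "person leaves" and "person rotates their key" downsides of the static list). The script below is an added example for this bug, not code from the reporter, from Services Ops' puppet manifest, or from openssh-lpk. It assumes an openssh-lpk style schema (each user entry carries `uid` and zero or more `sshPublicKey` attributes) and consumes an LDIF export; the LDIF and the key blobs in it are constructed test data with dummy key material.

```python
"""Turn an LDIF export of sshPublicKey attributes into per-user authorized_keys
content, rejecting malformed keys and reporting keys to revoke.
Added example for bug 880723; assumes an openssh-lpk style schema (uid +
sshPublicKey). SAMPLE_LDIF is constructed and its key blobs are dummy material."""
import base64
import struct
from typing import Dict, List, Set, Tuple

# Key types accepted from the directory. Lines carrying options (command=, from=)
# fail the check too, because their first field is then not a bare key type.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader: {uid: [sshPublicKey values]}. Handles folded lines
    (leading space) and base64-encoded values ('attr:: value')."""
    entries: Dict[str, List[str]] = {}
    logical: List[str] = []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and logical:       # continuation of the previous line
            logical[-1] += raw[1:]
            continue
        if raw.strip():
            logical.append(raw)
            continue
        uid, keys = None, []                      # blank line terminates an entry
        for line in logical:
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):             # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode()
            if attr == "uid":
                uid = value
            elif attr == "sshPublicKey":
                keys.append(value)
        if uid is not None:
            entries[uid] = keys
        logical = []
    return entries


def validate_key(line: str) -> bool:
    """Accept '<type> <base64> [comment]' only if the type is allowed and the
    blob's first length-prefixed string (RFC 4253 wire format) repeats the type.
    This is a structural check, not a cryptographic one."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n] == parts[0].encode()


def build_authorized_keys(ldif_text: str) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Return ({uid: authorized_keys content}, [(uid, rejected line), ...]).
    A user with no valid keys still gets an empty file so stale keys are dropped."""
    files: Dict[str, str] = {}
    rejected: List[Tuple[str, str]] = []
    for uid, keys in parse_ldif(ldif_text).items():
        files[uid] = "".join(f"{k}\n" for k in sorted({k for k in keys if validate_key(k)}))
        rejected += [(uid, k) for k in keys if not validate_key(k)]
    return files, rejected


def keys_to_revoke(current: Dict[str, Set[str]], desired: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Keys on the host that the export no longer lists, per user. A user absent
    from the export loses every key (the 'person leaves' case)."""
    stale = {uid: keys - desired.get(uid, set()) for uid, keys in current.items()}
    return {uid: keys for uid, keys in stale.items() if keys}


def _dummy_key(keytype: str, seed: int) -> str:
    """Well-formed key line with dummy material (constructed; not a usable key)."""
    kt, material = keytype.encode(), bytes([seed]) * 32
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(material)) + material
    return f"{keytype} {base64.b64encode(blob).decode()} user{seed}@constructed"


def _fold(attr: str, value: str, width: int = 76) -> str:
    """LDIF folding as exporters emit it: continuation lines start with one space."""
    text = f"{attr}: {value}"
    lines, rest = [text[:width]], text[width:]
    while rest:
        lines.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(lines)


SAMPLE_LDIF = "\n".join([                         # constructed export
    "dn: uid=alice,ou=people,dc=example,dc=com", "uid: alice",
    _fold("sshPublicKey", _dummy_key("ssh-ed25519", 1)),
    _fold("sshPublicKey", _dummy_key("ssh-rsa", 2)),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com", "uid: bob",
    "sshPublicKey: ssh-dss AAAAB3NzaC1kc3MAAACB bob@legacy",   # type not allowed
    _fold("sshPublicKey", _dummy_key("ssh-ed25519", 4)),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com", "uid: carol",
    "sshPublicKey: ssh-ed25519 AAAA carol@truncated",          # blob too short
    "",
])

if __name__ == "__main__":
    files, rejected = build_authorized_keys(SAMPLE_LDIF)
    desired = {u: set(c.splitlines()) for u, c in files.items()}
    on_host = {**desired, "dave": {_dummy_key("ssh-ed25519", 9)}}  # dave left
    print(files, rejected, keys_to_revoke(on_host, desired), sep="\n")
```

Whatever serves the export (a web endpoint, or the EIP relay VM suggested in the next comment) should be fetched over TLS and the result written atomically per user; the structural check is what keeps a corrupted or truncated export from silently locking everyone out or, worse, installing a line that sshd parses differently than the directory intended.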
Gene, how about having an extra VM in AWS set up, with EIP (so it's fixed) having LDAP access? It would query the LDAP and further distribute the keys as required.
Flags: needinfo?(gene)
Ah, in the intervening 5 months between this question back in June and now it looks like the rest of Services Ops has developed a puppet manifest that deals with user accounts. I'm not sure how it works but Daniel Thornton would. For now I'm just going to use his solution but if you're curious about it I'd recommend hitting him up.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: needinfo?(gene)
Resolution: --- → WONTFIX
Component: Operations Security (OpSec): General → General
Product: mozilla.org → Enterprise Information Security