Bug #17051

Zen's SSH public key is not configured in lizard's dropbear

Added by zen about 1 month ago. Updated about 2 hours ago.

Status: Resolved
Priority: High
Assignee:
Category: Infrastructure
Target version:
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:

Description

Today we had to reboot Lizard and I couldn't log in to dropbear for unlocking the encrypted disk. We have to:

  • Verify/confirm that my key is indeed not configured in dropbear and included in the initramfs.
  • Fix whatever is wrong in case the key is really not there.
  • Adjust the onboarding documentation in case a step is missing there.

Related issues

Blocks Tails - Feature #13242: Core work: Sysadmin (Maintain our already existing services) Confirmed 06/29/2017

History

#1 Updated by zen about 1 month ago

  • Description updated (diff)

#2 Updated by intrigeri about 1 month ago

  • Priority changed from Normal to High
  • Target version set to Tails_4.0

(Zen Fu just started a few weeks of sysadmin shifts and it would be nice if he was able to reboot lizard himself :)

#3 Updated by intrigeri about 1 month ago

  • Assignee changed from Sysadmins to intrigeri

I'm on it!

#4 Updated by intrigeri about 1 month ago

  • Status changed from Confirmed to Needs Validation
  • Assignee changed from intrigeri to zen

zen wrote:

  > • Verify/confirm that my key is indeed not configured in dropbear and included in the initramfs.

Confirmed. /etc/dropbear-initramfs/authorized_keys was last updated in 2017. It included keys that should not have access (anymore) so while I was at it, I've removed them.

  > • Fix whatever is wrong in case the key is really not there.
  > • Adjust the onboarding documentation in case a step is missing there.

We simply had no process to update /etc/dropbear-initramfs/authorized_keys. I've implemented (Puppet + onboarding doc) the cheapest possible thing to ensure we at least update it when we onboard a new sysadmin.
I'll push the onboarding doc once sysadmin.git is repaired ⇒ @zen, once you've reviewed the Puppet bits and repaired sysadmin.git, please reassign to me :)

Note that what I did does not cover sysadmin rotating their SSH keys (I can think of several ways to fix that but not today), nor removing access for a sysadmin (although if we follow the onboarding doc and revert everything we should be good).
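An added example, not the Puppet code referred to in this ticket: a small audit that compares /etc/dropbear-initramfs/authorized_keys with a list of the current sysadmin keys and reports missing and stale entries, which also catches the key-rotation and access-removal cases mentioned above. The expected-keys file, the initrd image path argument and the mtime comparison (keys file newer than the image means the initramfs has not been rebuilt since) are assumptions of this example.

```python
import os
import re
import sys

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$")
DEPLOYED = "/etc/dropbear-initramfs/authorized_keys"  # path named in this ticket

def parse_keys(text):
    """Map each key blob to its comment; tolerate option prefixes, blanks, '#' lines."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if KEY_TYPE.match(field):
                keys[fields[i + 1]] = " ".join(fields[i + 2:]) or "(no comment)"
                break
    return keys

def audit(expected_text, deployed_text):
    """Return (missing, stale): comments of keys to add and keys to revoke."""
    expected, deployed = parse_keys(expected_text), parse_keys(deployed_text)
    missing = sorted(c for k, c in expected.items() if k not in deployed)
    stale = sorted(c for k, c in deployed.items() if k not in expected)
    return missing, stale

def initramfs_outdated(keys_path, initrd_path):
    """Heuristic: keys file modified after the image was built, so it needs a rebuild."""
    return os.path.getmtime(keys_path) > os.path.getmtime(initrd_path)

# Constructed sample data (not real keys): one sysadmin missing, one stale entry.
SAMPLE_EXPECTED = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYALICE alice@example
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBOB bob@example
"""
SAMPLE_DEPLOYED = """\
no-port-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYALICE alice@example
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLEKEYCAROL carol@example
"""

if __name__ == "__main__":
    expected, deployed = SAMPLE_EXPECTED, SAMPLE_DEPLOYED
    if len(sys.argv) == 3:  # usage: EXPECTED_KEYS_FILE INITRD_IMAGE (assumed arguments)
        expected, deployed = open(sys.argv[1]).read(), open(DEPLOYED).read()
        if initramfs_outdated(DEPLOYED, sys.argv[2]):
            print("authorized_keys is newer than the initramfs: run update-initramfs -u")
    missing, stale = audit(expected, deployed)
    print("missing:", missing, "stale:", stale)
```

Run without arguments it audits the constructed sample; with the two arguments it reads the deployed file on the host.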

#5 Updated by intrigeri about 1 month ago

> I'll push the onboarding doc once sysadmin.git is repaired

Now done, so you can review these bits at the same time as the Puppet changes :)

#6 Updated by intrigeri 29 days ago

  • Blocks Feature #13242: Core work: Sysadmin (Maintain our already existing services) added

#7 Updated by zen about 13 hours ago

  • Assignee changed from zen to intrigeri

I see the keys in place, I think the onboarding doc is enough for now, and I have reviewed the Puppet code and it looks good. I haven't tested it, though, but we'll have an opportunity soon.

I'm reassigning to you because you asked to.

#8 Updated by intrigeri about 2 hours ago

  • Status changed from Needs Validation to Resolved

Hi zen,

> I see the keys in place, I think the onboarding doc is enough for now, and I have reviewed the Puppet code and it looks good. I haven't tested it, though, but we'll have an opportunity soon.

Great!

> I'm reassigning to you because you asked to.

(That was only because I could not push the updated onboarding doc to sysadmin.git that was broken back then, but it was quickly fixed and you've reviewed those bits too ⇒ closing.)
