Project

General

Profile

Actions

User story #4441

closed

A new technique for SSH key removal

Added by Alex Tkachenko about 10 years ago. Updated about 2 years ago.

Status:
Rejected
Priority:
2
Assignee:
-
Category:
Techniques
UX impact:
Suggestion strength:
User visibility:
Effort required:
Name check:
Fix check:
Regression:

Description

This technique could be used to consistently remove deprecated keys (i.e. rotated or personal keys of retired users) from the configuration.

It is based upon and is very similar to the updated version of sshKeyDistribution technique (submitted at http://www.rudder-project.org/redmine/issues/4439.

I hope it will be found useful.

If accepted, please feel free to insert whatever mandatory copyright notice required at the top of each file.


Files

metadata.xml (2.11 KB) metadata.xml Alex Tkachenko, 2014-02-05 02:40
sshKeyDisable.st (5.93 KB) sshKeyDisable.st Alex Tkachenko, 2014-02-05 02:40
metadata.xml (2.17 KB) metadata.xml Alex Tkachenko, 2014-02-15 01:47
sshKeyDisable.st (5.98 KB) sshKeyDisable.st Alex Tkachenko, 2014-02-15 01:47
Actions #1

Updated by Vincent MEMBRÉ about 10 years ago

  • Category set to Techniques
  • Assignee set to Nicolas CHARLES
  • Priority changed from N/A to 2
  • Target version set to 2.6.11

Really thank you Alex for that brand new Technique!

Nicolas, or Matthieu, can you look into it ?

Actions #2

Updated by Nicolas CHARLES about 10 years ago

  • Status changed from New to Discussion
  • Assignee changed from Nicolas CHARLES to Alex Tkachenko

Wow, thank you very much Alex. This is clearly a very nice technique, very clear and readable.

As in #4439, I have on question: is it necessary to define the configuration file holding keys ?
Otherwise, everything look in perfect to me, except maybe replacing

      "userdata_${sshkey_disable_index}" 
        string  => execresult("/usr/bin/getent passwd ${sshkey_disable_name[${sshkey_disable_index}]}", "noshell");
      "no_${sshkey_disable_index}" 
        int     => parsestringarray("userarray_${sshkey_disable_index}", "${userdata_${sshkey_disable_index}}", "", ":", "1000", "200000" );
      "homedir[${sshkey_disable_index}]" 
        string  => "${userarray_${sshkey_disable_index}[${sshkey_disable_name[${sshkey_disable_index}]}][5]}";

by

      "homedir[${sshkey_disable_index}]" 
        string  => execresult("/bin/echo ~${sshkey_disable_name[${sshkey_disable_index}]}", "useshell");

it has the advantage of being a bit easier to read, and if the user is not there, it tries to edit the file ~user/.ssh/file which will fail, rather than not doing anything (and not reporting anything). But I reckon that we are currently using the method you used in the Technique

Actions #3

Updated by Alex Tkachenko about 10 years ago

Sorry for the delay in response - I've got a sort of a local event here.

As for considered change - I would not do it via execresult for two reasons. First, I have learned that evaluation of variables may actually happen more than once, and spawning an additional process would be more expensive (especially with the "useshell" option) than just processing arrays of already queried data. Second - using tilde would be subject to special support from the shell, and while bash is OK, I can not speak for the others - I've seen admins changing their shell to csh and zsh and I am no sure which one cfengine would pick for useshell option.

Updated by Alex Tkachenko about 10 years ago

I have updated the technique to remove the global variable SSH_DISABLE_KEY_CONFIG_BASENAME (see http://www.rudder-project.org/redmine/issues/4439 for details).

Actions #5

Updated by Nicolas CHARLES about 10 years ago

  • Assignee changed from Alex Tkachenko to Jonathan CLARKE

Thank you very much !

I have a question on this one. Do you think it make sense to create a new technique for this?

It feel it would be a welcomed addition to the SSHKeyDistribution Technique, and adding an option (or a section) "Delete ssh keys" that would delete keys

What do you think of it Alex and Jon ?

Actions #6

Updated by Alex Tkachenko about 10 years ago

I considered this option initially, but it makes the implementation quite complicated and difficult to read.

Also, for those folks who would be using SSHKeyDistribution with replace all option (i.e. enforcing the exact content of the file) this addition will be a waste.

I think keeping them separated is better from a management prospective.

My personal opinion - if it does not fit into one screen - it is difficult to comprehend and there may be some architectural flaw with it :)

Actions #7

Updated by Vincent MEMBRÉ about 10 years ago

  • Target version changed from 2.6.11 to 2.6.12
Actions #8

Updated by Vincent MEMBRÉ about 10 years ago

  • Target version changed from 2.6.12 to 2.6.13
Actions #9

Updated by Vincent MEMBRÉ almost 10 years ago

  • Target version changed from 2.6.13 to 2.6.14
Actions #10

Updated by Jonathan CLARKE almost 10 years ago

  • Target version changed from 2.6.14 to 2.6.16
Actions #11

Updated by Jonathan CLARKE almost 10 years ago

  • Target version changed from 2.6.16 to 2.6.17
Actions #12

Updated by Nicolas PERRON over 9 years ago

  • Target version changed from 2.6.17 to 2.6.18
Actions #13

Updated by Matthieu CERDA over 9 years ago

  • Target version changed from 2.6.18 to 2.6.19
Actions #14

Updated by Vincent MEMBRÉ over 9 years ago

  • Target version changed from 2.6.19 to 2.6.20
Actions #15

Updated by François ARMAND about 9 years ago

  • Assignee changed from Jonathan CLARKE to Benoît PECCATTE
  • Target version changed from 2.6.20 to 2.10.10

Benoit, could you take a fresh look at that one ?

Actions #16

Updated by Vincent MEMBRÉ about 9 years ago

  • Target version changed from 2.10.10 to 2.10.11
Actions #17

Updated by Vincent MEMBRÉ about 9 years ago

  • Target version changed from 2.10.11 to 2.10.12
Actions #18

Updated by Benoît PECCATTE about 9 years ago

  • Project changed from 24 to Rudder
  • Category changed from Techniques to Techniques
Actions #19

Updated by Vincent MEMBRÉ about 9 years ago

  • Target version changed from 2.10.12 to 2.10.13
Actions #20

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 2.10.13 to 2.10.14
Actions #21

Updated by Vincent MEMBRÉ almost 9 years ago

  • Target version changed from 2.10.14 to 2.10.15
Actions #22

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 2.10.15 to 2.10.16
Actions #23

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 2.10.16 to 2.10.17
Actions #24

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 2.10.17 to 2.10.18
Actions #25

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 2.10.18 to 2.10.19
Actions #26

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 2.10.19 to 2.10.20
Actions #27

Updated by Vincent MEMBRÉ over 8 years ago

  • Target version changed from 2.10.20 to 2.11.18
Actions #28

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 2.11.18 to 2.11.19
Actions #29

Updated by Vincent MEMBRÉ about 8 years ago

  • Target version changed from 2.11.19 to 2.11.20
Actions #30

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 2.11.20 to 2.11.21
Actions #31

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 2.11.21 to 2.11.22
Actions #32

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 2.11.22 to 2.11.23
Actions #33

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 2.11.23 to 2.11.24
Actions #34

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 2.11.24 to 308
Actions #35

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 308 to 3.1.14
Actions #36

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.14 to 3.1.15
Actions #37

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.15 to 3.1.16
Actions #38

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.16 to 3.1.17
Actions #39

Updated by Vincent MEMBRÉ over 7 years ago

  • Target version changed from 3.1.17 to 3.1.18
Actions #40

Updated by Vincent MEMBRÉ about 7 years ago

  • Target version changed from 3.1.18 to 3.1.19
Actions #41

Updated by Benoît PECCATTE about 7 years ago

  • Tracker changed from Bug to User story
Actions #42

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 3.1.19 to 3.1.20
Actions #43

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 3.1.20 to 3.1.21
Actions #44

Updated by Vincent MEMBRÉ almost 7 years ago

  • Target version changed from 3.1.21 to 3.1.22
Actions #45

Updated by Benoît PECCATTE over 6 years ago

  • Assignee deleted (Benoît PECCATTE)
Actions #46

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 3.1.22 to 3.1.23
Actions #47

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 3.1.23 to 3.1.24
Actions #48

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 3.1.24 to 3.1.25
Actions #49

Updated by Benoît PECCATTE over 6 years ago

  • Target version changed from 3.1.25 to 4.1.9
Actions #50

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 4.1.9 to 4.1.10
Actions #51

Updated by Benoît PECCATTE about 6 years ago

  • Target version changed from 4.1.10 to Ideas (not version specific)
Actions #52

Updated by Alexis Mousset about 2 years ago

This won’t be added to that technique, please use the technique editor for that. If you are missing some capabilities in it, please open a ticket for that need.

Actions #53

Updated by Alexis Mousset about 2 years ago

  • Status changed from Discussion to Rejected
Actions

Also available in: Atom PDF