Bug #17051: Zen's SSH public key is not configured in lizard's dropbear

Bug #17051

Zen's SSH public key is not configured in lizard's dropbear

Added by zen 2019-09-13 11:51:00 . Updated 2019-10-18 07:33:06 .

Status:

Resolved

Priority:

High

Assignee:

intrigeri

Category:

Infrastructure

Target version:

Tails_4.0

Start date:

Due date:

% Done:

Feature Branch:

Type of work:

Sysadmin

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

Today we had to reboot Lizard and I couldn’t login into dropbear for unlocking the encrypted disk. We have to:

Verify/confirm that my key is indeed not configured in dropbear and included the initramfs.
Fix whatever is wrong in case the key is really not there.
Adjust the onboarding documentation in case a step is missing there.

Subtasks

Related issues

Blocks Tails - Feature #13242: Core work: Sysadmin (Maintain our already existing services)

Confirmed

2017-06-29

History

#1 Updated by zen 2019-09-13 11:51:23

Description updated

#2 Updated by intrigeri 2019-09-13 12:01:08

Priority changed from Normal to High
Target version set to Tails_4.0

(Zen Fu just started a few weeks of sysadmin shifts and it would be nice if he was able to reboot lizard himself :)

#3 Updated by intrigeri 2019-09-16 09:10:51

Assignee changed from Sysadmins to intrigeri

I’m on it!

#4 Updated by intrigeri 2019-09-16 09:48:34

Status changed from Confirmed to Needs Validation
Assignee changed from intrigeri to zen

zen wrote:
> * Verify/confirm that my key is indeed not configured in dropbear and included the initramfs.

Confirmed. /etc/dropbear-initramfs/authorized_keys was last updated in 2017. It included keys that should not have access (anymore) so while I was at it, I’ve removed them.

> * Fix whatever is wrong in case the key is really not there.
> * Adjust the onboarding documentation in case a step is missing there.

We simply had no process to update /etc/dropbear-initramfs/authorized_keys. I’ve implemented (Puppet + onboarding doc) the cheapest possible thing to ensure we at least update it when we onboard a new sysadmin.
I’ll push the onboarding doc once sysadmin.git is repaired ⇒ @zen, once you’ve reviewed the Puppet bits and repaired sysadmin.git, please reassign to me :)

Note that what I did does not cover sysadmin rotating their SSH keys (I can think of several ways to fix that but not today), nor removing access for a sysadmin (although if we follow the onboarding doc and revert everything we should be good).

#5 Updated by intrigeri 2019-09-16 12:53:09

> I’ll push the onboarding doc once sysadmin.git is repaired

Now done, so you can review these bits at the same time as the Puppet changes :)

#6 Updated by intrigeri 2019-09-19 06:08:55

blocks Feature #13242: Core work: Sysadmin (Maintain our already existing services) added

#7 Updated by zen 2019-10-17 20:52:01

Assignee changed from zen to intrigeri

I see the keys in place, I think the onboarding doc is enough for now, and I have reviewed the puppet code and it looks good. I haven’t tested it, though, but we’ll have an opportunity soon.

I’m reassigning to you because you asked to.

#8 Updated by intrigeri 2019-10-18 07:33:06

Status changed from Needs Validation to Resolved

Hi zen,

> I see the keys in place, I think the onboarding doc is enough for now, and I have reviewed the puppet code and it looks good. I haven’t tested it, though, but we’ll have an opportunity soon.

Great!

> I’m reassigning to you because you asked to.

(That was only because I could not push the updated onboarding doc to sysadmin.git that was broken back then, but it was quickly fixed and you’ve reviewed those bits too ⇒ closing.)