Bug #17051
Zen's SSH public key is not configured in lizard's dropbear
0%
Description
Today we had to reboot Lizard and I couldn’t log in to dropbear for unlocking the encrypted disk. We have to:
- Verify/confirm that my key is indeed not configured in dropbear and included in the initramfs.
- Fix whatever is wrong in case the key is really not there.
- Adjust the onboarding documentation in case a step is missing there.
Related issues
Blocks Tails - Feature #13242: Core work: Sysadmin (Maintain our already existing services) | Confirmed | 2017-06-29 |
History
#1 Updated by zen 2019-09-13 11:51:23
- Description updated
#2 Updated by intrigeri 2019-09-13 12:01:08
- Priority changed from Normal to High
- Target version set to Tails_4.0
(Zen Fu just started a few weeks of sysadmin shifts and it would be nice if he was able to reboot lizard himself :)
#4 Updated by intrigeri 2019-09-16 09:48:34
- Status changed from Confirmed to Needs Validation
- Assignee changed from intrigeri to zen
zen wrote:
> * Verify/confirm that my key is indeed not configured in dropbear and included in the initramfs.
Confirmed. /etc/dropbear-initramfs/authorized_keys was last updated in 2017. It included keys that should not have access (anymore) so while I was at it, I’ve removed them.
> * Fix whatever is wrong in case the key is really not there.
> * Adjust the onboarding documentation in case a step is missing there.
We simply had no process to update /etc/dropbear-initramfs/authorized_keys. I’ve implemented (Puppet + onboarding doc) the cheapest possible thing to ensure we at least update it when we onboard a new sysadmin.
I’ll push the onboarding doc once sysadmin.git is repaired ⇒ @zen, once you’ve reviewed the Puppet bits and repaired sysadmin.git, please reassign to me :)
Note that what I did does not cover sysadmins rotating their SSH keys (I can think of several ways to fix that but not today), nor removing access for a sysadmin (although if we follow the onboarding doc and revert everything we should be good).
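An added example, not part of the ticket and not the Puppet code it mentions: a drift check that compares a dropbear-initramfs authorized_keys file against a roster of current sysadmin keys, reporting both keys that are missing and keys that should no longer be there. The roster file, the function names and the sample keys are assumptions made for illustration.

```shell
#!/bin/sh
# key_blobs FILE: print "keytype blob" for each key line, skipping comments,
# leading options (e.g. command="...") and the trailing comment field.
key_blobs() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+)$/) {
                    print $i, $(i + 1); next
                }
            print FILENAME ": unparsable line " NR > "/dev/stderr"
        }' "$1" | LC_ALL=C sort -u
}

# audit_keys EXPECTED DEPLOYED: print one MISSING/UNEXPECTED line per
# difference; return 0 when both files hold the same set of keys, 1 otherwise.
audit_keys() {
    ak_exp=$(mktemp) ak_dep=$(mktemp)
    key_blobs "$1" > "$ak_exp"; key_blobs "$2" > "$ak_dep"
    ak_report=$(
        LC_ALL=C comm -23 "$ak_exp" "$ak_dep" | sed 's/^/MISSING /'
        LC_ALL=C comm -13 "$ak_exp" "$ak_dep" | sed 's/^/UNEXPECTED /'
    )
    rm -f "$ak_exp" "$ak_dep"
    [ -z "$ak_report" ] && return 0
    printf '%s\n' "$ak_report"
    return 1
}

# Constructed sample data (placeholder blobs, not real keys): the deployed
# file lacks the new admin's key and still carries a former admin's key.
demo() {
    d=$(mktemp -d)
    cat > "$d/roster" <<'EOF'
ssh-ed25519 AAAAC3ExampleBlobCurrentAdmin current-admin@example
ssh-ed25519 AAAAC3ExampleBlobNewAdmin new-admin@example
EOF
    cat > "$d/deployed" <<'EOF'
# constructed stand-in for /etc/dropbear-initramfs/authorized_keys
no-port-forwarding,no-pty ssh-ed25519 AAAAC3ExampleBlobCurrentAdmin old-comment
ssh-rsa AAAAB3ExampleBlobFormerAdmin former-admin@example
EOF
    audit_keys "$d/roster" "$d/deployed"; ak_rc=$?
    rm -rf "$d"
    return "$ak_rc"
}

demo || echo "drift detected: fix the file, then rebuild the initramfs"
```

Keys are compared by type and blob only, so a changed comment or added options do not count as drift. A corrected file only takes effect at the next boot once the initramfs has been regenerated (on Debian, `update-initramfs -u`).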
#5 Updated by intrigeri 2019-09-16 12:53:09
> I’ll push the onboarding doc once sysadmin.git is repaired
Now done, so you can review these bits at the same time as the Puppet changes :)
#6 Updated by intrigeri 2019-09-19 06:08:55
- blocks Feature #13242: Core work: Sysadmin (Maintain our already existing services) added
#7 Updated by zen 2019-10-17 20:52:01
- Assignee changed from zen to intrigeri
I see the keys in place, I think the onboarding doc is enough for now, and I have reviewed the puppet code and it looks good. I haven’t tested it, though, but we’ll have an opportunity soon.
I’m reassigning to you because you asked to.
#8 Updated by intrigeri 2019-10-18 07:33:06
- Status changed from Needs Validation to Resolved
Hi zen,
> I see the keys in place, I think the onboarding doc is enough for now, and I have reviewed the puppet code and it looks good. I haven’t tested it, though, but we’ll have an opportunity soon.
Great!
> I’m reassigning to you because you asked to.
(That was only because I could not push the updated onboarding doc to sysadmin.git that was broken back then, but it was quickly fixed and you’ve reviewed those bits too ⇒ closing.)