Bug #17051

Zen's SSH public key is not configured in lizard's dropbear

Added by zen 2019-09-13 11:51:00. Updated 2019-10-18 07:33:06.

Status: Resolved
Priority: High
Assignee: intrigeri
Category: Infrastructure
Target version:
Start date:
Due date:
% Done: 0%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

Today we had to reboot Lizard and I couldn’t log in to dropbear to unlock the encrypted disk. We have to:

  • Verify/confirm that my key is indeed not configured in dropbear and included in the initramfs.
  • Fix whatever is wrong in case the key is really not there.
  • Adjust the onboarding documentation in case a step is missing there.

Related issues

Blocks Tails - Feature #13242: Core work: Sysadmin (Maintain our already existing services) Confirmed 2017-06-29

History

#1 Updated by zen 2019-09-13 11:51:23

  • Description updated

#2 Updated by intrigeri 2019-09-13 12:01:08

  • Priority changed from Normal to High
  • Target version set to Tails_4.0

(Zen Fu just started a few weeks of sysadmin shifts and it would be nice if he was able to reboot lizard himself :)

#3 Updated by intrigeri 2019-09-16 09:10:51

  • Assignee changed from Sysadmins to intrigeri

I’m on it!

#4 Updated by intrigeri 2019-09-16 09:48:34

  • Status changed from Confirmed to Needs Validation
  • Assignee changed from intrigeri to zen

zen wrote:
> * Verify/confirm that my key is indeed not configured in dropbear and included in the initramfs.

Confirmed. /etc/dropbear-initramfs/authorized_keys was last updated in 2017. It included keys that should not have access (anymore) so while I was at it, I’ve removed them.

> * Fix whatever is wrong in case the key is really not there.
> * Adjust the onboarding documentation in case a step is missing there.

We simply had no process to update /etc/dropbear-initramfs/authorized_keys. I’ve implemented (Puppet + onboarding doc) the cheapest possible thing to ensure we at least update it when we onboard a new sysadmin.
I’ll push the onboarding doc once sysadmin.git is repaired ⇒ @zen, once you’ve reviewed the Puppet bits and repaired sysadmin.git, please reassign to me :)

Note that what I did does not cover sysadmins rotating their SSH keys (I can think of several ways to fix that but not today), nor removing access for a sysadmin (although if we follow the onboarding doc and revert everything we should be good).
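
The manual check described in comment #4 (keys missing from, or left over in, /etc/dropbear-initramfs/authorized_keys) can be scripted. The following is an added example, not the Puppet code or tooling referred to in this ticket; the function names, the "expected keys" file and the sample keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a dropbear-initramfs authorized_keys file against the
# list of keys that should have unlock access. All paths are parameters.

# Print the base64 blob of every key line (skips comments, blank lines and
# leading options such as no-pty; options containing spaces are not handled).
key_blobs() {
    awk '!/^[ \t]*(#|$)/ {
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); break }
    }' "$1" | sort -u
}

# Keys in EXPECTED ($1) that are absent from DEPLOYED ($2): sysadmins who
# cannot unlock the disk after a reboot.
missing_keys() {
    a=$(mktemp); b=$(mktemp)
    key_blobs "$1" > "$a"; key_blobs "$2" > "$b"
    comm -23 "$a" "$b"; rm -f "$a" "$b"
}

# Keys in DEPLOYED ($2) that are not in EXPECTED ($1): access that should
# have been removed.
stale_keys() {
    a=$(mktemp); b=$(mktemp)
    key_blobs "$1" > "$a"; key_blobs "$2" > "$b"
    comm -13 "$a" "$b"; rm -f "$a" "$b"
}

# True when authorized_keys ($1) was modified after the initramfs image ($2)
# was built, i.e. the image still embeds the previous key list.
initramfs_outdated() {
    [ -n "$(find "$1" -newer "$2" 2>/dev/null)" ]
}

# Demo on constructed data (the key blobs are fake placeholders).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3FAKEalice alice' 'ssh-ed25519 AAAAC3FAKEzen zen' > "$d/expected"
    printf '%s\n' '# last touched long ago' 'ssh-ed25519 AAAAC3FAKEalice alice' \
        'no-pty ssh-rsa AAAAB3FAKEformer former-admin' > "$d/deployed"
    echo "missing: $(missing_keys "$d/expected" "$d/deployed")"
    echo "stale:   $(stale_keys "$d/expected" "$d/deployed")"
    rm -rf "$d"
}
demo
```

On Debian, the authorized_keys file is copied into the image when the initramfs is built, so a change only takes effect at the next boot after `update-initramfs -u` has been run.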

#5 Updated by intrigeri 2019-09-16 12:53:09

> I’ll push the onboarding doc once sysadmin.git is repaired

Now done, so you can review these bits at the same time as the Puppet changes :)

#6 Updated by intrigeri 2019-09-19 06:08:55

  • blocks Feature #13242: Core work: Sysadmin (Maintain our already existing services) added

#7 Updated by zen 2019-10-17 20:52:01

  • Assignee changed from zen to intrigeri

I see the keys in place, I think the onboarding doc is enough for now, and I have reviewed the puppet code and it looks good. I haven’t tested it, though, but we’ll have an opportunity soon.

I’m reassigning to you because you asked to.

#8 Updated by intrigeri 2019-10-18 07:33:06

  • Status changed from Needs Validation to Resolved

Hi zen,

> I see the keys in place, I think the onboarding doc is enough for now, and I have reviewed the puppet code and it looks good. I haven’t tested it, though, but we’ll have an opportunity soon.

Great!

> I’m reassigning to you because you asked to.

(That was only because I could not push the updated onboarding doc to sysadmin.git that was broken back then, but it was quickly fixed and you’ve reviewed those bits too ⇒ closing.)