*** luigi is now known as luigi-training | 06:39 | |
*** luigi-training is now known as luigi | 06:39 | |
*** rlandy is now known as rlandy|ruck | 11:15 | |
*** sshnaidm|off is now known as sshnaidm | 11:38 | |
rawtaz | uhm, so.. the openstack tf provider only lets you specify one key pair name when creating an instance. is there no way to put multiple public keys on the instance, without i dunno, scripting stuff? | 14:10 |
lowercase | you could have a resource that copies the file to the user's authorized keys files | 14:13 |
lowercase | or, consider if SSH certificates would be right for you | 14:13 |
rawtaz | hmm i dont think i heard of ssh *certificates* before :O | 14:15 |
rawtaz | yeah, copying a file using e.g. remote-exec or something i take it you mean. seems like a hack though. but i suppose theres nothing in openstack that can provision multiple keys using the "standard" arguments of e.g. tf? | 14:16 |
lowercase | https://blog.habets.se/2011/07/OpenSSH-certificates.html | 14:16 |
rawtaz | im just surprised. a bastion host for example, or any other hosts for that matter, is pretty common to have more than one key, so i was surprised to find that this argument only takes one key | 14:16 |
rawtaz | thanks, gonna look | 14:16 |
lowercase | They're a bit tricky to get right, but I have only one key I deploy everywhere. The whole team is able to auth with the ssh cert to the server, even tho it only has one key. | 14:17 |
rawtaz | so im reading this but its a lot to digest - may i meanwhile ask; if you want to add say another team member, do you then have to recreate the cert or what does the provisioning process look like for another user/member when you already have an ssh cert in place for existing ones, for example for a bastion host? | 14:20 |
lowercase | I, admin, place an ssh public certificate on the remote server. SSH server then trusts the public cert. I, admin, want to grant bob access. Bob provides me his ssh public key. I, admin, use the ssh private certificate and sign bob's public key. Bob's public key now contains 1) the ability to auth against his own public ssh key. 2) the ability to auth against any ssh server that trusts the ssh certificate. | 14:21 |
lowercase | The ssh private cert signs as many public keys as you are willing to trust. | 14:21 |
rawtaz | i see. so the added data is with the new user, hence theres no need for further action on the server. thats pretty neat. seems a bit complex to set up though, but ill keep reading :) | 14:24 |
rawtaz | thanks for the tip, i might have heard about it at some point but never ever looked into it even if thats the case | 14:24 |
lowercase | SSH certificates also come with a handy feature. 1) I can grant Bob's ssh certificate the ability to log in as multiple users. Bob is a sysadmin, so I want him to be able to use the usernames bob, ubuntu, centos, and root. Jason only needs access to jason's account. I sign jason's public key with the private ssh certificate and assign the only permitted username, jason. | 14:24 |
lowercase | 2) The ssh certificate is only valid coming from certain IP ranges. For example, requiring the use of a bastion host in order to use the ssh cert. | 14:25 |
lowercase | These two are optional of course. | 14:25 |
lowercase | There are a number more features you gain over traditional ssh keys, but they are more obscure use cases you will find if you need them. | 14:26 |
rawtaz | aha. for that you'd use two ssh certs, one for the bastion allowing access from multiple sources, and one for e.g. an internal server where you only allow access from the bastion host? | 14:26 |
lowercase | 1 ssh cert that signs Bob's key with the requirement of a certain ip address | 14:27 |
rawtaz | however, what about revocation - if you want to revoke bob's access? is there a CRL or similar so that you can publish that bob's cert is no longer valid, and the server where the ssh cert public part is placed checks this CRL every connection? | 14:27 |
lowercase | CRL is valid | 14:27 |
lowercase | I will tell you a pitfall that we fell into, which is that we didn't serialize our signed certs. So when we needed to revoke a cert we accidentally revoked everyone's. tl;dr Make sure you serialize your certs | 14:28 |
rawtaz | haha ok :D | 14:29 |
lowercase | yeah, everyone had serial number 0 or something lol | 14:29 |
rawtaz | hehe | 14:29 |
lowercase | oh, and ssh certs can be valid for lengths of time. We have our certs expire every 6 months. If you don't need a new cert or don't ask for one, it just doesn't get generated. | 14:30 |
rawtaz | but there is a CRL then? so to revoke bob's access you publish his cert in a CRL? | 14:30 |
rawtaz | yeah thats great | 14:30 |
lowercase | Best part. Everyone's cert is stored in a git repo and is public. No one can use it because the user's ssh private key is still required. | 14:31 |
lowercase | Uh, you publish the serial number of bob's cert to the CRL | 14:31 |
rawtaz | yeah. ok, thanks | 14:32 |
rawtaz | well this was interesting. hmm hmm | 14:32 |
rawtaz | you just shaved another day or two off my life :P | 14:32 |
lowercase | in this one case, a x509 CRL is exactly like a SSH cert | 14:32 |
lowercase | *ssh cert's CRL | 14:33 |
rawtaz | yeah | 14:33 |
*** rlandy|ruck is now known as rlandy|ruck|mtg | 14:54 | |
rawtaz | lowercase: thanks, i have to run but will make use of your information at some point! | 15:47 |
* rawtaz & | 15:47 | |
*** ncuxo_ is now known as ncuxo | 16:17 | |
lowercase | I posted this question in #openstack-oslo, but im hoping someone here can help. | 16:29 |
lowercase | Hello, I have a question regarding oslo.log. I would like to implement the fluent logger found here: https://docs.openstack.org/oslo.log/latest/admin/example_nova.html however, copying those steps is not working for me. My config looks like this: https://pastebin.com/treiZd2m OS: ubuntu 20.04.03, Openstack: Wallaby, fluent-logger: installed, 0.10.0 | 16:29 |
lowercase | I am able to confirm fluent-logger is working as expected by writing a few lines of python and sending a test message to a netcat listener. So I can at least confirm the fluent-logger is present and functioning. | 16:29 |
*** rlandy|ruck|mtg is now known as rlandy|ruck | 16:31 | |
frickler | rawtaz: if you create the keypair from a public key file, it can contain multiple keys | 17:14 |
admin1 | rawtaz, if you grow big, you deploy something like freeipa/ or a jumphost where all users ssh first, and then from the jumphost ssh to the internal servers .. only the jumphost keys are in the server and no one else's .. else if you add access of everyone to everywhere, when people leave, you will have a hard time managing that | 19:45 |
admin1 | but you can also pass multiple keys using cloud-init script during creation | 19:46 |
*** rlandy|ruck is now known as rlandy|ruck|biab | 22:51 | |
*** rlandy|ruck|biab is now known as rlandy|ruck | 23:13 |