Fixes #38499 - Introduce SSH cert support#10571
Fixes #38499 - Introduce SSH cert support#10571adamruzicka merged 1 commit intotheforeman:developfrom
Conversation
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
6b8cdbc to
7055907
Compare
adamlazik1
changed the title
adamlazik1
changed the title
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
7055907 to
af62efa
Compare
app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb
Outdated
Show resolved
Hide resolved
|
|
||
| mkdir -p /etc/ssh/sshd_config.d | ||
| echo 'TrustedUserCAKeys /etc/ssh/user-ca.pub' >/etc/ssh/sshd_config.d/60-user-ca.conf | ||
| systemctl restart sshd |
There was a problem hiding this comment.
I'm not sure you can always rely on being able to restart services. For example, I'm wondering about cloud-init.
There was a problem hiding this comment.
I am not too familiar with cloud-init. Are you referring to the fact that cloud-init may change service configuration or may manipulate with services while it runs? I tried to make the service restart a bit more robust, please tell me if it works or if I need to take some different precautions with regards to cloud-init .
app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb
Outdated
Show resolved
Hide resolved
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
7509605 to
c484790
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
fe302d4 to
86112b9
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
5 times, most recently
from
fc22a59 to
2e306fd
Compare
|
I will keep this in draft because there will be four PRs in total that should get merged at roughly the same time, but I do believe that this is now ready for review. |
app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb
Outdated
Show resolved
Hide resolved
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
2e306fd to
ac072d8
Compare
app/views/unattended/provisioning_templates/snippet/remote_execution_ssh_keys.erb
Outdated
Show resolved
Hide resolved
| command -v restorecon && restorecon -RvF /etc/ssh || true | ||
|
|
||
| # restart the sshd service | ||
| $(command -v cloud-init && cloud-init status --wait) >/dev/null 2>&1 || true |
There was a problem hiding this comment.
What would happen if this fired from within cloud-init?
There was a problem hiding this comment.
It took me a while to get my provisioning setup working, but I found out that while the command does not hang and appears to be executed, the sshd service is not restarted. Same thing happens when I do not include the cloud-init line altegether. Currently I am looking into other possible ways to restart the service within cloud-init.
adamlazik1
force-pushed
the
ssh-cert-support
branch
3 times, most recently
from
bff3e1a to
1fd7a96
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
1fd7a96 to
60c7201
Compare
|
Currently, this PR does not support configuring cert authentication on hosts that exist before the feature is enabled the smart proxy. Should I create a job template that could do this? It would have to be run before the ssh cert authentication is enabled on smart proxy. |
adamlazik1
force-pushed
the
ssh-cert-support
branch
3 times, most recently
from
88ecbe9 to
0c01c2c
Compare
|
Switching back to draft since the feature got postponed to 3.16 |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
0c01c2c to
fb5928f
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
2 times, most recently
from
6f91c61 to
ec694ec
Compare
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
ec694ec to
ec67b2a
Compare
lhellebr
left a comment
lhellebr
left a comment
There was a problem hiding this comment.
I have been able to verify the SSH CA cert feature as a complex of the following 4 PRs:
theforeman/smart_proxy_remote_execution_ssh#126
#10571
theforeman/foreman_remote_execution#977
theforeman/puppet-foreman_proxy#867
Including the following use cases:
SSH REX
Ansible REX
Pull mode REX
Cockpit
Including hosts created by:
Global registration
Provisioning
Including scenarios:
SSH CA on Satellite side
SSH CA on host side
SSH CA on both sides
Both positive scenarios and negative scenarios, that is incorrect CA, incorrect cert, incorrect principal.
=> ACK to this PR
|
@adamlazik1 does this still need to be a draft? |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
ec67b2a to
3dd32a3
Compare
|
/packit build |
adamlazik1
force-pushed
the
ssh-cert-support
branch
from
3dd32a3 to
0417d7b
Compare
adamruzicka
left a comment
adamruzicka
left a comment
There was a problem hiding this comment.
Looks reasonable, but let's hold it until the REX part goes in
|
Thank you @adamlazik1 ! |
4 participants
No description provided.