On 10/04/12 22:11, seth vidal wrote:
>
> Hi all,
>
> Need some feedback. Since I've been playing with/working on ansible (http://ansible.github.com) it has raised some questions as to what we will allow/not allow for setting up hosts.
>
> Here's what I'd like to do:
>
> 1. allow lockbox01-only and ssh-key-only access, as root, via ssh to our systems. This would be an ssh key only on lockbox and owned by root (or possibly by sysadmin-main or other localgroup - like the private git repo).
>
> 2. have the root authorized_keys be available from infrastructure.fedoraproject.org via http (restricted to the hosts we allow, of course)
>
> 3. set up our kickstart %post to suck down these keys.
>
> This will enable me to streamline our installation process considerably. Right now there are a number of manual steps in our reinstall process. These manual steps are.... error-prone. I'd like to eliminate them.
>
>
> Right now we expose access to our systems via func - which is a daemon running as root which auth's using the puppet ssl cert/keys from lockbox01. The change to allowing ssh-in as root is not a considerably larger attack surface. The only exception is that ssh is available to various places for some of our systems, while func's ports are not.
>
>
> I'd like to hear some thoughts on making this change. If no one objects then I'll make this happen.
> thanks,
>
> -sv
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure

I must say, ansible does look interesting. Just the whole sshd thing kinda is a put-off. But I will look into this a bit more in the next days. But it does most certainly sound like a good effort (the start of). And Michael is once again involved in a very interesting project, that should turn out to be very useful indeed. Thanks for bringing this to our attention.
Regards,
Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
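Seth's three steps above (key-only root ssh from lockbox01, the key list served over http, kickstart %post fetching it) describe one procedure. The script below is an added example written for this page; it is not code from the thread, from ansible, or from Fedora Infrastructure. It shows what the %post step could look like if it fails closed: fetch the list, refuse to install anything that does not parse as an authorized_keys file (an empty list or a 403 error page would otherwise become root's key file), set the usual 0700/0600 permissions, and restrict sshd to key-only root login. KS_KEY_URL, the validation rule, the %post entry point and the file paths are assumptions for illustration; the per-host restriction Seth mentions lives on the web server and is not modelled here.

```sh
#!/bin/sh
# Added example, not code from the thread or from Fedora Infrastructure.
# Sketch of the kickstart %post step proposed above: fetch root's
# authorized_keys over HTTP, refuse anything that is not a key list, install
# it with tight permissions, and restrict sshd to key-only root login.
# KS_KEY_URL, the validation rule and the file paths are assumptions.
set -eu

# Return 0 only if every non-blank, non-comment line in $1 looks like an
# OpenSSH public key: an optional single-token options prefix such as
# from="lockbox01", a known key type, and a base64 blob. Options containing
# spaces are not handled. An empty list is rejected too, because installing
# it would lock root out of the box.
validate_authorized_keys() {
    pat='^([^[:space:]]+[[:space:]]+)?(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]].*)?$'
    keys=$(grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1" || true)
    [ -n "$keys" ] || return 1
    if printf '%s\n' "$keys" | grep -Evq "$pat"; then
        return 1
    fi
    return 0
}

# Install a validated key list as $2/.ssh/authorized_keys ($2 defaults to /root).
install_root_keys() {
    src=$1
    home=${2:-/root}
    if ! validate_authorized_keys "$src"; then
        echo "refusing to install $src: not a valid authorized_keys list" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    chmod 0700 "$home/.ssh"
    cp "$src" "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
}

# Append key-only root login settings to the sshd config file given in $1.
# "without-password" is the spelling accepted by the OpenSSH of that era
# (later versions also accept "prohibit-password").
write_sshd_hardening() {
    cat >> "$1" <<'EOF'
# root: public key only; no password or keyboard-interactive auth
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# Fetch the list from $1 and install it. curl --fail turns an HTTP error
# (for example a 403 from the host restriction) into a non-zero exit, so
# under set -e the %post aborts instead of writing an error page into
# authorized_keys.
fetch_and_install() {
    tmp=$(mktemp)
    curl --fail --silent --show-error --output "$tmp" "$1"
    install_root_keys "$tmp"
    rm -f "$tmp"
}

# Entry point for %post: only runs when KS_KEY_URL is set, so the functions
# above can also be sourced and exercised on their own.
if [ -n "${KS_KEY_URL:-}" ]; then
    fetch_and_install "$KS_KEY_URL"
    write_sshd_hardening /etc/ssh/sshd_config
fi
```

Two caveats a reviewer of the proposal would raise, which the script does not solve: restricting the http download by source address limits who can fetch the list but does nothing for its integrity in transit, and the format check only catches a mangled or substituted file, not a well-formed key list from the wrong party. Inside the list itself, an OpenSSH `from="..."` option in front of the lockbox key is the cheap way to express the "lockbox01-only" half of step 1 on the target host rather than only at the network edge.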