klam-ssh support for CoreOS #187
Conversation
|
||
if [[ $REGION == "eu-west-1" ]]; then | ||
KEY_LOCATION="-ew1" | ||
elif [[ $REGION == "ap-northeast-1" ]]; then |
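Review bot: the visible branches map only eu-west-1 and ap-northeast-1 and no final else appears in the shown lines, so a host launched in any other region continues with KEY_LOCATION unset and the later key lookup silently resolves to a path with no suffix. Suggest closing the chain with `else echo "unsupported region: $REGION" >&2; exit 1; fi` so the failure is visible at setup time, and adding a comment naming the regions klam-ssh is actually configured in.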
should we make this list accessible to the widest swath of regions, or is that unnecessary?
Unfortunately, I was limited to the regions where klam-ssh is configured. Version 2.0 of klam-ssh will be more widely available, and will get addressed with its release.
This is doing some crazy stuff, but if it works...
@eadasiak once this is merged, will regular SSH logins stop working?
ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY) | ||
ROLE_NAME=$(etcdctl get /klam-ssh/ROLE_NAME) | ||
KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX) | ||
IMAGE=$(etcdctl get /images/klam-ssh) |
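Review bot: none of the four etcdctl lookups is checked, so when etcd is not yet reachable (the ordering problem raised later in this thread) every variable is silently empty and the container is started with an empty ENCRYPTION_KEY and ROLE_NAME. Suggest failing closed on each one, e.g. `ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY) || exit 1` followed by `: "${ENCRYPTION_KEY:?missing}"`. Separately, a secret stored at /klam-ssh/ENCRYPTION_KEY is readable by any client that can reach etcd unless etcd authentication or ACLs are in place; worth a comment on how that key is protected.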
`images/klam-ssh` should be set (as a default) in v3/setup/klam-ssh.sh
Ah, I see your point. I was relying on the configs from the infrastructure repo to do this instead. I've set a default value in v3/setup/klam-ssh.sh
uses `who -m` instead of `\u` in the command prompt. Since users are squashed to a single user (klamfed) via libnss_ato, everyone except for core had a prompt of 'klamfed@…'
killed off klam.sh since it doesn't really work in CoreOS
@matthewdfuller: As long as the infrastructure stack still provides a mechanism to provide an ssh key, then the core user will still be able to log in.
bootparams: files | ||
automount: files nisplus | ||
aliases: files nisplus | ||
EOT |
So much cleaner! :)
👍
cat /etc/ssh/sshd_config | ||
|
||
# Change ownership of authorizedkeys_command | ||
chown root:root /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh |
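Review bot: the chown is required rather than cosmetic: sshd refuses to run an AuthorizedKeysCommand whose file is not owned by root or is writable by group or others (it logs "Unsafe AuthorizedKeysCommand" and treats the user as having no keys), which is the likely answer to the question above. The shown lines set ownership but no mode, so add `chmod 755 /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh` next to the chown. Since the script lives under core's home, also consider whether the containing directory is writable by core; sshd only checks the file itself, so a replaced file would fail closed, but it is cleaner to install the script under a root-owned path. The preceding `cat /etc/ssh/sshd_config` only echoes the file into the install log and looks like leftover debugging.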
huh...does this actually work? And why is this needed?
This reverts commit 0d8aa6f.
This will generate the correct ssh config file for a user’s workstation to connect through the bastion to the internal hosts
@chr0n1x @matthewdfuller - I found a few bugs with the original implementation, and have checked in the fixes. In particular, the klam-ssh setup script being called before etcd on the hosts was ready. To fix that, I've moved the script from /setup to /util, and modified the
This adds support for klam-ssh on CoreOS.
The klam-ssh.sh script in v3/setup installs the pre-reqs:
The authorizedkeys_command.sh script runs the klam-ssh docker container to get the user's ssh key from S3
The downloadS3.sh script runs the klam-ssh docker container to get the list of authorized klam-ssh users via S3.
Let me know if you have any questions. Next stop -- the bastion host!
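The description above outlines the AuthorizedKeysCommand flow (sshd hands over a login name, the command resolves a per-user key location from etcd-provided settings and the region, and the key is fetched from S3), and the thread separately raises the etcd-not-ready failure. The following is an added example, not code from the PR or the mesos-systemd project, showing the fail-closed shape such a wrapper should have. Only the etcd key names, the eu-west-1 to "-ew1" mapping and the general flow come from the PR; the function names, the "<prefix><suffix>/<user>.pub" key layout, the "-an1" suffix and KEYSTORE_ROOT (a local directory standing in for the S3 bucket so the example runs offline) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the PR's authorizedkeys_command.sh): a fail-closed
# AuthorizedKeysCommand wrapper. Invoked by sshd as:
#   AuthorizedKeysCommand /path/to/this.sh %u
# Assumptions: function names, key layout "<prefix><suffix>/<user>.pub",
# and KEYSTORE_ROOT as a local stand-in for the S3 bucket.

# Region -> key-location suffix. An unlisted region returns non-zero
# instead of quietly yielding an empty suffix and a wrong lookup path.
region_suffix() {
  case "$1" in
    eu-west-1)      printf '%s\n' '-ew1' ;;
    ap-northeast-1) printf '%s\n' '-an1' ;;   # placeholder suffix; the PR does not show it
    *)              return 1 ;;
  esac
}

# sshd passes the login name as %u. Accept only a conservative login-name
# alphabet so the value can never add a path component ("../") or a glob
# when it is spliced into the key path.
valid_user() {
  case "$1" in
    '' | *[!a-z0-9_.-]* | .* | -*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Every value pulled from etcd must be non-empty. This is the failure the
# PR author hit (script ran before etcd was ready): an empty lookup must
# abort rather than start the container with an empty ENCRYPTION_KEY.
require_all() {
  for v in "$@"; do
    [ -n "$v" ] || return 1
  done
}

# Compose the key path for one user; prints nothing and fails if any
# piece is missing or invalid.
key_path() {
  prefix=$1 region=$2 user=$3
  [ -n "$prefix" ] || return 1
  suffix=$(region_suffix "$region") || return 1
  valid_user "$user" || return 1
  printf '%s%s/%s.pub\n' "$prefix" "$suffix" "$user"
}

# Fetch step. The PR fetches through the klam-ssh container from S3; here
# KEYSTORE_ROOT is a local directory so the flow runs offline. Only lines
# that look like authorized_keys entries are passed on to sshd; an absent
# file or a file with no valid key line fails closed (no output, non-zero).
fetch_key() {
  f="${KEYSTORE_ROOT:?KEYSTORE_ROOT not set}/$1"
  [ -f "$f" ] || return 1
  grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$f"
}

# Entry point. Configuration comes from the environment; the caller fills
# it from etcd, e.g. KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX).
# ENCRYPTION_KEY is required even though this offline fetch does not use it,
# because the real container cannot decrypt the key without it.
authorized_keys_for() {
  require_all "$KEY_LOCATION_PREFIX" "$REGION" "$ENCRYPTION_KEY" || return 1
  path=$(key_path "$KEY_LOCATION_PREFIX" "$REGION" "$1") || return 1
  fetch_key "$path"
}

# Run only when executed as the installed script, not when sourced.
case "${0##*/}" in
  authorizedkeys_command.sh) authorized_keys_for "$1" ;;
esac
```

Every function prints nothing and exits non-zero on any doubt, which is what an AuthorizedKeysCommand should do: sshd treats empty output as "no keys" and the login is denied, so a missing etcd value, an unknown region or an odd username degrades to a refused login rather than to a lookup against an unintended path.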