Opened 6 years ago

Closed 6 years ago

#3004 closed task (fixed)

No passwords anywhere

Reported by: dustin
Owned by:
Priority: major
Milestone: sys - on-bb-infra
Version:
Keywords:
Cc:

Description (last modified by dustin)

Shared passwords suck. When people come and go, you have to change them. It's a nightmare.

Proposal:

  • SSH key access for admins to named accounts (dustin, amar, mss, etc.) on each host [DONE]
  • passwordless sudo access
    • ALL for admins [DONE]
    • jexec <appropriate jail> sh for non-admins with access to a single jail
  • No root logins via SSH
  • Root password locked or at least unknown to anyone

I'd be happy to add a free 2FA provider to this to complement the SSH keys -- but let's do that once the baseline is in place.

Change History (14)

comment:1 Changed 6 years ago by skelly

Addition to the final bullet: FreeBSD has a root and a toor user.

comment:2 Changed 6 years ago by sa2ajj

  • Priority changed from minor to major
  • Version 0.8.9 deleted

+1

comment:3 Changed 6 years ago by sa2ajj

passwordless sudo access for admins is there.

Last edited 6 years ago by sa2ajj

comment:4 Changed 6 years ago by dustin

  • Description modified

ssh keys, too.

Amar and I know the root password -- we should change that to something more complex, using Ansible.

comment:5 Changed 6 years ago by sa2ajj

Do we want to do anything else as part of 'this' ticket?

comment:6 Changed 6 years ago by dustin

Yes:

  • PermitRootLogin no
  • Change root password (it's pretty weak right now)

We can move this part to another bug if desired:

  • 'sudo jexec $somejail' access for limited-scope admins (this would be good for e.g., list admins, slave admins, metabuildbot admins)

comment:7 Changed 6 years ago by skelly

Re: your last point. From the FreeBSD handbook chapter on jails is this warning.

While it is not possible for a jailed process to break out on its own, there are several ways in which an unprivileged user outside the jail can cooperate with a privileged user inside the jail to obtain elevated privileges in the host environment.

comment:8 Changed 6 years ago by sa2ajj

PermitRootLogin -- I'll submit a PR in a minute.

Change root password -- I think you should change it to something you/Amar know.

sudo jexec ... -- I think it's a good idea to move it (I'll do that).

comment:9 Changed 6 years ago by dustin

Maybe we should plan to cross that bridge when we come to it. I'd be willing to either limit to a binary 'full admin access' and 'no shell access'; or to accept the risk of jailbreaking on the assumption that limited-scope admins are reasonably trustworthy but isolated from accidentally doing harm.

comment:10 Changed 6 years ago by sa2ajj

re root: PR

comment:11 Changed 6 years ago by sa2ajj

Created a ticket re sudo jexec ...: #3069

comment:12 Changed 6 years ago by sa2ajj

Updated and merged PR#20 for disabling root login via ssh.

Last edited 6 years ago by sa2ajj

comment:13 Changed 6 years ago by dustin

PermitRootLogin no was added in e1d91165003856b73fef9f5f3bd99c525a0ef838.

https://github.com/buildbot/buildbot-infra/pull/30 handles setting the root pw

comment:14 Changed 6 years ago by dustin

  • Resolution set to fixed
  • Status changed from new to closed
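
The baseline discussed in this ticket (PermitRootLogin no, and a root password that is locked or at least not known, with toor included per comment:1) can be checked mechanically. The following is an added example, not part of the ticket or of the buildbot-infra repository; the function names and sample files are constructed, and it reads only the global section of sshd_config.

```shell
#!/bin/sh
# Added example: checks two items of the ticket's baseline on constructed files.

# Effective global PermitRootLogin: sshd keeps the first value it reads for a
# keyword, and keywords are case-insensitive. Stops at the first Match block
# (assumption: only the global section matters here).
permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# State of one account's password field (field 2) in a master.passwd-format file.
pw_state() {    # $1 = file, $2 = user
    awk -F: -v u="$2" '
        $1 == u { seen = 1
                  if ($2 == "") print "empty"                       # no password needed
                  else if (substr($2, 1, 1) == "*") print "locked"  # "*" or "*LOCKED*<hash>"
                  else print "password-set"
                  exit }
        END { if (!seen) print "absent" }' "$1"
}

# Print one line per finding; root and toor are both checked (comment:1).
audit() {       # $1 = sshd_config, $2 = master.passwd
    v=$(permit_root_login "$1")
    [ "$v" = "no" ] || echo "FAIL: PermitRootLogin is '$v', expected 'no'"
    for u in root toor; do
        case $(pw_state "$2" "$u") in
            empty)        echo "FAIL: $u has an empty password field" ;;
            password-set) echo "NOTE: $u has a password set; confirm nobody knows it" ;;
        esac
    done
}

# Constructed sample input (not taken from the Buildbot hosts).
d=$(mktemp -d)
cat > "$d/sshd_config" <<'EOF'
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
EOF
cat > "$d/master.passwd" <<'EOF'
root:$6$constructed$constructedhash:0:0::0:0:Charlie &:/root:/bin/csh
toor::0:0::0:0:Bourne-again Superuser:/root:
EOF
audit "$d/sshd_config" "$d/master.passwd"
```

On the sample files this reports a NOTE for root and a FAIL for toor; on a real FreeBSD host the inputs would be /etc/ssh/sshd_config and /etc/master.passwd, read as root.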