
klam-ssh support for CoreOS #187

Open

eadasiak wants to merge 29 commits into adobe-platform:master from eadasiak:master

Conversation

@eadasiak (Author) commented May 3, 2016

This adds support for klam-ssh on CoreOS.

The klam-ssh.sh script in v3/setup installs the pre-reqs:

  1. A replacement for /etc/nsswitch.conf that includes the libnss_ato library method for passwd, shadow, and group
  2. The klam-ssh.conf file in /opt/klam/lib
  3. The libnss_ato shared library in /opt/klam/lib64, and the ld.so.conf.d config for that file path
  4. Reconfigures the linker cache
  5. Adds the klamfed user (all klam-ssh users are squashed to this user)
  6. Adds sudo support for klamfed
  7. Moves supporting scripts into place in /opt/klam/lib
  8. Appends config to the sshd_config file for the AuthorizedKeysCommand

The authorizedkeys_command.sh script runs the klam-ssh docker container to get the user's ssh key from S3.

The downloadS3.sh script runs the klam-ssh docker container to get the list of authorized klam-ssh users via S3.

Let me know if you have any questions. Next stop -- the bastion host!
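Added example, not code from this PR or from the mesos-systemd project: a post-install check for two of the prerequisites listed in steps 1 and 8 above, written in the shell the setup script itself uses. It assumes GNU `stat -c`, that libnss_ato registers in nsswitch.conf under the module name `ato`, and a hypothetical default location for the AuthorizedKeysCommand script under /opt/klam/lib (where step 7 puts the other supporting scripts). The path check reproduces the rule sshd applies before it will run an AuthorizedKeysCommand: the script and every parent directory must be owned by root (or the AuthorizedKeysCommandUser) and must not be writable by group or others.

```shell
#!/bin/sh
# Added example (not the PR's code): post-install checks for the klam-ssh
# prerequisites. Assumes GNU stat (-c) and the nsswitch module name "ato".

# akc_entry_ok UID MODE ALLOWED_UID
# 0 when a path component owned by UID with octal MODE (as printed by
# `stat -c %a`) meets sshd's AuthorizedKeysCommand rule: owned by root or
# ALLOWED_UID, and not writable by group or others.
akc_entry_ok() {
    uid=$1 mode=$2 allowed=$3
    [ "$uid" = 0 ] || [ "$uid" = "$allowed" ] || return 1
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # 755 -> 0755, 7 -> 0007
    tail=${mode#"${mode%??}"}                        # last two digits: group, other
    grp=${tail%?} oth=${tail#?}
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# akc_path_ok PATH [ALLOWED_UID]
# Walks PATH and each parent directory up to /, applying akc_entry_ok to
# every component, as sshd does before running the command. ALLOWED_UID
# defaults to 0 (AuthorizedKeysCommandUser root).
akc_path_ok() {
    p=$1 allowed=${2:-0}
    case $p in
        /*) ;;
        *)  echo "akc: not an absolute path: $p" >&2; return 1 ;;
    esac
    if ! [ -f "$p" ] || ! [ -x "$p" ]; then
        echo "akc: not an executable regular file: $p" >&2; return 1
    fi
    while :; do
        info=$(stat -c '%u %a' "$p" 2>/dev/null) ||
            { echo "akc: cannot stat $p" >&2; return 1; }
        akc_entry_ok "${info% *}" "${info#* }" "$allowed" ||
            { echo "akc: unsafe owner/mode on $p (uid mode: $info)" >&2; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# nss_lists_module FILE DB MODULE
# 0 when the "DB:" line of an nsswitch.conf FILE names MODULE as a source.
# Comments are stripped; only the first DB line counts, as in glibc.
nss_lists_module() {
    file=$1 db=$2 module=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in
            "$db:"*)
                for word in ${line#*:}; do
                    [ "$word" = "$module" ] && return 0
                done
                return 1 ;;
        esac
    done < "$file"
    return 1
}

# klam_prereq_check [AKC_PATH] [NSSWITCH]
# Runs both checks. The default AuthorizedKeysCommand path is an assumption;
# use whatever path the appended sshd_config line actually names.
klam_prereq_check() {
    akc=${1:-/opt/klam/lib/authorizedkeys_command.sh}
    nss=${2:-/etc/nsswitch.conf}
    rc=0
    akc_path_ok "$akc" || rc=1
    for db in passwd shadow group; do
        nss_lists_module "$nss" "$db" ato ||
            { echo "nss: $db line in $nss does not list ato" >&2; rc=1; }
    done
    return $rc
}
```

To use it as a script, append `klam_prereq_check "$@"` and run it on the host after klam-ssh.sh; a non-zero exit names the first offending path component or nsswitch line on stderr, which is the same information sshd only reveals as an "unsafe" entry in its own log.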

Comment thread v3/setup/klam-ssh.sh Outdated

if [[ $REGION == "eu-west-1" ]]; then
KEY_LOCATION="-ew1"
elif [[ $REGION == "ap-northeast-1" ]]; then
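Review bot: the region-to-suffix chain should end in an `else` that fails with a clear message. The visible lines only show `if`/`elif` branches mapping a fixed set of regions to a KEY_LOCATION suffix; if the chain has no final `else`, a host in any other region leaves KEY_LOCATION empty and the later S3 lookups silently go to the wrong location instead of reporting that the region is unsupported, which is exactly the case the question above is about.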


should we make this list accessible to the widest swath of regions, or is it unnecessary?

Author

Unfortunately, I was limited to the regions where klam-ssh is configured. Version 2.0 of klam-ssh will be more widely available, and will get addressed with its release.

@matthewdfuller (Contributor)

This is doing some crazy stuff, but if it works...

@matthewdfuller (Contributor)

@eadasiak once this is merged, will regular SSH logins stop working?

Comment thread v3/util/authorizedkeys_command.sh Outdated
ENCRYPTION_KEY=$(etcdctl get /klam-ssh/ENCRYPTION_KEY)
ROLE_NAME=$(etcdctl get /klam-ssh/ROLE_NAME)
KEY_LOCATION_PREFIX=$(etcdctl get /klam-ssh/KEY_LOCATION_PREFIX)
IMAGE=$(etcdctl get /images/klam-ssh)
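Review bot: none of the four `etcdctl get` reads is checked. When etcd is unreachable (the situation the author later reports for the setup script) or a key is unset, etcdctl prints an error and the variable ends up empty, so the script goes on to run the container with an empty ENCRYPTION_KEY and IMAGE. Since this runs under sshd's AuthorizedKeysCommand on every login it should fail closed: `set -euo pipefail` at the top and a `[ -n "$ENCRYPTION_KEY" ] || exit 1` style check after each read, so a missing value produces no keys rather than an odd container invocation. Worth noting in the README as well that ENCRYPTION_KEY sits in etcd in the clear, so anything that can read etcd on the cluster can read it.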

Contributor

`images/klam-ssh` should be set (as a default) in v3/setup/klam-ssh.sh

Author

Ah, I see your point. I was relying on the configs from the infrastructure repo to do this instead. I've set a default value in v3/setup/klam-ssh.sh

eadasiak added 4 commits May 4, 2016 14:12
uses who -m instead of \u in the command prompt. Since users are
squashed to a single user (klamfed) via libnss_ato, everyone except for
core had a prompt of 'klamfed@…'

killed off klam.sh since it doesn’t really work in CoreOS
@eadasiak (Author) commented May 4, 2016

@matthewdfuller: As long as the infrastructure stack still provides a mechanism to provide an ssh key, then the core user will still be able to log in.

Comment thread v3/setup/klam-ssh.sh
bootparams: files
automount: files nisplus
aliases: files nisplus
EOT
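Review bot: the heredoc replaces /etc/nsswitch.conf wholesale, and a broken nsswitch.conf breaks every login on the host, not only klam ones. Suggest keeping a copy of the original before the write and verifying afterwards that local lookups still resolve (for example `getent passwd core` and `getent group core`) before the script goes on to edit sshd_config, so a bad template fails the setup step instead of the next login.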

Contributor

So much cleaner! :)

@matthewdfuller (Contributor)

👍

Comment thread v3/setup/klam-ssh.sh
cat /etc/ssh/sshd_config

# Change ownership of authorizedkeys_command
chown root:root /home/core/mesos-systemd/v3/util/authorizedkeys_command.sh
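Review bot: `chown root:root` on its own is not enough for sshd to accept this script, which is probably why the question above is hard to answer from the diff alone. sshd requires an AuthorizedKeysCommand to be an absolute path that is owned by root and not writable by group or others, and it applies the same owner/write check to every parent directory (each must be owned by root or the AuthorizedKeysCommandUser); a script under /home/core/mesos-systemd/... sits below a directory owned by core, so sshd is likely to refuse it with an "unsafe" entry in its log the first time it is used. Suggest installing the script next to the other supporting scripts in /opt/klam/lib with `chmod 755`, pointing the AuthorizedKeysCommand line at that path, and making sure an AuthorizedKeysCommandUser line is appended too, since sshd skips the command entirely when none is configured. The `cat /etc/ssh/sshd_config` only copies the whole config into the setup log and can go.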

Member

huh...does this actually work? And why is this needed?

@eadasiak (Author)

@chr0n1x @matthewdfuller - I found a few bugs with the original implementation, and have checked in the fixes. In particular, the klam-ssh setup script was being called before etcd on the hosts was ready. To fix that, I've moved the script from /setup to /util, and modified the init script to call it explicitly. I've also added a helper script that a user can call to configure their local ssh config so that they connect to internal hosts through the bastion with klam support.
