Administrator.
- [[file:Secret/ssh_monkey/][=Secret/ssh_monkey/=]] :: The key pair used by Monkey to update the
website on Front (and other unprivileged tasks).
- - [[file:Secret/ssh_front/][=Secret/ssh_front/=]] :: The host key pair used by Front to
- authenticate itself. The automatically generated key pair is
- /not/ used. (Thus Core's configuration does not depend on
- Front's.)
The institute uses a couple X.509 certificates to authenticate
servers. They are created by the EasyRSA Certificate Authority stored
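Review bot: with the =Secret/ssh_front/= entry gone, this listing no longer says where Front's host identity is kept, yet the rest of this change records it in =private/front_ed25519_key.pub=; that file deserves its own entry here (the public host key of =front=, read by the task that seeds Monkey's =known_hosts=) so the listing stays complete. The removed remark that Core's configuration does not depend on Front's also no longer holds as stated: the =known_hosts= task now does a =lookup('file', '../private/front_ed25519_key.pub')=, so =front= has to be created and its key copied before that task can run, and the listing is a good place to say so.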
: notebook$ rm admin_keys
: notebook$
-The Ansible configuration expects certain host keys on the new front.
-The administrator should install them now, and deal with the machine's
-change of SSH identity. The following commands copied the host keys
-in =Secret/ssh_front/= to the droplet and restarted the SSH server.
-
-: notebook$ ( cd Secret/ssh_front/etc/ssh/;
-: notebook_ scp ssh_host_* sysadm@159.65.75.60: )
-: notebook$ ssh sysadm@159.65.75.60
-: sysadm@ubuntu$ chmod 600 ssh_host_*
-: sysadm@ubuntu$ chmod 644 ssh_host_*.pub
-: sysadm@ubuntu$ sudo cp -b ssh_host_* /etc/ssh/
-: sysadm@ubuntu$ sudo systemctl restart ssh
-: sysadm@ubuntu$ logout
-: notebook$ ssh-keygen -f ~/.ssh/known_hosts -R 159.65.75.60
-
-The last command removed the old host key from the administrator's
-=known_hosts= file. The next few commands served to test
-password-less login as well as the privilege escalation command
-~sudo~.
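Review bot: dropping this procedure also drops the only text that dealt with the droplet's SSH identity, and the new flow moves the trust decision rather than removing it. Before, the identity was fixed in advance by the keys in =Secret/ssh_front/=; now the droplet keeps whatever key it generated, and that key, once copied into =private/=, is trusted by Monkey's =known_hosts= from then on. The fingerprint shown at the first =ssh sysadm@159.65.75.60= is therefore the one point at which a wrong host could be noticed. Suggest keeping a sentence here saying that this fingerprint should be compared with the one obtained out of band (for instance =ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub= run on the provider's console) before the key is copied.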
The Droplet needed a couple additional software packages immediately.
The ~wireguard~ package was needed to generate the Droplet's private
: notebook$ ssh root@159.65.75.60
: root@159.65.75.60: Permission denied (publickey).
: notebook$
+Finally, the new machine's ssh public host is copied to
+=private/front_ed25519_key.pub=.
+
+: notebook$ scp sysadm@$H:/etc/ssh/ssh_host_ed25519_key.pub \
+: notebook_ private/front_ed25519_key.pub
+: notebook$
At this point the droplet was ready for configuration by Ansible.
Later, provisioned with all of Front's services /and/ tested, the
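Review bot: the added =scp= uses =$H= for the host while every neighbouring command in this section (=ssh root@159.65.75.60= just above) spells out the address, and =H= is not set anywhere in the visible text; either define it (=H=159.65.75.60=) before the command or use the literal address as the surrounding commands do. It would also help to say why only the ed25519 key is captured: the =known_hosts= line built from it later matches =ssh-ed25519= only, so that is the one host key type Monkey will accept from =front=.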
groups: root,adm
#+END_SRC
-** Configure SSH
-
-The SSH service on Front needs to be known to Monkey. The following
-tasks ensure this by replacing the automatically generated keys with
-those stored in [[file:Secret/ssh_front/etc/ssh/][=Secret/ssh_front/etc/ssh/=]] and restarting the server.
-
-#+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
-
-- name: Install SSH host keys.
- become: yes
- copy:
- src: ../Secret/ssh_front/etc/ssh/{{ item.name }}
- dest: /etc/ssh/{{ item.name }}
- mode: "{{ item.mode }}"
- loop:
- - { name: ssh_host_ecdsa_key, mode: "u=rw,g=,o=" }
- - { name: ssh_host_ecdsa_key.pub, mode: "u=rw,g=r,o=r" }
- - { name: ssh_host_ed25519_key, mode: "u=rw,g=,o=" }
- - { name: ssh_host_ed25519_key.pub, mode: "u=rw,g=r,o=r" }
- - { name: ssh_host_rsa_key, mode: "u=rw,g=,o=" }
- - { name: ssh_host_rsa_key.pub, mode: "u=rw,g=r,o=r" }
- notify: Reload SSH server.
-#+END_SRC
-
-#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml :mkdirp yes
----
-- name: Reload SSH server.
- become: yes
- systemd:
- service: ssh
- state: reloaded
- tags: actualizer
-#+END_SRC
-
** Configure Monkey
The small institute runs cron jobs and web scripts that generate
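Review bot: removing the =Install SSH host keys= task fits the new flow, but the =Reload SSH server.= handler goes with it, and any task elsewhere in =roles_t/front/= that still carries =notify: Reload SSH server.= (one that edits =sshd_config=, say) will now fail at playbook load with an unknown-handler error. Suggest grepping the role for that =notify= before merging and keeping the handler if anything still references it. The removed handler block was also the one that carried =:mkdirp yes= and the leading =---= for =handlers/main.yml=, so the first remaining block tangled into that file must now provide them (the Postfix handler hunk below does this, and that ordering is worth confirming in the tangled output).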
#+END_SRC
#+CAPTION: [[file:roles_t/front/handlers/main.yml][=roles_t/front/handlers/main.yml=]]
-#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml
-
+#+BEGIN_SRC conf :tangle roles_t/front/handlers/main.yml :mkdirp yes
+---
- name: Restart Postfix.
become: yes
systemd:
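Review bot: moving =:mkdirp yes= and the =---= document marker onto the Postfix handler block is correct only if this block is now the first one tangled into =roles_t/front/handlers/main.yml=. A =---= that lands in the middle of the tangled file starts a second YAML document, and Ansible will not read the handlers that follow it. Since the block it replaces as first was the removed SSH handler above, a quick look at the tangled =handlers/main.yml= (the marker should be on line 1 and appear once) would settle it.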
- name: Configure Monkey SSH known hosts.
become: yes
vars:
- pubkeypath: ../Secret/ssh_front/etc/ssh
- pubkeyfile: "{{ pubkeypath }}/ssh_host_ecdsa_key.pub"
- pubkey: "{{ lookup('file', pubkeyfile) }}"
+ pubkey: "{{ lookup('file', '../private/front_ed25519_key.pub') }}"
lineinfile:
- regexp: "^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 "
+ regexp: "^{{ domain_name }},{{ front_addr }} ssh-ed25519 "
line: "{{ domain_name }},{{ front_addr }} {{ pubkey }}"
path: /home/monkey/.ssh/known_hosts
create: yes
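Review bot: the regexp now matches only an =ssh-ed25519= entry, so an =ecdsa-sha2-nistp256= line written by an earlier run of this task stays in =/home/monkey/.ssh/known_hosts= and no longer corresponds to any key this configuration manages on =front=. Either add a second =lineinfile= with =state: absent= for the old pattern, =^{{ domain_name }},{{ front_addr }} ecdsa-sha2-nistp256 =, or switch to the =known_hosts= module keyed on the host name, which removes existing entries for that host before writing the new key. Note too that =lookup('file', ...)= returns the whole =.pub= line including its trailing comment (typically =root@hostname=), so the =known_hosts= line will change, and this task will report changed, whenever the droplet's hostname at key-generation time differs; harmless, but worth a comment so nobody later treats that as drift.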
mysystem "echo 'HashKnownHosts no' >Secret/ssh_monkey/config";
mysystem ("ssh-keygen -q -t rsa -C monkey\@core",
"-N '' -f Secret/ssh_monkey/id_rsa");
-
- mysystem "mkdir Secret/ssh_front";
- chmod 0700, "Secret/ssh_front";
- mysystem "ssh-keygen -A -f Secret/ssh_front -C $dom";
exit;
}
#+END_SRC
copied and executed thusly:
: notebook$ scp private/test-front-prep USER@SERVER:
-: notebook$ scp -r Secret/ssh_front/ USER@SERVER:
+: notebook$ scp -r private/front_ssh/ USER@SERVER:
: sysadm@front$ scp USER@SERVER:test-front-prep ./
-: sysadm@front$ scp -r USER@SERVER:ssh_front/ ./
: sysadm@front$ ./test-front-prep
The script starts by installing additional software packages. The
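Review bot: the fetch onto =front= is removed without a replacement. The notebook now pushes =private/front_ssh/= to =USER@SERVER:=, but the deleted =scp -r USER@SERVER:ssh_front/ ./= has no =front_ssh/= counterpart, so =./test-front-prep= will fail at its =cd front_ssh/= because the directory is never on =front=. Add =: sysadm@front$ scp -r USER@SERVER:front_ssh/ ./= before the script is run. Separately, nothing in this change creates =private/front_ssh/=: the =ssh-keygen -A -f Secret/ssh_front= step that produced the old key set was removed from the key script above with no replacement, so either add the generation step (and note that =private/front_ed25519_key.pub= must then be copied from the generated =.pub=, since the =known_hosts= task reads that file) or state that the directory is populated by hand.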
EOF
#+END_SRC
-Ansible expects ~front~ to use the SSH host keys in
-=Secret/ssh_front/=, so it is prepared with these keys in advance.
-(If Ansible installed them, ~front~ would change identities while
-Ansible was configuring it. Ansible would lose subsequent access
-until the administrator's =~/.ssh/known_hosts= was updated!)
+Ansible expects =private/front_ed25519_key.pub= to be the SSH host key
+in use on ~front~, so it is prepared with a set of test keys in
+advance. Doing so now avoids ~front~ changing identities while
+Ansible is configuring it (if Ansible were to install the test
+identities).
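Review bot: the parenthetical "(if Ansible were to install the test identities)" inverts the reasoning; Ansible no longer installs any host keys, which is precisely why the identity change cannot happen. The reason for preparing keys in advance is the other one: =front= must present the key recorded in =private/front_ed25519_key.pub=, so during a test that file has to hold the public half of whatever test key set was installed. Suggest something like: "Ansible expects =private/front_ed25519_key.pub= to be the SSH host key in use on =front=, so =front= is given a test host key set in advance and that set's =.pub= is what the file holds during the test; =front='s identity then never changes while Ansible configures it." It would also help to say where the test key set comes from, since the reader has only seen =private/front_ssh/= in the copy commands above.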
#+CAPTION: [[file:private/test-front-prep][=private/test-front-prep=]]
#+BEGIN_SRC sh :tangle private/test-front-prep
-( cd ssh_front/etc/ssh/
- chmod 600 ssh_host_*
- chmod 644 ssh_host_*.pub
- sudo cp -b ssh_host_* /etc/ssh/ )
+( cd front_ssh/; sudo cp -b ssh_host_* /etc/ssh/ )
#+END_SRC
With the preparatory script successfully executed, ~front~ is shut
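Review bot: the two =chmod= lines were load-bearing and should stay. =cp= without =-p= gives a newly created destination the source file's mode bits (masked by umask), and with =-b= the existing =/etc/ssh/ssh_host_*= files are moved aside rather than overwritten in place, so the copies take their modes from =front_ssh/=; those files arrived by =scp -r=, and a private key that is =0644= there ends up =0644= in =/etc/ssh/=. sshd then rejects it as an unprotected private key file ("Permissions 0644 for '/etc/ssh/ssh_host_ed25519_key' are too open") and skips it, and =front= comes up presenting a different identity from the one =private/front_ed25519_key.pub= records, which is the exact failure this preparation exists to prevent. Keep =chmod 600 ssh_host_*= and =chmod 644 ssh_host_*.pub= inside the subshell, or apply them to the copies in =/etc/ssh/= after the =cp=. Also worth a comment: =cp -b= leaves the droplet's generated keys behind as =/etc/ssh/ssh_host_*~=; sshd does not load them, but they are another private key on disk that should be removed once the test set is confirmed working.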