Feature #8617

Create / Use SSH Keys so that "root password" is not emailed.

Added by Tommy McNeely almost 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Difficulty:
Triaged: No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Digital Ocean supports the use of SSH Keys for authentication, and they should be used instead of root passwords since they email the account admin the root password on each VM creation. I believe this is done for EC2, so it should be "adaptable" :)

Associated revisions

Revision a6f66dc3 (diff)
Added by Tom Caspy almost 7 years ago

fixes #8617 - adding ssh key pair integration for digital ocean

Revision bb981b80
Added by Tommy McNeely almost 7 years ago

Merge pull request #4 from unorthodoxgeek/8617

fixes #8617 - adding ssh key pair integration for digital ocean

History

#1 Updated by Tom Caspy almost 7 years ago

  • Assignee set to Tom Caspy

#2 Updated by Tom Caspy almost 7 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman-digitalocean/pull/2 added
  • Pull request deleted ()

I've tested this on my DO account and seems to work perfectly.
Do mind that this works just like EC2 - it automatically generates an ssh key for foreman to use when creating the compute resource, and saves the private key in the DB. It is unsafe to have this key on the machine, and it should be revoked by the config management, replaced by other keys, as the requirements may be.

#3 Updated by Tommy McNeely almost 7 years ago

Hmm, you have a point... I was trying to prevent the emailed root password because that is just horrible, but having the private key in the database, whether it's encrypted, obfuscated, or in clear text is almost as bad. I do think that the SSH private key should be obfuscated some way in the database, but if someone steals the foreman database, and gets the SSH keys, they probably have the ability to decrypt them as well. Perhaps there should be an option to auto-remove the ssh key as part of a finish script? Obviously out of scope for this ticket.

I will have to take a look at this after work (unless Daniel has time)
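One way the finish-script step raised in comments #2 and #3 could look, as an added example that is not part of the ticket or of the foreman-digitalocean code: a POSIX shell function that removes the provisioning public key from an `authorized_keys` file and refuses to do so when no other key would remain. The function names, return codes and key values are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: revoke the auto-generated provisioning key on a finished host.
# Usage: revoke_provisioning_key AUTHORIZED_KEYS_FILE 'ssh-rsa AAAA... comment'
# Returns 0 if the key was removed, 1 if it was not present,
# 2 if removal would leave no key at all (lockout guard), 3 on bad input.
revoke_provisioning_key() {
    auth_file=$1
    # The base64 blob is the second field of a public key line.
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    [ -n "$blob" ] && [ -f "$auth_file" ] || return 3

    tmp=$(mktemp "${auth_file}.XXXXXX") || return 3
    # Drop every line that carries the blob as a whole field; this also
    # matches entries that have an options prefix before the key type.
    awk -v blob="$blob" '
        { hit = 0; for (i = 1; i <= NF; i++) if ($i == blob) hit = 1 }
        !hit
    ' "$auth_file" > "$tmp"

    # Count the keys that would remain (non-empty, non-comment lines).
    remaining=$(awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$tmp")

    if cmp -s "$auth_file" "$tmp"; then
        rm -f "$tmp"; return 1      # provisioning key not present
    fi
    if [ "$remaining" -eq 0 ]; then
        rm -f "$tmp"; return 2      # config management has not added a key yet
    fi
    # Replace the file in one step so sshd never reads a partial file.
    chmod 600 "$tmp" && mv "$tmp" "$auth_file"
}

# Demo on constructed data (fake key blobs); prints the surviving entries.
demo_revoke() {
    dir=$(mktemp -d) || return 3
    prov='ssh-rsa AAAAB3ConstructedProvisioningKey== provisioning'
    admin='ssh-ed25519 AAAAC3ConstructedAdminKey admin@example'
    printf '%s\n%s\n' "no-pty $prov" "$admin" > "$dir/authorized_keys"
    revoke_provisioning_key "$dir/authorized_keys" "$prov" || return $?
    cat "$dir/authorized_keys"
    rm -rf "$dir"
}
```

This only revokes the public key on the host; the private key stored in the Foreman database is a separate concern, as comment #3 notes.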

#4 Updated by Anonymous almost 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
