-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh-key should be generated on fly, not to use public one #68
Comments
Well it's not a bad habbit, I think it's just us prioritizing usability instead of security I think. It makes things easier for setting up the lab, easier to troubleshoot systems, and so on. Eg. this is an Ansible lab and not a demo/lab of how to secure an automated setup of RHEL on AWS ;) We would then do things a lot different I think. If we're to do this..
Benefits:
Cons:
|
I've added 73a200f to underscore that the security design is on purpose. |
To improve security a bit, I've commited 4c220df |
You have good points, and explaining that in readme is good. The proper ssh keys would only make sense if we create them unique per registrant, and e.g. send it via mail to each participant, along with unique pwd and other env. info. That would be then much more complicated, and future item. |
Mmm. If we're to avoid students being able to access other students systems, e-mail is probably the only way I guess. Or is there some other way? Put the information in automatically generated password protected pastebins which has limited live? If someone doesn't have access to their e-mail, we could log studentX: pastebin.com/aspldfpl so that we can pull out the info on site. |
If generation and distribution of key all happens via the tower-install.yml playbook, then it won't have any impact on installation time. I suggest we solve it there. |
tower-install.yml get's dropped off via https://github.com/mglantz/ansible-roadshow/blob/master/content/scripts/tower-prep.sh currently, to ease testing of differents branches and because pulling the playbook from github was failing quite often. |
Change needs to be integrated into lab-7 where Tower is configured for access to systems. https://github.com/mglantz/ansible-roadshow/blob/master/labs/lab-7/README.md |
This is "looks bad security habbit" -kinda issue, but it hurts me see we share private ssh key in github. We should generate the key for the first user, and keep inserting the key everywhere by ansible.
E.g: Run ssh-keygen on the tower machine, register and print it to local file. Then push it to all the machines for student users.
The text was updated successfully, but these errors were encountered: