[MediaWiki-commits] [Gerrit] operations/puppet[production]: keyholder: public keys publicly readable

2017-08-03 Thread Filippo Giunchedi (Code Review)
Filippo Giunchedi has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/369817 )

Change subject: keyholder: public keys publicly readable
..


keyholder: public keys publicly readable

As we add more identities to keyholder, we're beginning to run up
against the `MaxAuthTries` limit for sshd server. We can get around this
in scap by passing an explicit identityfile for ssh.

Ssh documentation seems to suggest that identityfiles are meant to be
private keys; however, it seems that it is actually reading the public
key files associated with a private key when a private key is passed as
an identityfile. Public keys passed as identityfiles work fine in
openssh.

These public keys are already available to anyone who has read access to
the keyholder proxy sock (everyone with ssh access to tin - which is
how I was able to test the modified scap command). This change just
makes the public read of public keys more explicit.

This change is needed for scap patch in phabricator: D733

Bug: T172333
Change-Id: Ic09e544fd8532785967673c65de905df44bd958a
---
M modules/keyholder/manifests/agent.pp
1 file changed, 1 insertion(+), 1 deletion(-)

Approvals:
  Paladox: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Filippo Giunchedi: Looks good to me, approved



diff --git a/modules/keyholder/manifests/agent.pp 
b/modules/keyholder/manifests/agent.pp
index dc260cf..f7d5eb2 100644
--- a/modules/keyholder/manifests/agent.pp
+++ b/modules/keyholder/manifests/agent.pp
@@ -61,7 +61,7 @@
 show_diff => false,
 owner => 'root',
 group => 'keyholder',
-mode  => '0440',
+mode  => '0444',
 }
 
 # generate the mapping between groups and keys. Used by ssh-agent-proxy
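Review bot: the hunk widens `mode` from '0440' to '0444', but the resource title and its `content`/`source` lie outside the shown context, so confirm this `file` resource manages only the `.pub` file and that the corresponding private-key resource keeps its '0440' (owner root, group keyholder). Since `show_diff => false` is retained on a file that is now world-readable, a one-line comment above the resource stating that the file is a public key and must be world-readable for ssh to use it as an `IdentityFile` would record the intent for the next reader.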

-- 
To view, visit https://gerrit.wikimedia.org/r/369817
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ic09e544fd8532785967673c65de905df44bd958a
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Thcipriani 
Gerrit-Reviewer: Chad 
Gerrit-Reviewer: Dzahn 
Gerrit-Reviewer: Filippo Giunchedi 
Gerrit-Reviewer: Paladox 
Gerrit-Reviewer: jenkins-bot <>

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
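The change above relies on a simple invariant: public key files may be world-readable, private key files must not be. The following POSIX shell audit is an added example, not code from the Gerrit change or from the keyholder Puppet module; it assumes a flat key directory in which every `*.pub` file is a public key and every other regular file is a private key (a constructed convention for the demo), and it builds its own sample directory with `mktemp` so it runs offline.

```shell
#!/bin/sh
# Added example (not part of the keyholder module): audit a keyholder-style
# key directory so that *.pub files are world-readable (0444, as the change
# sets) while private keys stay unreadable by "other".

# file_mode PATH -> octal permission bits such as 444 (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_key_dir DIR -> prints one line per violation.
# Returns 0 when the directory is clean, 1 when any violation was found.
audit_key_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(file_mode "$f")
        # the "other" permission digit is the last octal digit of the mode
        other=${mode#"${mode%?}"}
        case "$f" in
            *.pub)
                # public keys must be world-readable so ssh can use them as
                # IdentityFile without access to the private key
                if [ "$other" -lt 4 ]; then
                    echo "public key not world-readable ($mode): $f"
                    rc=1
                fi
                ;;
            *)
                # assumption for this demo: every non-.pub file is a private
                # key, which must grant no permission at all to "other"
                if [ "$other" -ne 0 ]; then
                    echo "private key readable by others ($mode): $f"
                    rc=1
                fi
                ;;
        esac
    done
    return $rc
}

# make_demo_dir -> creates a constructed sample directory and prints its path
make_demo_dir() {
    d=$(mktemp -d)
    : > "$d/deploy_rsa";     chmod 0440 "$d/deploy_rsa"      # private, group-readable: ok
    : > "$d/deploy_rsa.pub"; chmod 0444 "$d/deploy_rsa.pub"  # public, after the change: ok
    : > "$d/legacy_rsa";     chmod 0444 "$d/legacy_rsa"      # private, world-readable: violation
    : > "$d/legacy_rsa.pub"; chmod 0440 "$d/legacy_rsa.pub"  # public, before the change: violation
    echo "$d"
}

# Usage: audit_key_dir /path/to/keys || echo "fix the listed files"
```

Run `audit_key_dir` against the real key directory from a cron job or a Puppet exec-based check; a clean run returns 0 and prints nothing, so it can be wired straight into monitoring. The check only compares the "other" permission digit, which is the bit the change flips, so a private key wrongly placed in the group's read set is a separate policy question it does not try to answer.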


[MediaWiki-commits] [Gerrit] operations/puppet[production]: keyholder: public keys publicly readable

2017-08-02 Thread Thcipriani (Code Review)
Thcipriani has uploaded a new change for review. ( 
https://gerrit.wikimedia.org/r/369817 )

Change subject: keyholder: public keys publicly readable
..

keyholder: public keys publicly readable

As we add more identities to keyholder, we're beginning to run up
against the `MaxAuthTries` limit for sshd server. We can get around this
in scap by passing an explicit identityfile for ssh.

Ssh documentation seems to suggest that identityfiles are meant to be
private keys; however, it seems that it is actually reading the public
key files associated with a private key when a private key is passed as
an identityfile. Public keys passed as identityfiles work fine in
openssh.

These public keys are already available to anyone who has read access to
the keyholder proxy sock (everyone with ssh access to tin - which is
how I was able to test the modified scap command). This change just
makes the public read of public keys more explicit.

This change is needed for scap patch in phabricator: D733

Bug: T172333
Change-Id: Ic09e544fd8532785967673c65de905df44bd958a
---
M modules/keyholder/manifests/agent.pp
1 file changed, 1 insertion(+), 1 deletion(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/17/369817/1

diff --git a/modules/keyholder/manifests/agent.pp 
b/modules/keyholder/manifests/agent.pp
index dc260cf..f7d5eb2 100644
--- a/modules/keyholder/manifests/agent.pp
+++ b/modules/keyholder/manifests/agent.pp
@@ -61,7 +61,7 @@
 show_diff => false,
 owner => 'root',
 group => 'keyholder',
-mode  => '0440',
+mode  => '0444',
 }
 
 # generate the mapping between groups and keys. Used by ssh-agent-proxy

-- 
To view, visit https://gerrit.wikimedia.org/r/369817
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic09e544fd8532785967673c65de905df44bd958a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Thcipriani 
