Juju needs support of rotating the juju-client-key

Bug #1951597 reported by Vladimir Grevtsev
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Canonical Juju | Triaged | Medium | Unassigned |

Bug Description

$ juju --version
2.9.18-ubuntu-amd64

$ juju ssh-keys
Keys used in model: admin/ceph
cf:af:c7:f6:79:fc:cf:bd:b3:c3:40:95:8c:c5:a1:a2 (ubuntu@OrangeBox84)

$ juju ssh 0 -- cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9uo8INImVkKJy5KuI47/3gklL+3/upCoxw5ZMgXGsveNPBkP6EE3XvLKmAW9/YgDuUyZUg4ux9VMJ98QZvsq8toXobZ7Q2LccMz2VzxVetE7WSYdjk0DLWwHb1kZpJ9Xm+iew9xqTSU37b+V2SRPUjZflglmlGisG9eqHyn1sqRLIaWh3KqVNkfNvw6rMRhdcH3GHZ3TV8Ei6Ws7RvB5j80BhBp58UTqFhsWknNfshOe3BbZ3B1SQyFXfenRFYmhOGG2FO3IRWIhUTS9KaysrzVWK3B41TDlVuSKV9c6HyyeoPcgzMX1GThsDC9zqwcaAVq+kMHUfKyth7G34fFS5 Juju:juju-client-key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDarRU8LACFQpZv4g9exlS138Fa9wdN6R1T/oHYCW+yo1jpXuC0MMgkGSBNpWIKe3YphRreyQA/S9dh8osi+cf5O2Zfo7JOStjgGG7dOs/UWaZGm/npOjiVEuqAO/LR4hzEnizDSbWFVr0maY0YZfAHqF4lQZLmgxY/PXKB8ehlSdHrmz+FhVmwdDXBt+tSAYs6ufeGboaNqEM4wqY/gBZqdBX9fAFth1OXfRHYmPyBu3APhNh50NQ0Pa9ZmAQukgLvkjbA03R3Ua1BHbEdqtlW87RGsVxMljwABMNFVr1Ir6oK3thHqeBuuBY3AhtEmC3jN61mIW1uzXYiuv7MOMjJc7nNRnaSMsdlyV3YCJ5zuJ51R32iQWSh6Pto711BnhQfhRwsF3qx66fPhld/+a06pEeJOZZeRha7TPYXcgjoUAjET6Mvj++O0Ui5Xw7vj+/qzZLBPxI0oR1NR6aWW5yKDDTsdexZy/s7cT1LD+eJLZ5rwNt9YEBDGm89gzAb2sk= Juju:ubuntu@TestKey
Connection to 172.27.85.203 closed.

# note that we have two ssh keys here ^

$ juju remove-ssh-key ubuntu@TestKey
$ juju ssh-keys
No keys to display.

$ juju ssh 0 -- cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9uo8INImVkKJy5KuI47/3gklL+3/upCoxw5ZMgXGsveNPBkP6EE3XvLKmAW9/YgDuUyZUg4ux9VMJ98QZvsq8toXobZ7Q2LccMz2VzxVetE7WSYdjk0DLWwHb1kZpJ9Xm+iew9xqTSU37b+V2SRPUjZflglmlGisG9eqHyn1sqRLIaWh3KqVNkfNvw6rMRhdcH3GHZ3TV8Ei6Ws7RvB5j80BhBp58UTqFhsWknNfshOe3BbZ3B1SQyFXfenRFYmhOGG2FO3IRWIhUTS9KaysrzVWK3B41TDlVuSKV9c6HyyeoPcgzMX1GThsDC9zqwcaAVq+kMHUfKyth7G34fFS5 Juju:juju-client-key
Connection to 172.27.85.203 closed.

# ^ juju-client-key remains

$ juju remove-ssh-key juju-client-key
cannot remove key id "juju-client-key": may not delete internal key: juju-client-key

So, in fact, there is no way to rotate this key, in case it got compromised etc.

Harry Pidcock (hpidcock) wrote :

This would be useful for existing clusters when we drop rsa2048 generation (re: https://bugs.launchpad.net/juju/+bug/1974132), as it would allow the user to run, for example, `juju rotate-ssh-key juju-client-key`.

Changed in juju:
importance: Undecided → Medium
milestone: none → 3.1-beta1
status: New → Triaged
Changed in juju:
milestone: 3.1-beta1 → 3.1-rc1
Changed in juju:
milestone: 3.1-rc1 → 3.1-rc2
Changed in juju:
milestone: 3.1-rc2 → 3.1-rc3
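
An added example (not part of the bug report and not Juju's own code): a Python audit of an `authorized_keys` file that lists every `Juju:`-tagged entry with its colon-separated MD5 fingerprint and RSA modulus size, marking the `juju-client-key` entry that `juju ssh-keys` does not display above. The sample keys are constructed placeholders, the function names and the 3072-bit threshold are assumptions, and lines are assumed to carry no options prefix.

```python
import base64
import hashlib
import struct

INTERNAL_KEY_IDS = {"juju-client-key"}  # id that `juju remove-ssh-key` refuses in the report
def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def make_rsa_line(bits: int, comment: str) -> str:
    """Build a CONSTRUCTED ssh-rsa line (not a usable key) with a `bits`-bit modulus."""
    n = (1 << (bits - 1)) | 1
    n_bytes = b"\x00" + n.to_bytes(bits // 8, "big")  # mpint: leading zero keeps it positive
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n_bytes)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def audit_authorized_keys(text: str, min_rsa_bits: int = 3072):
    """Return one finding per Juju-managed line (comment starts with 'Juju:')."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 2)  # assumption: no options prefix, as in the report
        if len(fields) != 3 or not fields[2].startswith("Juju:"):
            continue
        blob = base64.b64decode(fields[1])
        algo, off = _read_string(blob, 0)
        bits = None
        if algo == b"ssh-rsa":
            _, off = _read_string(blob, off)  # skip the public exponent
            modulus, _ = _read_string(blob, off)
            bits = int.from_bytes(modulus, "big").bit_length()
        digest = hashlib.md5(blob).hexdigest()
        key_id = fields[2][len("Juju:"):].strip()
        findings.append({
            "key_id": key_id,
            "fingerprint": ":".join(digest[i:i + 2] for i in range(0, 32, 2)),
            "rsa_bits": bits,
            "internal": key_id in INTERNAL_KEY_IDS,  # cannot be removed via the CLI
            "weak": bits is not None and bits < min_rsa_bits,
        })
    return findings

SAMPLE = "\n".join([  # constructed sample mirroring the two entries in the report
    make_rsa_line(2048, "Juju:juju-client-key"),
    make_rsa_line(3072, "Juju:ubuntu@TestKey"),
    "ssh-ed25519 AAAA not-managed-by-juju",
])
```

Running `audit_authorized_keys` over the real file on each machine gives an inventory of which hosts still trust the internal key, which is the list an operator needs before any manual replacement.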