tripleo devtest scripts modify ~/.ssh/authorized_keys
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Won't Fix | High | Unassigned | |
Bug Description
This is done for two reasons:
A) We use 'local-config', which copies said authorized keys file into images, to permit sshing into the seed, which we need to do to run init-keystone.
B) We need the virtualpowermanager to be able to ssh into the host to do VM operations, so we set this up as part of making a local test environment.
For A) we add the user's own id_rsa.pub (which user-setup for the undercloud and overcloud use directly). This could be any key at all - and we're opening the user up to having their host ssh'd into.
For B) we use the private key for the test environment we've created.
We can mitigate A by using the public key for the test environment in question (as we always have its private key) instead of ~/.authorized_keys [and tell the user how to log into the seed], and we can mitigate B by using the ci-command command limiting script to lock down incoming SSH to only doing [fairly] harmless things.
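A sketch of the kind of lockdown proposed for B, added here as an example; it is not the ci-command script and not TripleO code. The wrapper path, the allowlist of virsh subcommands and the domain names in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Forced-command wrapper (hypothetical path), referenced from one line of
# ~/.ssh/authorized_keys for the test environment's key only:
#   command="/usr/local/bin/limit-ssh-command",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa <TESTENV-PUBLIC-KEY> testenv
# sshd runs this script for every login with that key and passes the
# client's request in SSH_ORIGINAL_COMMAND.

# A domain name we accept: non-empty, no leading '-', safe characters only.
valid_domain() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# is_allowed REQUEST: status 0 only for requests on the constructed allowlist
# (assumed virsh power operations, e.g. "virsh start baremetal_0").
# The body is a subshell so 'set -f' and LC_ALL do not leak into the caller.
is_allowed() (
    LC_ALL=C; export LC_ALL   # make A-Z style ranges byte-exact
    set -f                    # no glob expansion while splitting
    set -- $1                 # split into words; nothing is evaluated
    [ "$1" = virsh ] || exit 1
    case "$2" in
        list)
            [ $# -eq 2 ] || { [ $# -eq 3 ] && [ "$3" = --all ]; } ;;
        start|destroy|reboot|dumpxml)
            [ $# -eq 3 ] && valid_domain "$3" ;;
        *)
            exit 1 ;;
    esac
)

run_forced_command() {
    if ! is_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        # Log the source, not the raw request, to keep syslog lines clean.
        logger -p auth.warning -t limit-ssh-command \
            "denied request from ${SSH_CONNECTION:-unknown}" || true
        echo "limit-ssh-command: request denied" >&2
        return 1
    fi
    set -f
    exec $SSH_ORIGINAL_COMMAND   # argv exec: no shell parses the client's string
}

# Act only when sshd supplied a request; a login without one gets no shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    run_forced_command
    exit $?
fi
```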
We're no longer using devtest.