On Monday, January 14, 2013 at 21:59, Mark Van De Vyver wrote:
On Tue, Jan 15, 2013 at 10:47 AM, Mark Van De Vyver < "> > wrote:lusis and kevin keane have interesting suggestions/observations. Itend to agree that this is outside the scope of Chef though someelements of the following can be Chefified (Cooked?). Mike suggestionsare related but the data can be read by anyone in the instance withaccess to http://169.254.169.254/latest/user-dataI think Shlomo Swidler has covered this issue best[0]. TLDR:The Autoscaling requirement adds a wrinkle to the use of two signed(short expiry) s3 urls (one the encrypted credentials and the othercontaining the decryption key); the autoscaling launch config wouldneed to be constantly updated with current URLs, some may be happy toscript this periodic change but it has risks that an AMI fires up withan expired URL in its userdata.My suggestion would be to create an EBS with the encrypted private keyon it, and mount this at startup[1]. This is a superior approach toburning the encrypted key into an AMI. There are several options rehandling the decryption key:- passed in via signed URL (AS launch config needs to be updated, seeabove caveat re expiry)- create a public s3 url that is unguessable (cf signed url with noexpiry) and periodically update the AS launch config (now no instanceshould AS launch without access to the decryption key), deleting theold decryption key 'url' once AS launch config is changed. This URLshould also only be readable by an aws user whose sole permission+roleis to authenticate(via url)+decrypt private key. This user should beable to be managed by IAM , previously you'd create an AWS user withno permissions to incur charges (i.e. no credit card provided)Of course your instance start-up script must clean up after itself toremove traces of what it has done. The only remnant will be theunguessable/signed (changed/expired) decrypt key URL in the user data.HTH?PS I should have added that ideally the decrypted ssh key is stored insome ramdisk area so that it does not survive an instance reboot.RegardsMarkOn Tue, Jan 15, 2013 at 12:41 AM, Mike < "> > wrote:Late to the game.Have you explored using the instance launch user-data to write out your certs?i.e.#!/bin/bash -eexec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1echo BEGINdate '+%Y-%m-%d %H:%M:%S'mkdir -p /etc/chefcat <<- _EOF_<YOUR CLIENT.RB CONFIG>_EOF_/etc/chef/client.rbcat <<- _EOF_<YOUR VALIDATION PEM FILE>_EOF_/etc/chef/validation.pemcat <<- _EOF_<YOUR SSH KEY HERE>_EOF_> /path/to/private/ssh/key(if your AMI doesn't have chef installed, install it via omnibus:)curl -L https://www.opscode.com/chef/install.sh | bash/etc/init.d/chef-client startecho ENDThis is effectively the `knife bootstrap` process, executed by yourEC2 AutoScaler. This works with most "vetted" AMI images that do thefun 'cloud-init' and all that jazz.On Mon, Jan 14, 2013 at 5:02 AM, Cassiano Leal < "> > wrote:Since I want to auto-scale these nodes, I'll have to keep the validation.pemin the AMI that will be used to boot up. That's one of the solutions that Ithough -- store the SSH key in the AMI.I understand the security implications of copying SSH keys around or leavingthem in an image on the Amazon cloud, but I still fail to see a bettersolution. The fact that no alternative covering my requirements haveappeared in this thread makes me all the more confident that I'm not doingsomething too crazy.Recapitulating requirements:- Auto-scaling -- this is the key point- New nodes automatically register themselves on the chef server andconverge- Newly auto-scaled nodes are able to clone/update from git repos:* on the first chef run* no manual copy of SSH keys to the node* no manual authorisation of a new key on bitbucketI guess the better question would be: how are people auto-scaling chefnodes?On 11 January 2013 22:38, Dan Razzell < "> > wrote:+1As Kevin pointed out yesterday, there's something essentially upside-downabout your PKI if you're copying private keys around.On 13-01-11 04:31 PM, Kevin Keane (subscriptions) wrote:I see two options for that:- Upload the SSH key at the same time you bootstrap the new instance. Youcould even add that to a custom bootstrap script, to copy it along with thevalidation.pem- Regularly, say, every 30 minutes, run a knife search and upload the SSHkey to each server it finds.-----Original message-----From: Cassiano Leal < "> >Sent: Fri 01-11-2013 04:18 amSubject: [chef] Re: Re: RE: Distribute private ssh keys via users cookbookTo: "> ;All perfectly good points. How do I deal with auto-scaling, though? I don'treally want to be woken up in the middle of the night just because sitetraffic has peaked and more servers are spinning up so that I can SCP aprivate key to each new server. :)- cassianoOn Friday, January 11, 2013 at 02:18, Kevin Keane (subscriptions) wrote:I see where you are coming from! In this type of scenario, I would probablystep outside the Chef setup.The security problem in Chef ultimately arises because you allow the clientsto *pull* the private keys. As a result, a hacker can potentially simply useHTTP to download your databag, or even sniff the data going over the wire.Databag encryption, client.pem and validation.pem are all protections, butthey can't compete (and aren't designed to compete) with establishedsecurity mechanisms such as SSH, PGP, ...So maybe Chef isn't the best tool for this particular job?I would instead use SCP to copy your private key from a single secure serverto wherever they need to go. The big advantage is that because it is apush-based system, you have full control over which machines do the SSH keysget copied to.-----Original message-----From: Cassiano Leal < "> >Sent: Thu 01-10-2013 04:23 amSubject: [chef] Re: RE: Distribute private ssh keys via users cookbookTo: "> ;Hi Kevin,Thanks for sharing your thoughts. Let me describe my scenario and what I'mtrying to accomplish.I have VMs that spin up automatically on AWS. These VMs host severalapplications, most written in PHP and RoR. The source code for all the appsresides on bitbucket Git repos.I'm setting up application deployment via the deploy resource [0]. For that,I have created a "deploy" user through the users cookbook, but I need thisuser to have read-only access to the repos. For that, I have a bitbucketuser with read-only access and I need to configure this user with the publickeys, and that's done on bitbucket website.If I create a new key pair on each VM, I'll have to manually authorise thenew key on the bitbucket website so that the application can be deployed.That would completely defeat auto-scaling and would make my life a bitworse, specially on peak times. :)I understand the security implications of this approach, but I still find itall that much better than having to manage potentially infinite key pairs ona website. This key would have read only access to our repos, and if I findout that it has been compromised all I need to do is revoke it on bitbucket,create a new key pair and redistribute it.I can do that on a recipe manually, but it would be just a bit easier andmore concise if it was possible via the users cookbook.Also, it beats me why the cookbook allows me to distribute private keys viaan unencrypted data bag [1], and has no secure-ish solution for that.Again, I'm open for hearing other solutions to this problem. If they're moresecure, all the better, as long as it doesn't make me go to bitbucket.organd insert a new pubkey each time I spin up a new server. :)[1]- cassianoOn Thursday, January 10, 2013 at 09:51, Kevin Keane (subscriptions) wrote:It seems to me that there might be a problem with what you are trying toaccomplish in the first place. When you distribute private SSH keys through*any* means, you have a security problem. Doesn't matter if you are usingencrypted databags, or even manually copy the keys over. Unless they areyour own personal keys, it defeats the very concept behind public keyencryption - and if they *are* your personal keys, you should only manuallycopy them, not put them in an automated distribution system.Once generated, private SSH keys should never leave that user's control. Youcan use chef to distribute the corresponding public keys - and you don'teven need an encrypted databag. Public keys are not sensitive; you can leavethem unencrypted.If your users are humans, have them generated their SSH key pairs, andcreate a databag with all the public keys that you want to distribute. Hint:the users cookbook already has a mechanism built in to do that.If you need SSH key pairs for some automated tasks (say, a cron script doinga nightly rsync), generate a *new* key pair, and store only the public keyin a node attribute. You can use an execute or script resource to generatethe key pair; just make sure to check if the key may already exist (youdon't want to clobber an already-existing key pair).On the SSH client side, you'd extract all the relevant public keys from yourdatabag or node attributes, and add them to the authorized_keys file asneeded.-----Original message-----From: Cassiano Leal < "> >Sent: Wed 01-09-2013 11:40 amSubject: [chef] Distribute private ssh keys via users cookbookTo: "> ;Hi!Is there a way to securely distribute private ssh keys through the userscommunity cookbook?In my setup I have a user deploy that will fetch from git, and I need thatuser to have a SSH key that's authorized on the git repo. I saw that theusers cookbook will use "ssh_private_key" and "ssh_public_key" data bagitems, but those would be unencrypted, so not secure.If people are using a different approach, I'd like to hear about that too.Thanks!--Cassiano Leal
Archive powered by MHonArc 2.6.16.