Page MenuHomePhabricator
Differential D10878

Allow device SSH keys to be trusted
ClosedPublic
Actions

Authored by epriestley on Nov 19 2014, 10:35 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Apr 12, 11:04 PM
Unknown Object (File)
Thu, Apr 11, 7:43 PM
Unknown Object (File)
Thu, Apr 4, 2:30 AM
Unknown Object (File)
Wed, Mar 20, 7:41 PM
Unknown Object (File)
Mar 9 2024, 5:29 PM
Unknown Object (File)
Feb 8 2024, 10:13 AM
Unknown Object (File)
Feb 8 2024, 10:13 AM
Unknown Object (File)
Feb 8 2024, 10:12 AM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T6240: Implement Conduit request signing for host-to-host calls
Commits
Restricted Diffusion Commit
rP5e0f218fe480: Allow device SSH keys to be trusted
Summary

Ref T6240. Some discussion in that task. In instance/cluster environments, daemons need to make Conduit calls that bypass policy checks.

We can't just let anyone add SSH keys with this capability to the web directly, because then an adminstrator could just add a key they own and start signing requests with it, bypassing policy checks.

Add a bin/almanac trust-key --id <x> workflow for trusting keys. Only trusted keys can sign requests.

Test Plan
  • Generated a user key.
  • Generated a device key.
  • Trusted a device key.
  • Untrusted a device key.
  • Hit the various errors on trust/untrust.
  • Tried to edit a trusted key.

Screen_Shot_2014-11-19_at_2.34.54_PM.png (143×976 px, 31 KB)

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley updated this revision to Diff 26124.Nov 19 2014, 10:35 PM
epriestley retitled this revision from to Allow device SSH keys to be trusted.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T6240: Implement Conduit request signing for host-to-host calls.
Herald added a subscriber: epriestley. · View Herald TranscriptNov 19 2014, 10:35 PM
Harbormaster completed remote builds in B3098: Diff 26124.Nov 19 2014, 10:36 PM
epriestley updated this revision to Diff 26126.Nov 19 2014, 10:41 PM
  • Fix a pht() string to print information more clearly.
Harbormaster completed remote builds in B3100: Diff 26126.Nov 19 2014, 10:41 PM
btrahan accepted this revision.Nov 19 2014, 10:43 PM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Nov 19 2014, 10:43 PM
Closed by commit rP5e0f218fe480: Allow device SSH keys to be trusted (authored by epriestley, committed by epriestley). · Explain WhyNov 21 2014, 1:33 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

Diff 26152

View Options

resources/sql/autopatches/20141119.sshtrust.sql

Loading...
View Options

src/__phutil_library_map__.php

Loading...
View Options

src/applications/almanac/controller/AlmanacDeviceViewController.php

Loading...
View Options

src/applications/almanac/management/AlmanacManagementRegisterWorkflow.php

Loading...
View Options

src/applications/almanac/management/AlmanacManagementTrustKeyWorkflow.php

Loading...
View Options

src/applications/almanac/management/AlmanacManagementUntrustKeyWorkflow.php

Loading...
View Options

src/applications/almanac/storage/AlmanacDevice.php

Loading...
View Options

src/applications/almanac/util/AlmanacConduitUtil.php

Loading...
View Options

src/applications/auth/controller/PhabricatorAuthSSHKeyEditController.php

Loading...
View Options

src/applications/auth/controller/PhabricatorAuthSSHKeyGenerateController.php

Loading...
View Options

src/applications/auth/sshkey/PhabricatorSSHPublicKeyInterface.php

Loading...
View Options

src/applications/auth/storage/PhabricatorAuthSSHKey.php

Loading...
View Options

src/applications/auth/view/PhabricatorAuthSSHKeyTableView.php

Loading...
View Options

src/applications/conduit/controller/PhabricatorConduitAPIController.php

Loading...
View Options

src/applications/people/storage/PhabricatorUser.php

Loading...
Phabricator · Built by Phacility