Page MenuHomePhabricator

Deactivate SSH keys instead of destroying them completely
ClosedPublic

Authored by epriestley on May 18 2016, 4:46 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Nov 23, 2:50 AM
Unknown Object (File)
Fri, Nov 18, 2:11 AM
Unknown Object (File)
Wed, Nov 16, 4:00 PM
Unknown Object (File)
Sat, Nov 12, 3:41 PM
Unknown Object (File)
Fri, Nov 11, 6:21 PM
Unknown Object (File)
Fri, Nov 11, 6:19 PM
Unknown Object (File)
Thu, Nov 10, 11:18 PM
Unknown Object (File)
Thu, Nov 10, 12:37 PM
Subscribers
None

Details

Summary

Ref T10917. Currently, when you delete an SSH key, we really truly delete it forever.

This isn't very consistent with other applications, but we built this stuff a long time ago before we were as rigorous about retaining data and making it auditable.

In partiular, destroying data isn't good for auditing after security issues, since it means we can't show you logs of any changes an attacker might have made to your keys.

To prepare to improve this, stop destoying data. This will allow later changes to become transaction-oriented and show normal transaction logs.

The tricky part here is that we have a UNIQUE KEY on the public key part of the key.

Instead, I changed this to UNIQUE (key, isActive), where isActive is a nullable boolean column. This works because MySQL does not enforce "unique" if part of the key is NULL.

So you can't have two rows with ("A", 1), but you can have as many rows as you want with ("A", null). This lets us keep the "each key may only be active for one user/object" rule without requiring us to delete any data.

Test Plan
  • Ran schema changes.
  • Viewed public keys.
  • Tried to add a duplicate key, got rejected (already associated with another object).
  • Deleted SSH key.
  • Verified that the key was no longer actually deleted from the database, just marked inactive (in future changes, I'll update the UI to be more clear about this).
  • Uploaded a new copy of the same public key, worked fine (no duplicate key rejection).
  • Tried to upload yet another copy, got rejected.
  • Generated a new keypair.
  • Tried to upload a duplicate to an Almanac device, got rejected.
  • Generated a new pair for a device.
  • Trusted a device key.
  • Untrusted a device key.
  • "Deleted" a device key.
  • Tried to trust a deleted device key, got "inactive" message.
  • Ran bin/ssh-auth, got good output with unique keys.
  • Ran cat ~/.ssh/id_rsa.pub | ./bin/ssh-auth-key, got good output with one key.
  • Used auth.querypublickeys Conduit method to query keys, got good active keys.

Diff Detail

Repository
rP Phabricator
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

epriestley retitled this revision from to Deactivate SSH keys instead of destroying them completely.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: chad.
chad edited edge metadata.
This revision is now accepted and ready to land.May 18 2016, 9:32 PM
This revision was automatically updated to reflect the committed changes.