Should I Reuse Device Keys?
OpenPublic
Actions

Asked by joshuaspence on Oct 14 2015, 11:31 PM.

Details

When registering a Drydock host with Almanac, it is possible to reuse a key across multiple devices with the --allow-key-reuse flag. I am unclear on whether this is a good idea however. That is, should I be creating a unique keypair for each Almanac device or is it fine to reuse the same key?

Answers

epriestley
Updated 3,404 Days Ago
Actions

I wouldn't recommend reusing the key across devices (and I think we'll probably remove that flag eventually).

What you can do is create a "virtual device" which has the key. For example, if you have repo001, repo002, etc., you could create a repo device, put the key on that, and then all your "physical devices" will just connect as that virtual device. This is a little odd and feels like it probably isn't the right long-term approach, but today there's no real distinction between which devices are connecting, so it's fine to just use one device as the list of authorized keys. We currently do this in the Phacility cluster -- all the daemons connect as daemons.phacility.net.

Once you hit a use case for distinguishing between tiers or devices (which might never happen) you can go split the key apart into separate keys per tier or separate keys per device.

Event Timeline

Sorry, I don't quite follow...

joshuaspence added a comment.Oct 15 2015, 2:47 AM

This comment was removed by joshuaspence.

So it's fine to reuse a key across multiple hosts which are registering as the same Almanac device, but I shouldn't reuse that key for different Almanac devices?

Right. If you put it on multiple devices, we can't choose a single identity when you try to do anything with that key. I don't actually remember why we're even allowing that at all and suspect it's some legacy stuff from an early draft that no longer makes any sense.

Just wanted to clarify as I'm not entirely sure that I understand... So we currently have a puppet role named phabricator_worker which runs phd daemons. As a step in our puppet scripts, we basically run /usr/src/phabricator/bin/almanac register --device=worker.phabricator.example.com --private-key=/path/to/private.key.

The idea is that may have more than one phabricator_worker instance, but that the instances will always register with Almanac as the worker.phabricator.example.com device. My understanding thus far is that this should be fine because we don't need to distinguish phabricator_worker hosts from one another. This would not be the case for hosts which are serving repositories however, because Almanac would need to be able identify the repository hosts in order to know where/how to proxy VCS commands to the host.

Currently, if I attempt to spin up a second phabricator_worker host, then the /usr/src/phabricator/bin/almanac register --device=worker.phabricator.example.com --private-key=/path/to/private.key command fails with:

Usage Exception: The public key corresponding to the given private key is already associated with the device. If you do not want to use a unique key, use --allow-key-reuse to permit reassociation.

My workaround for this is to add --allow-key-reuse. Alternatively, I could create separate devices in Almanac, but that is a bit of a pain.

Should I Reuse Device Keys?OpenPublicActions

Details

Event Timeline

Answers

epriestleyUpdated 3,404 Days AgoActions

Event Timeline

New Answer

Answer

Should I Reuse Device Keys?
OpenPublic
Actions

epriestley
Updated 3,404 Days Ago
Actions