
Provide a generic SSH public key store for users
Closed, Wontfix · Public

Description

We're currently discussing how to restrict access to bastion machines in production (not on the Phabricator tier, but the production system of our product). We want to be able to provide access to bastion machines based on assigning users in Phabricator to projects / tags. Ideally we want to be able to write a script on all of the bastion machines that updates the /root/.ssh/authorized_keys file on a regular basis and synchronises the public keys of users in Phabricator with that file (or alternatively, use the authorized keys command like Phabricator itself does).

Right now Phabricator provides an SSH public key store in the form of SSH keys associated with a user's account. This is almost what we need, but we can't designate some keys as "Git access for Phabricator" and other keys as "Production bastion keys". Obviously we don't want to be in a scenario where a user is using the same SSH key to access Git as they are to access bastion machines in production.

Alternatively we could use Passphrase, but there's no API for automatically creating passphrase entries, and the creation process would be clunky for a user to do manually - not only do they need to create / generate the key in Passphrase, but they also need to set the policies so the bastion machines can view the public components of the keys, and then they'd probably have to do some additional thing to put their username in the description field or something? So that the bastion machines know who is being authorized? Although this is possible, I think it'd be far easier for everyone if we could just use the current SSH public key store for users.

Ultimately our goal is to not only restrict who has access to the bastion machines, but also insert a `command=` option so that we can explicitly log the username of the person connecting into the system audit logs.
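The sync step described above, as an added example that is not part of the original task or of Phabricator: it renders `authorized_keys` content with a per-user `command=` entry and refuses any username or key text that could smuggle extra options or lines into the file. The wrapper path, the username pattern, the allowed key types and the already-exported `(username, key_text)` records are assumptions made for illustration.

```python
import base64
import os
import re
import struct
import tempfile

# Hypothetical wrapper: logs the username to the audit log, then starts the session.
AUDIT_WRAPPER = "/usr/local/sbin/bastion-audit-login"
USERNAME_RE = re.compile(r"[a-z][a-z0-9_.-]{0,31}")  # assumed username policy
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def validate_key(key_text):
    """Return (type, blob) for one well-formed public key; raise ValueError otherwise."""
    key_text = key_text.strip()
    parts = key_text.split(" ")
    if "\n" in key_text or "\r" in key_text or len(parts) < 2:
        raise ValueError("not a single-line public key")
    key_type, blob = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unexpected key type or leading options")
    raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    # The blob begins with a length-prefixed copy of the key type name.
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def render_authorized_keys(records):
    """Build file content from (username, key_text) pairs; return (content, rejected)."""
    lines, rejected = [], []
    for username, key_text in records:
        try:
            if not USERNAME_RE.fullmatch(username):
                raise ValueError("username not safe to embed in command=")
            key_type, blob = validate_key(key_text)
        except ValueError as exc:
            rejected.append((username, str(exc)))
            continue
        # The user's own key comment is dropped and replaced with the account name.
        lines.append(f'command="{AUDIT_WRAPPER} {username}" {key_type} {blob} {username}')
    return "".join(line + "\n" for line in lines), rejected

def write_atomically(path, content):
    """Replace path in one step so sshd never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.replace(tmp, path)

# Constructed sample key (all-zero Ed25519 public key), not a real user's key.
SAMPLE = "ssh-ed25519 " + base64.b64encode(struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)).decode()
```

Rejected records are returned rather than silently skipped so the sync job can report them instead of locking a user out without explanation.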

Event Timeline

hach-que created this task. Jul 6 2016, 12:33 AM

After further investigation, we might just be able to tell users to set the "Name" field of the key that they want to use for production bastion access. I hadn't previously realised that this field was editable by clicking on the key in the "SSH Public Keys" pane.

SSH keys only got half-upgraded to modern stuff in T10917, but we could finish that at some point and let you tag them with projects -- roughly the same as renaming them, but a little more formal.

It would also be nice to let users mark keys in use like this as having no permissions (and ideally let you query/enforce this, I guess with `command=echo To use this key as a bastion access key, set the Phabricator permissions to "none".` or whatever). Some sort-of-related discussion in T7303, since whatever kind of permissions we pursue likely apply to OAuth tokens and API tokens too.

epriestley triaged this task as Wishlist priority.
epriestley closed this task as Wontfix. Dec 12 2018, 7:55 PM
epriestley claimed this task.

This might happen eventually, or as a side effect of T7303, but the use case here is pretty narrow and there's currently no customer interest so I don't currently anticipate building it.