[tor-bugs] #33868 [Internal Services/Tor Sysadmin Team]: fabric (incorrectly) assumes User root ssh_config

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 14 19:38:52 UTC 2020


#33868: fabric (incorrectly) assumes User root ssh_config
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  anarcat
     Type:  defect                               |         Status:  closed
 Priority:  Low                                  |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Major                                |     Resolution:  fixed
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * status:  accepted => closed
 * resolution:   => fixed


Comment:

 I have set `user = 'root'` in `tsa_misc/fabric.py` but because Fabric's
 ~/.ssh/config support *overrides* the configuration set there, it was
 still not working for some specific hosts where I had `User anarcat` set.

 The workaround I used there was to change the `purpose` field of
 `pauli.torproject.org` to `puppet.torproject.org`. This, in turn, added
 `puppet.torproject.org` to the `ssh_known_hosts` file generated by ud-ldap
 and distributed everywhere. So now I can have this `~/.ssh/config`
 configuration:

 {{{
 # interact as a normal user with Puppet and LDAP servers by default
 Host puppet.torproject.org db.torproject.org
   User anarcat

 Host *.torproject.org
   UserKnownHostsFile ~/.ssh/known_hosts.torproject.org
   User root
   VerifyHostKeyDNS ask

 # use jump host if the network is not in the trusted whitelist
 Match host *.torproject.org, !host perdulce.torproject.org, exec "! trusted-network"
   ProxyJump anarcat@perdulce.torproject.org
 }}}

 and connecting to (say) `pauli.torproject.org` will still log in as `root`.

 I have still hardcoded the `root@` account for `puppet.torproject.org` in
 the source code defaults for that reason.

 I think this should be good enough for now.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33868#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
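
Added example (not part of the ticket comment or of tsa_misc): a small model of ssh_config's "first obtained value wins" rule, run over the Host blocks quoted above, showing why `pauli.torproject.org` resolves to `root` while `puppet.torproject.org` keeps `anarcat`. The names `host_matches`, `lookup`, `effective_user` and `tool_default` are hypothetical; the override of the tool default follows the behaviour described in the comment, not Fabric's actual code.

```python
import fnmatch

# Host blocks from the ticket. The Match/ProxyJump block is left out of this
# model because it does not influence which User is selected.
SSH_CONFIG = """\
Host puppet.torproject.org db.torproject.org
  User anarcat

Host *.torproject.org
  UserKnownHostsFile ~/.ssh/known_hosts.torproject.org
  User root
  VerifyHostKeyDNS ask
"""

def host_matches(patterns, host):
    """ssh_config pattern list: at least one positive pattern must match and
    no negated (!) pattern may match. fnmatch is a close stand-in for ssh's
    '*' and '?' wildcards on ordinary host names."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host.lower(), pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(host.lower(), pat.lower()):
            positive = True
    return positive

def lookup(config_text, host):
    """Options ssh would pick for host: for each keyword the first value
    obtained wins, so earlier (more specific) Host blocks take priority."""
    options, active = {}, True  # lines before any Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "host":
            active = host_matches(value.split(), host)
        elif active:
            options.setdefault(key.lower(), value.strip())
    return options

def effective_user(config_text, host, tool_default="root"):
    """Assumption taken from the ticket: a User found in ssh_config
    overrides the default user configured in the calling tool."""
    return lookup(config_text, host).get("user", tool_default)
```

Swapping the two Host blocks makes every `*.torproject.org` host, including the Puppet and LDAP servers, resolve to `root`, which is why the specific block has to come first.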

