Description Luigi Tamagnone
2021-11-23 12:23:48 UTC
Description of problem:
In our documentation, there is no information about the rotation of the ssh key.
As a best practice, the ssh key should be rotated. In our official documentation[1] we mention fernet key and password rotation but nothing about ssh key rotation.
On RHOSP16.2 we have:
- heat-admin ssh key on undercloud that is present on all overcloud nodes as authorized_keys under /home/heat-admin/.ssh/authorized_keys
- heat-admin ssh key on undercloud that is present on all overcloud nodes as authorized_keys under /root/.ssh/authorized_keys
- ssh key generated by TripleO that is present on all overcloud nodes as authorized_keys under /home/tripleo-admin/.ssh/authorized_keys
- tripleo-admin ssh key that does not seem to be present on overcloud nodes.
From the upstream doc[2] it seems we should care only about the heat-admin key on the heat-admin overcloud user. We should review it and write it in our official documentation.
Additional info:
[1] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html-single/security_and_hardening_guide/index
[2] https://docs.openstack.org/project-deploy-guide/tripleo-docs/latest/post_deployment/update_undercloud_ssh_keys.html
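
An added example, not part of the original report or of any Red Hat or TripleO tooling: before rotating, an operator can inventory which public keys sit in the three authorized_keys files listed above and see which key is shared between accounts. The key lines, comments and the options prefix in the sample are constructed for the demo; only the three paths come from the report.

```python
import base64, hashlib, os, struct

# authorized_keys locations named in the report (RHOSP 16.2 overcloud nodes)
PATHS = [h + "/.ssh/authorized_keys" for h in ("/home/heat-admin", "/root", "/home/tripleo-admin")]

def fingerprint(blob):  # same SHA256 form that `ssh-keygen -l` prints
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return [(fingerprint, keytype, comment)], skipping any options prefix."""
    keys = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i in range(len(fields) - 1):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue
            name = fields[i].encode()
            # A key blob starts with its own length-prefixed type name.
            if blob.startswith(struct.pack(">I", len(name)) + name):
                keys.append((fingerprint(blob), fields[i], " ".join(fields[i + 2:])))
                break
    return keys

def shared_keys(files):
    """files: {path: text}. Return {fingerprint: sorted paths} for keys in more than one file."""
    seen = {}
    for path, text in files.items():
        for fp, _type, _comment in parse_authorized_keys(text):
            seen.setdefault(fp, set()).add(path)
    return {fp: sorted(p) for fp, p in seen.items() if len(p) > 1}

def sample_line(seed, comment, options=""):
    """Constructed ed25519-shaped line for the demo; not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"{options}ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

SAMPLE = {PATHS[0]: sample_line(1, "heat-admin@undercloud"),
          PATHS[1]: sample_line(1, "heat-admin@undercloud", 'no-pty,command="echo denied" '),
          PATHS[2]: sample_line(2, "tripleo-generated")}

if __name__ == "__main__":
    # Real files when readable (run as root on a node), else the constructed sample.
    files = {p: open(p).read() for p in PATHS if os.access(p, os.R_OK)} or SAMPLE
    for fp, paths in shared_keys(files).items():
        print(fp, "->", ", ".join(paths))
```

Running the same inventory after a rotation shows whether the old fingerprint is gone from every file, including /root/.ssh/authorized_keys.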