Bug 972969
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | spacewalk-report ssh key should be locked down to only run reports | | |
| Product: | [Retired] Subscription Asset Manager | Reporter: | Chris Duryee <cduryee> |
| Component: | Splice | Assignee: | James Slagle <jslagle> |
| Status: | CLOSED ERRATA | QA Contact: | mkovacik |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 1.3 | CC: | bkearney, jmatthew, jslagle, vkuznets |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-10-01 10:55:58 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 833466 | | |
Description
Chris Duryee
2013-06-10 23:56:10 UTC
I think this can be solved with just documentation. I updated the user doc with the following text:

For added security, restrict the user that logs in with the ssh key to only running the spacewalk-report command. Do this by prepending the following to the key content in /root/.ssh/authorized_keys:

command="/usr/bin/spacewalk-report $SSH_ORIGINAL_COMMAND"

Added to line 75 in http://splice.pad.engineering.redhat.com/46

Going this route doesn't require any changes to sst.

Actually, I had to change sst to no longer specify to run the /usr/bin/spacewalk-report command since it's now confined to run that command in the authorized_keys file on the satellite server.

commit aba924a3a65e0a7e60ee5d72ce5e2232cdff1546

Verified in spacewalk-splice-tool-0.24-1.el6sam.x86_64

However, /etc/splice/checkin.conf still has the spacewalk_reports=/usr/bin/spacewalk-report setting, which is useless after the hardening (the setting is in ~/.ssh/authorized_keys now).

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1390.html
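sshd runs an authorized_keys `command=` string through the key owner's login shell, so a forced command written as `command="/usr/bin/spacewalk-report $SSH_ORIGINAL_COMMAND"` expands the client-supplied string unquoted, with word splitting and shell metacharacters interpreted. The wrapper below is an added example (not from this bug report or from spacewalk-splice-tool) that keeps the key confined to spacewalk-report while validating the requested arguments before exec; the install path /usr/local/sbin/spacewalk-report-only and the accepted argument shapes are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper for the spacewalk-report ssh key (added example).
# Install as /usr/local/sbin/spacewalk-report-only (assumed path) and point
# the key at it instead of expanding $SSH_ORIGINAL_COMMAND in authorized_keys:
#   command="/usr/local/sbin/spacewalk-report-only",no-port-forwarding,\
#   no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... reports@sst
set -euf   # -f: no pathname expansion when the request is word-split below

REPORT_BIN=/usr/bin/spacewalk-report

# validate_report_args "<request>": return 0 only if every word of the
# request is either a bare report name ([A-Za-z0-9_-]) or a long option
# (--flag or --name=value, value limited to [A-Za-z0-9_.,:=%-]).  Anything
# else (empty request, ';', '|', '>', '$(...)', paths, single-dash options)
# is rejected, so no shell metacharacter ever reaches a shell.
validate_report_args() {
    [ -n "$1" ] || return 1
    for word in $1; do
        case "$word" in
            --*)
                opt=${word#--}
                case "$opt" in
                    ''|*[!A-Za-z0-9_.,:=%-]*) return 1 ;;
                esac ;;
            ''|*[!A-Za-z0-9_-]*) return 1 ;;
        esac
    done
    return 0
}

# Dispatch only when sshd invoked us as a forced command (the variable is
# set); when the file is sourced for testing nothing below runs.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if validate_report_args "$SSH_ORIGINAL_COMMAND"; then
        # Splitting is intended here: each word was validated above.
        exec "$REPORT_BIN" $SSH_ORIGINAL_COMMAND
    fi
    logger -p auth.warning -t spacewalk-report-only \
        "rejected request: $SSH_ORIGINAL_COMMAND"
    echo "only spacewalk-report is permitted with this key" >&2
    exit 1
fi
```

With the wrapper in place the client side (sst) sends just the report name and options, e.g. `ssh satellite inventory --format=csv`, and any rejected request is recorded in the auth log for review.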