profiles/cluster Get SSH authorized_keys from cirrus

André Breda requested to merge ist189409/nixrnl:cluster-cirrus-ssh into master

Description of changes

This MR restores behavior from the old Gentoo/Ubuntu setup: OpenSSH considers authorized_keys{,2} files from the user's home in cirrus.

Unlike accepting keys from AFS, this does not require users to relax permissions on their .ssh directory (we control GlusterFS, so we can read any file without special permission), which can potentially lead them to expose private keys by accident.

This is a useful addition, because cluster users do not need AFS at all, but need to SSH into borg (and lab machines for debugging) all the time.

It is arguably bad to make SSH into lab machines easy (because it could disturb cluster jobs), but this concern is better addressed by other means (e.g. draining all nodes while sessions are active in them, creating fake jobs representing user sessions, denying any non-root SSH session in PAM if jobs are active in the machine, etc.). A user that is savvy enough to use this mechanism is likely to also not want to disturb cluster workloads anyway.

Things done

  • [-] Tested
    • it's the script from ansible, so kinda
  • Updated documentation (Wiki/NetBox)
  • Breaking change
