ssh-key should be generated on fly, not to use public one

[ikke-t]

This is "looks bad security habbit" -kinda issue, but it hurts me see we share private ssh key in github. We should generate the key for the first user, and keep inserting the key everywhere by ansible.

E.g: Run ssh-keygen on the tower machine, register and print it to local file. Then push it to all the machines for student users.

[mglantz]

Well it's not a bad habbit, I think it's just us prioritizing usability instead of security I think. It makes things easier for setting up the lab, easier to troubleshoot systems, and so on. Eg. this is an Ansible lab and not a demo/lab of how to secure an automated setup of RHEL on AWS ;) We would then do things a lot different I think.

If we're to do this..
There is no connection from the tower servers to the managed systems, we provision the tower servers and managed systems separately, without them being associated. We could use tags in EC2 to associate a tower server with clients systems and then based on tags:

• Generate key on tower with tag 123, register and print to local file
• Push keys to managed systems with tag 123

Benefits:

• One tower can only manage it's managed systems
• 0 risk of outside hackers compromising environment

Cons:

• Less robust install, you need to keep a connection to the install base for the duration of the install, pushing the key to 900 managed systems will take some time. As it is, you only need to be online for 3-4 minutes and then the install happens in AWS.
• Tiny bit more secure, but the risk of someone getting the key from git, managing to scan the systems in an ongoing lab is not really high. But if security is a concern, we have bigger fish to fry I think. Such as credentials for the systems. Highest risk is that a student messes with other students. But unique keys won't save you then.
• More lock-in to AWS

[mglantz]

I've added 73a200f to underscore that the security design is on purpose.

[mglantz]

To improve security a bit, I've commited 4c220df

[ikke-t]

You have good points, and explaining that in readme is good. The proper ssh keys would only make sense if we create them unique per registrant, and e.g. send it via mail to each participant, along with unique pwd and other env. info. That would be then much more complicated, and future item.

[mglantz]

Mmm. If we're to avoid students being able to access other students systems, e-mail is probably the only way I guess. Or is there some other way? Put the information in automatically generated password protected pastebins which has limited live? If someone doesn't have access to their e-mail, we could log studentX: pastebin.com/aspldfpl so that we can pull out the info on site.

[mglantz]

If generation and distribution of key all happens via the tower-install.yml playbook, then it won't have any impact on installation time. I suggest we solve it there.

[mglantz]

tower-install.yml get's dropped off via https://github.com/mglantz/ansible-roadshow/blob/master/content/scripts/tower-prep.sh currently, to ease testing of differents branches and because pulling the playbook from github was failing quite often.

[mglantz]

Change needs to be integrated into lab-7 where Tower is configured for access to systems. https://github.com/mglantz/ansible-roadshow/blob/master/labs/lab-7/README.md