From a32f84b439b73149792bc51f9d4406b715b99a01 Mon Sep 17 00:00:00 2001 From: Clint Byrum Date: Wed, 3 May 2017 09:28:26 -0700 Subject: [PATCH] Revise security spec to discuss SSH keys We missed this in the first pass. We need to protect the private key to reduce the impact of any ansible-playbook escapes. Change-Id: Id7ef192f87fc665feb89629f1a8d0b75f9de5f9b --- specs/zuulv3-executor-security.rst | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/specs/zuulv3-executor-security.rst b/specs/zuulv3-executor-security.rst index 9b894de..ec0ac97 100644 --- a/specs/zuulv3-executor-security.rst +++ b/specs/zuulv3-executor-security.rst 
@@ -137,6 +137,33 @@ on it may be necessary to define per-job space limitations. Evaluation of methods of containment will assume that this change precedes or accompanies any implementation. +Access Credentials +------------------ + +We need to grant `ansible-playbook` the ability to access test nodes. +Since our only allowed Ansible connection method is SSH, we can +narrow this to SSH key access. Ideally we can allow the untrusted +`ansible-playbook` to use an SSH key to access test nodes without exposing +key material. + +SSH Agent +~~~~~~~~~ + +The executor already is configured for a path to an SSH private key file. +This file could be added into the contained chroot, but that would expose +the private key material to the untrusted playbook, which would allow +said malicious actor to log the key and use it to access other test +nodes as long as that SSH key is used. + +Instead we can use `ssh-agent` and expose the socket to the contained +`ansible-playbook`. Because `ssh-agent` only signs challenges, it will +mean that a malicious user will have to be able to do more than just log +the private key to make use of it, and their access to the key will end +when their access to `ssh-agent` ends. + +This will require making sure the socket is visible inside containment, +and passing in the environment necessary to help `ssh` find it. + Available Containment Methods -----------------------------
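Review bot: The "SSH Agent" subsection understates the residual risk: for as long as the untrusted `ansible-playbook` can reach the agent socket, it can authenticate as that key to any host that accepts it, not only to its own test nodes, so the spec should state that risk explicitly and say whether each job gets its own `ssh-agent` (started with the job, killed when the job ends) or shares one with other jobs, since "their access to the key will end when their access to `ssh-agent` ends" only holds if the agent's lifetime is tied to the job. The sentence "which would allow said malicious actor to log the key" has no antecedent for "said malicious actor"; the preceding text only mentions "the untrusted playbook", so name the actor first or say "a malicious playbook". The last paragraph should name the environment variable it means ("passing in the environment necessary to help `ssh` find it" is `SSH_AUTH_SOCK`). Finally, this file is reStructuredText, where single backticks are interpreted text and inline literals need double backticks, so `ansible-playbook`, `ssh-agent` and `ssh` should be written as ``ansible-playbook``, ``ssh-agent`` and ``ssh`` to match rendering elsewhere in the spec.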