Bug #4989

closed

[Deployment] Switchyard should behave correctly when one SSH key has access to multiple VMs using different usernames.

Added by Tim Pierce over 9 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Deployment
Target version: -
Story points: 0.5

Description

There's a lack of coordination between switchyard and the API server's authorized_keys table that can lead to a situation like this:

If a user has been given login permission to different hosts with the same SSH key, but with different usernames, e.g. if alice logs in as alice to some VMs but bob to others:

  tail_uuid: qr1hi-tpzed-alice
  head_uuid: qr1hi-2x53u-shellvmalpha
  link_class: permission
  name: can_login
  properties: {'username': 'alice'}

  tail_uuid: qr1hi-tpzed-alice
  head_uuid: qr1hi-2x53u-shellvmbeta
  link_class: permission
  name: can_login
  properties: {'username': 'bob'}

... switchyard may not choose the correct username for the VM in question, and may e.g. attempt to authenticate alice to 'shellvmalpha' as bob rather than alice.

We should decide on which policy we want:
  1. Users must use the same username for each host that shares a single SSH key
  2. Users may log in to different VMs with different usernames, even if reusing the SSH key

and make sure the policy is implemented properly in software.
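
The following Python example is added here for illustration; it is not part of the ticket and is not Switchyard or API server code. It models the two can_login links above to show why picking the username from the key alone depends on link order, how a lookup on key owner plus target VM implements policy 2, and how policy 1 can be checked. The KEY_OWNER mapping, the key fingerprint and all function names are hypothetical.

```python
# Added example: models the lookup described in the ticket; not Switchyard or API server code.
from collections import defaultdict

# The two can_login permission links from the ticket description.
LINKS = [
    {"tail_uuid": "qr1hi-tpzed-alice", "head_uuid": "qr1hi-2x53u-shellvmalpha",
     "link_class": "permission", "name": "can_login",
     "properties": {"username": "alice"}},
    {"tail_uuid": "qr1hi-tpzed-alice", "head_uuid": "qr1hi-2x53u-shellvmbeta",
     "link_class": "permission", "name": "can_login",
     "properties": {"username": "bob"}},
]
# Constructed stand-in for the authorized_keys table: key fingerprint -> owning user.
KEY_OWNER = {"SHA256:constructed-alice-key": "qr1hi-tpzed-alice"}

def login_links(links):
    """Yield (user_uuid, vm_uuid, username) for each can_login permission link."""
    for link in links:
        if link["link_class"] == "permission" and link["name"] == "can_login":
            yield link["tail_uuid"], link["head_uuid"], link["properties"]["username"]

def username_by_key_only(fingerprint, links):
    """Failure mode: ignores the target VM, so the answer depends on link order."""
    owner = KEY_OWNER.get(fingerprint)
    for user, _vm, username in login_links(links):
        if user == owner:
            return username
    return None

def username_for(fingerprint, vm_uuid, links):
    """Policy 2: resolve on (key owner, target VM); None means no login permission."""
    owner = KEY_OWNER.get(fingerprint)
    if owner is None:
        return None
    names = {n for u, vm, n in login_links(links) if u == owner and vm == vm_uuid}
    if len(names) > 1:
        raise ValueError(f"ambiguous usernames for {owner} on {vm_uuid}: {sorted(names)}")
    return names.pop() if names else None

def policy1_violations(links):
    """Policy 1: report users whose can_login links carry more than one username."""
    seen = defaultdict(set)
    for user, _vm, username in login_links(links):
        seen[user].add(username)
    return {user: sorted(names) for user, names in seen.items() if len(names) > 1}
```
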

Actions #1

Updated by Tom Clegg about 9 years ago

  • Subject changed from [API] enforce username restrictions on ssh keys to [Deployment] Switchyard should behave correctly when one SSH key has access to multiple VMs using different usernames.
  • Category changed from API to Deployment
  • Assigned To set to Ward Vandewege
Actions #2

Updated by Brett Smith about 9 years ago

  • Target version changed from Bug Triage to 2015-02-18 sprint
Actions #3

Updated by Tom Clegg about 9 years ago

  • Story points set to 0.5
Actions #4

Updated by Tom Clegg about 9 years ago

  • Target version changed from 2015-02-18 sprint to Arvados Future Sprints
Actions #5

Updated by Ward Vandewege almost 5 years ago

  • Status changed from New to Resolved
Actions #6

Updated by Tom Morris over 4 years ago

  • Target version deleted (Arvados Future Sprints)