Bug #4989
closed
[Deployment] Switchyard should behave correctly when one SSH key has access to multiple VMs using different usernames.
Story points:
0.5
Description
There's a lack of coordination between switchyard and the API server's authorized_keys table that can lead to a situation like this:
If a user has been given login permission to different hosts with the same SSH key, but with different usernames, e.g. if alice logs in as alice to some VMs but bob to others:

tail_uuid: qr1hi-tpzed-alice
head_uuid: qr1hi-2x53u-shellvmalpha
link_class: permission
name: can_login
properties: {'username': 'alice'}

tail_uuid: qr1hi-tpzed-alice
head_uuid: qr1hi-2x53u-shellvmbeta
link_class: permission
name: can_login
properties: {'username': 'bob'}

... switchyard may not choose the correct username for the VM in question, and may e.g. attempt to authenticate alice to 'shellvmalpha' as bob rather than alice.
We should decide on which policy we want:
- Users must use the same username for each host that shares a single SSH key
- Users may log in to different VMs with different usernames, even if reusing the SSH key
and make sure the policy is implemented properly in software.
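
An added sketch of both policies over the two can_login links quoted above; it is not Switchyard or API server code. It assumes the SSH key has already been mapped to the owning user's UUID, and the function names are hypothetical.

```python
# Added illustration; not Switchyard or Arvados API server code.
from collections import defaultdict

# Constructed sample: the two can_login links from the description.
LINKS = [
    {"tail_uuid": "qr1hi-tpzed-alice", "head_uuid": "qr1hi-2x53u-shellvmalpha",
     "link_class": "permission", "name": "can_login",
     "properties": {"username": "alice"}},
    {"tail_uuid": "qr1hi-tpzed-alice", "head_uuid": "qr1hi-2x53u-shellvmbeta",
     "link_class": "permission", "name": "can_login",
     "properties": {"username": "bob"}},
]


def _login_links(links):
    """Yield (user_uuid, vm_uuid, username) for well-formed can_login links."""
    for link in links:
        if link.get("link_class") != "permission" or link.get("name") != "can_login":
            continue
        username = (link.get("properties") or {}).get("username")
        if username:
            yield link["tail_uuid"], link["head_uuid"], username


def usernames_for(links, user_uuid, vm_uuid):
    """Second policy: usernames this user may use on this specific VM only."""
    return sorted({name for u, vm, name in _login_links(links)
                   if u == user_uuid and vm == vm_uuid})


def conflicting_users(links):
    """First policy check: users whose links name more than one username."""
    seen = defaultdict(set)
    for user, _vm, name in _login_links(links):
        seen[user].add(name)
    return {user: sorted(names) for user, names in seen.items() if len(names) > 1}


def resolve(links, user_uuid, vm_uuid):
    """Return the single username for (user, VM); refuse if none or ambiguous."""
    names = usernames_for(links, user_uuid, vm_uuid)
    if len(names) != 1:
        raise PermissionError(f"no unique login for {user_uuid} on {vm_uuid}: {names}")
    return names[0]
```

Under the first policy, a non-empty result from `conflicting_users` is a configuration error to reject; under the second, `resolve` must always be given the target VM so the username is never taken from a link for a different host.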