
TLS - Private key (insecure) copy fails when ansible is ran as a regular user #139

Open
fee-mendes opened this issue Jul 4, 2022 · 1 comment · May be fixed by #141
@fee-mendes · Member
Seen at:

TASK [ansible-scylla-node : Copy the certificates into their proper locations] ************************************************************************************************************************************
changed: [172.31.23.8] => (item=./ssl/ca/testcluster-ca.crt)
changed: [172.31.23.8] => (item=./ssl/172.31.23.8/172.31.23.8.crt)
fatal: [172.31.23.8]: FAILED! => {"msg": "an error occurred while trying to read the file '/home/ubuntu/ssl/172.31.23.8/172.31.23.8.pem': [Errno 13] Permission denied: b'/home/ubuntu/ssl/172.31.23.8/172.31.23.8.pem'. [Errno 13] Permission denied: b'/home/ubuntu/ssl/172.31.23.8/172.31.23.8.pem'"}

As private keys are created with `become: True`, these will naturally default to the root user:

ubuntu@ip-172-31-15-172:~$ ls -l /home/ubuntu/ssl/172.31.23.8/172.31.23.8.pem
-rw------- 1 root root 3243 Jul  4 01:10 /home/ubuntu/ssl/172.31.23.8/172.31.23.8.pem
ubuntu@ip-172-31-15-172:~$ sudo file /home/ubuntu/ssl/172.31.23.8/172.31.23.8.pem
/home/ubuntu/ssl/172.31.23.8/172.31.23.8.pem: PEM RSA private key
ubuntu@ip-172-31-15-172:~$ 

Therefore the task `Copy the certificates into their proper locations` throws.

This issue should:

  • No longer generate keys as root under localhost
  • Ensure that private keys are copied with their correct permissions (600) as the convention is for many programs to fail when reading potentially insecure and exposed keys (Apache HTTPD & OpenSSH are some notable examples)
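An added example (not the scylla-ansible-roles code) of the two points above in playbook form: the key is generated on the controller as the invoking user rather than as root, copied to the node as `scylla:scylla` with mode 0600, and then verified. The `./ssl/...` layout follows the output in the issue; the `/etc/scylla/ssl` destination and the `scylla` user/group are assumptions.

```yaml
# Added example, not the role's own tasks. Assumed: the "scylla" user/group
# exists on the node and /etc/scylla/ssl is the target directory.
- name: Generate and install node TLS keys with safe ownership
  hosts: scylla
  gather_facts: false
  tasks:
    - name: Create the node private key on the controller as the Ansible user
      community.crypto.openssl_privatekey:
        path: "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.pem"
        mode: "0600"            # private key: owner-only, even on the controller
      delegate_to: localhost
      become: false             # become: true here is what makes the key root-owned
                                # and unreadable by the user who later copies it

    - name: Copy the private key with strict permissions
      ansible.builtin.copy:
        src: "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.pem"
        dest: "/etc/scylla/ssl/{{ inventory_hostname }}.pem"
        owner: scylla
        group: scylla
        mode: "0600"            # many programs refuse to load a group/world-readable key
      become: true              # root is only needed on the node, to chown to scylla

    - name: Copy the public certificate (public material may be world-readable)
      ansible.builtin.copy:
        src: "./ssl/{{ inventory_hostname }}/{{ inventory_hostname }}.crt"
        dest: "/etc/scylla/ssl/{{ inventory_hostname }}.crt"
        owner: scylla
        group: scylla
        mode: "0644"
      become: true

    - name: Inspect the installed private key
      ansible.builtin.stat:
        path: "/etc/scylla/ssl/{{ inventory_hostname }}.pem"
      register: key_stat
      become: true

    - name: Fail the play if the key is owned by the wrong user or too permissive
      ansible.builtin.assert:
        that:
          - key_stat.stat.exists
          - key_stat.stat.pw_name == "scylla"
          - key_stat.stat.gr_name == "scylla"
          - key_stat.stat.mode == "0600"
        fail_msg: "Private key must be scylla:scylla with mode 0600"
```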
@fee-mendes fee-mendes changed the title TLS - Private key (insecure) copy fails ansible is ran as a regular user TLS - Private key (insecure) copy fails when ansible is ran as a regular user Jul 4, 2022
fee-mendes added a commit to fee-mendes/scylla-ansible-roles that referenced this issue Jul 4, 2022
… scylla user

When the source playbook is executed with `become: True` its relevant TLS certificates will be owned by root. This causes a problem, because later on when trying to copy we are unable to read the resulting private key file, as it is (correctly) created by default with mode 0600.

This commit lets Ansible generate each PKI component with mode 0644. Then, it ensures these are copied to the remote machine with strict permissions for the scylla user/group. Finally, it ensures that the private key is only readable by its target user - both locally and remotely.

Fixes scylladb#139
fee-mendes added a commit to fee-mendes/scylla-ansible-roles that referenced this issue Jul 4, 2022
fee-mendes added a commit to fee-mendes/scylla-ansible-roles that referenced this issue Jul 5, 2022
@stefanofornari

What's the status of this issue? It looks quite old and I have the same issue with the latest version.
Also, is there a temporary workaround?
