Opened 10 years ago

Last modified 6 years ago

#1756 assigned Bug/Something is broken

How should we update user's authorized keys files on a monkeysphere enabled server?

Reported by: https://id.mayfirst.org/jamie
Owned by: https://id.mayfirst.org/jamie
Priority: Low
Component: Tech
Keywords: monkeysphere
Cc:
Sensitive: no

Description

Currently, june.mayfirst.org is running the Monkeysphere, a system for managing SSH identities using GPG.

As ticket #1773 demonstrates - when a user drops their ssh key into the authorized_keys file, it doesn't start working automatically. Instead it has to wait for a person with root privileges to run the monkeysphere-server update-users command.

Currently that runs once a day. Even if we ran it once an hour, though, it would still cause confusion for users who should reasonably expect their authorized_keys file to start working right away.

Change History (11)

comment:1 Changed 10 years ago by https://id.mayfirst.org/jamie

Woops - that should say #1753.

comment:2 Changed 10 years ago by https://id.mayfirst.org/jamie

There's an upstream ticket on monkeysphere on this issue:

https://labs.riseup.net/code/issues/show/499

comment:3 Changed 10 years ago by https://id.mayfirst.org/jackaponte

Hey Jamie - does the monkeysphere-server update-users command really run once a day? Because while working on the seacoastoutright account on june recently, I could've sworn that it took more than a day for the SSH key to work (didn't pay enough attention to give you an exact timeframe, though.) What time does the command run?

comment:4 Changed 10 years ago by https://id.mayfirst.org/jamie

Hi Jack,

It's in /etc/cron.daily on june - which should run every day at 6:25 am.

Judging from the last modified dates in /var/lib/monkeysphere/authorized_keys - it looks like it can take a few hours to get through the daily cron jobs (there are a bunch of files with the same last modified date of 9:01 am).

Having said all of this - I've never actually tested it to see if it works. Maybe we should test?

Also - are you sure it was seacoastoutright? They seem to be on albizu, not june.

jamie
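
An added example, not part of the ticket thread or of Monkeysphere itself: the last-modified comparison described in comment:4 can be turned into a check that lists accounts whose own `.ssh/authorized_keys` has changed since the generated file was last written. It assumes one generated file per account, named after the account, and home directories under a single root; `stale_users` and `demo` are hypothetical names.

```shell
#!/bin/sh
# Added example (not Monkeysphere code): list accounts whose user-managed
# authorized_keys is newer than the generated copy, i.e. accounts still
# waiting for the next update-users run.
# Assumptions: MS_DIR holds one file per account named after the account,
# and each home directory under HOME_ROOT is named after its account.

# stale_users HOME_ROOT MS_DIR -> prints one account name per line
stale_users() {
    home_root=$1
    ms_dir=$2
    for home in "$home_root"/*; do
        [ -d "$home" ] || continue
        user=${home##*/}
        raw=$home/.ssh/authorized_keys
        gen=$ms_dir/$user
        [ -f "$raw" ] || continue      # no user-managed keys, nothing to sync
        # Stale when the generated file is missing or older than the raw file
        if [ ! -f "$gen" ] || [ "$raw" -nt "$gen" ]; then
            printf '%s\n' "$user"
        fi
    done
}

# Constructed demo tree so the check runs offline (all names are made up)
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/alice/.ssh" "$tmp/home/bob/.ssh" \
             "$tmp/home/carol/.ssh" "$tmp/home/dave" "$tmp/ms"
    # alice: generated file written after her last edit -> up to date
    touch -t 202001010600 "$tmp/home/alice/.ssh/authorized_keys"
    touch -t 202001010901 "$tmp/ms/alice"
    # bob: edited his keys after the daily run -> stale
    touch -t 202001010901 "$tmp/ms/bob"
    touch -t 202001011200 "$tmp/home/bob/.ssh/authorized_keys"
    # carol: has keys but was never processed -> stale
    touch -t 202001011200 "$tmp/home/carol/.ssh/authorized_keys"
    # dave: no .ssh directory at all -> ignored
    stale_users "$tmp/home" "$tmp/ms"
    rm -rf "$tmp"
}

demo
```

On a host laid out like the one in this ticket, the call would be `stale_users /home /var/lib/monkeysphere/authorized_keys`, run as a user able to read both trees.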

comment:5 Changed 9 years ago by https://id.mayfirst.org/malloryk

I'm not sure if this was recently fixed as per #2156.

I've just attempted to modify authorized_keys to add a new user, but it's still behaving as before: I'm still prompted for a password.

comment:6 Changed 9 years ago by https://id.mayfirst.org/jamie

Thanks for following up on this ticket Mallory. It does look like, based on #2156, that the update script might not have been working properly, but now dkg has fixed it.

It still only runs once a day - so unless you run:

monkeysphere-authentication update-users

as root, users have to wait until the next day for the cron job to take care of it.

jamie

comment:7 Changed 9 years ago by https://id.mayfirst.org/ross

I'm running into this problem on julia user = 79dev. I have the monkeysphere but cannot use either the monkeysphere or ssh authorized_keys to create an immediate passwordless login.

Is there a way for me to use my gpg key to validate my login id immediately? If not, this seems to be a problem with the monkeysphere generally (i.e. what's the point of a 'web of trust' that creates less trust?). If there is a way, then we need more explicit instructions somewhere on the support site.

I am, of course, happy to use the monkeysphere. But it should create less labor for us rather than more.

ross

comment:8 Changed 9 years ago by https://id.mayfirst.org/jamie

Yeah - this is a drag. I just ran the command manually for you so you should be able to get in now. I don't know how to solve this short of fixing the upstream bug... which I just haven't been able to devote time to :(.

jamie

comment:9 Changed 9 years ago by https://id.mayfirst.org/jamie

See related #2686

comment:10 Changed 6 years ago by https://id.mayfirst.org/mahood

  • Resolution set to fixed
  • Status changed from new to feedback

Jamie,

Does the solution to #2686 resolve this ticket as well? Or is there a better solution to seek?

~mahood

comment:11 Changed 6 years ago by https://id.mayfirst.org/jamie

  • Priority changed from Medium to Low
  • Resolution fixed deleted
  • Status changed from feedback to assigned

I'd like to keep this open as a low priority ticket. I think a lot of admins add their key manually to .ssh/authorized_keys and it's annoying for it to not work.

jamie
