Changes between Version 9 and Version 10 of decommission_kvm


Timestamp:
May 10, 2013, 12:26:21 PM (6 years ago)
Author:
Ross
Comment:

--

  • decommission_kvm

    v9 v10  
    77== Revoke all Known Published Host keys ==
    88
    9 '''TODO''': cleanup steps for doing so
     9=== Key re-vocation should be two steps: ===
     10{{{
     11monkeysphere-host revoke-key
     12}}}
    1013
    11 Instructions from irc
     14That revokes the server's ssh monkeysphere key.
     15 * '''E.g'''
    1216{{{
    13 10:55 <@jamie> in terms of key re-vocation, it should be two steps:
    14 10:56 <@jamie> monkeysphere-host revoke-key
    15 10:56 <@jamie> that revokes the server's ssh monkeysphere key
    16 10:56 <@jamie> and then, to revoke the root@server.mayfirst.org's key:
    17 10:57 <@jamie> gpg --list-secret-key to get the secret key id for the root user.
    18 10:58 <@jamie> followed by gpg --edit-key <gpgid>
    19 10:58 <@jamie> then: revkey
    20 10:58 <@jamie> then save
    21 10:58 <@jamie> then gpg --send-key <gpgid>
     170 attucks:~# monkeysphere-host revoke-key
     18This will generate a revocation certificate for key A0E7C6828C00CDDFEE82652EBF235CB9287D59CF
     19and dump the certificate to standard output.
     20
     21It can also directly publish the new revocation certificate
     22to the public keyservers via keys.mayfirst.org if you want it to.
     23
     24Publishing this certificate will IMMEDIATELY and PERMANENTLY revoke
     25your host key!
     26
     27Publish the certificate after generation? (y/n/Q) y
     28
     29sec  2048R/287D59CF 2011-12-08 ssh://attucks.mayfirst.org
     30
     31Create a revocation certificate for this key? (y/N) y
     32Please select the reason for the revocation:
     33  0 = No reason specified
     34  1 = Key has been compromised
     35  2 = Key is superseded
     36  3 = Key is no longer used
     37  Q = Cancel
     38(Probably you want to select 1 here)
     39Your decision? 3
     40Enter an optional description; end it with an empty line:
     41> attucks.mayfirst.org decomissioned
     42>
     43Reason for revocation: Key is no longer used
     44attucks.mayfirst.org decomissioned
     45Is this okay? (y/N) y
     46NOTE: This key is not protected!
     47Revocation certificate created.
     48
     49Please move it to a medium which you can hide away; if Mallory gets
     50access to this certificate he can use it to make your key unusable.
     51It is smart to print this certificate and store it away, just in case
     52your media become unreadable.  But have some caution:  The print system of
     53your machine might store the data and make it available to others!
     54-----BEGIN PGP PUBLIC KEY BLOCK-----
     55Version: GnuPG v1.4.10 (GNU/Linux)
     56Comment: A revocation certificate should follow
     57
     58iQFBBCABAgArBQJRjR3YJB0DYXR0dWNrcy5tYXlmaXJzdC5vcmcgZGVjb21pc3Np
     59b25lZAAKCRC/I1y5KH1Zz01jCACK8d9actSgsdQ8R4iOcPFvyRS397WrzA2NxWvd
     60+y9SJCFves68yMh+HmH3Xr2+IWm9wgwDPWVTWTbDiQYLKpb0Jx+wXwzeayZYHU/X
     61rg3THvyRhHMM2ccBV2h1eKa+e+hyd8sA2r3SLow37dgjKbb1ELfFgwtz6maGxJrE
     62okwl680iCvONxg6GnMy2PVVqgASFbeCABFTGd8MKnjWuVSkMV9O3nScjkokJJeQ5
     63r0ESu8reYJyQfGc/5xz8fpAK16TjIX8ZLhyb6rsB16xniN3lg/XJbQvrSY9utLMq
     64viFBnbImJK/X9jXHKm59mCam1SjbCzOMni7nAHWo/hZO9tFv
     65=87HD
     66-----END PGP PUBLIC KEY BLOCK-----
     67
     68Really publish this cert to keys.mayfirst.org ? (Y/n)
     69gpg: sending key 287D59CF to hkp server keys.mayfirst.org
     700 attucks:~#
     71}}}
     72
     73
     74=== Revoke the root@server.mayfirst.org's key: ===
     75 * '''Get the secret key id for the root user.'''
     76{{{
     77gpg --list-secret-key to get the secret key id for the root user.
     78}}}
     79 * '''Edit the key'''
     80{{{
     81gpg --edit-key <gpgid>
     82}}}
     83 * '''Apply the revocation and save'''
     84{{{
     85gpg> revkey
     86gpg> save
     87}}}
     88 * '''Send the revoked key to the key server'''
     89{{{
     90gpg --send-key <gpgid>
    2291}}}
    2392
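Review bot: New line 77 puts the explanatory phrase inside the code block, so anyone who copies that line runs gpg with "to get the secret key id for the root user." as extra arguments; keep only "gpg --list-secret-key" in the block, since the bullet on line 75 already carries the explanation. The heading added at new line 9 says revocation "should be two steps", but only the host key step sits under it while the second step has its own heading at line 74, and "re-vocation" should read "revocation". In the example transcript the session answers 3 ("Key is no longer used") directly under the tool's hint "(Probably you want to select 1 here)", so a sentence above the block stating that 3 is the intended reason for a decommissioned host would stop readers from second-guessing it. The transcript also pastes the whole armored revocation certificate and leaves the final "Really publish this cert to keys.mayfirst.org ? (Y/n)" prompt without a visible answer; consider trimming the armored block and showing the response that was given. Finally, this change drops the IRC log that the procedure was taken from, which is fine for readability, but the commit comment is empty ("--") and could record that the steps were rewritten from that log.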