== Root gpg key and monkeysphere ==

All of our servers can ssh between themselves through the monkeysphere. For the monkeysphere to work, the root user on each machine has to maintain an ssh-agent holding the authentication key derived from root's gpg key.

Prior to stretch, we could not load a monkeysphere key into ssh-agent that did not have a passphrase (so we set the passphrase to 'monkeys' for all keys). With stretch, you cannot load a key into ssh-agent in an automated way that ''has'' a passphrase. Sigh. You also cannot automate changing a gpg key's passphrase, so puppet cannot do this step for you.

As a result, upon upgrading a site to stretch, you must manually remove the passphrase from the root user's gpg key:

{{{
gpg --change-passphrase root@$(hostname).mayfirst.org
}}}

The current passphrase is: monkeys. When gpg asks for the new passphrase, leave it empty and confirm that you really want no protection. Note that this leaves root's secret key on disk unencrypted; from then on it is protected only by the permissions on root's ~/.gnupg directory.

Until you do, puppet's check (it tries to export root's secret key with an empty passphrase, which gpg refuses with exit status 2 while a passphrase is still set) fails on every run with:

{{{
remote: Error: gpg --pinentry-mode loopback --passphrase '' --export-secret-keys --armour 1>/dev/null 2>/dev/null returned 2 instead of one of [0]
remote: Error: /Stage[main]/Mayfirst::M_minimal/M_gpg::Private_key[root]/Exec[admin:please-manually-change-passphrase-from-monkeys-to-empty-for-root-user-on-this-host]/returns: change from notrun to 0 failed: gpg --pinentry-mode loopback --passphrase '' --export-secret-keys --armour 1>/dev/null 2>/dev/null returned 2 instead of one of [0]
}}}

(Older versions of the manifest report the same failure as {{{/bin/false returned 1 instead of one of [0]}}} under the same Exec name.)
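The check puppet performs, wrapped as a script you can run by hand before and after `gpg --change-passphrase` to confirm the key is really unprotected. This is an added example, not code from the May First wiki or its puppet manifests. It assumes gpg 2.1 or later (loopback pinentry mode), selects the key by the user ID root@$(hostname).mayfirst.org as on the page unless another user ID is given, and restarts gpg-agent first because a passphrase cached by the agent would otherwise make the export succeed while the key file on disk is still protected.

```shell
#!/bin/sh
# Added example; not part of the May First wiki or its puppet manifests.
# Reproduces the test the puppet Exec performs: can root's secret key be
# exported with an EMPTY passphrase? gpg exits 0 if the key is unprotected
# and 2 ("Bad passphrase") if a passphrase is still set.
# Assumes gpg >= 2.1 (--pinentry-mode loopback). The key is selected by the
# user ID root@$(hostname).mayfirst.org, as on the wiki page, unless one is
# given as the first argument. GNUPGHOME may point at a throwaway keyring.

# Exit 0 when the secret key for user ID $1 exports with an empty
# passphrase; otherwise return gpg's exit status (2 for a bad passphrase).
gpg_passphrase_is_empty() {
    uid=$1
    # gpg-agent caches passphrases; a cached 'monkeys' would let the export
    # succeed even though the key on disk is still protected. Restart the
    # agent for this GNUPGHOME so the result reflects the key file itself.
    gpgconf --kill gpg-agent 2>/dev/null || true
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-keys --armour "$uid" >/dev/null 2>&1
}

# Exit 0 if the key needs no further action. Exit 1 if there is no secret
# key for the user ID at all, and gpg's status (2) if a passphrase is set,
# printing the manual step the puppet Exec name asks for.
check_root_monkeysphere_key() {
    uid=${1:-root@$(hostname).mayfirst.org}
    if ! gpg --batch --list-secret-keys "$uid" >/dev/null 2>&1; then
        echo "error: no secret key for $uid in ${GNUPGHOME:-~/.gnupg}" >&2
        return 1
    fi
    if gpg_passphrase_is_empty "$uid"; then
        echo "ok: $uid has no passphrase; it can be loaded into ssh-agent unattended"
        return 0
    else
        rc=$?
        echo "action needed (gpg exit $rc): run 'gpg --change-passphrase $uid'," \
             "enter the current passphrase 'monkeys' and set the new one to empty" >&2
        return "$rc"
    fi
}

# When executed directly with a user ID argument, check that key; with no
# argument the functions are just defined (for sourcing or pasting).
if [ "$#" -gt 0 ]; then
    check_root_monkeysphere_key "$1"
fi
```

Run it as `sh check-root-gpg-key.sh root@$(hostname).mayfirst.org` (a file name chosen here for illustration) before the upgrade step to see the same exit status 2 puppet reports, and again after `gpg --change-passphrase` to get exit 0. Because the check kills gpg-agent, any passphrase cached in an interactive root session on the host is dropped as a side effect.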