
Trim active releasers list #499

Closed
rvagg opened this issue Oct 31, 2019 · 24 comments

Comments

@rvagg
Member

rvagg commented Oct 31, 2019

There's a lot of SSH keys in place allowing for release promotion, 40 all up. 28 of them are unlabelled and a lot of the ones with labels are for people I know don't do releases anymore. This functionality punches a pretty significant hole in our security perimeter that protects what we publish so I'd like us to get it locked down.

Can I ask this WG to clarify who can currently perform releases. Is https://github.com/nodejs/Release#releasers-team accurate or should even it be refreshed? It shouldn't be hard to check who has performed a release in the past X months if that's a good way to do a refresh.

Secondly, can I get fresh SSH keys for each of these individuals? Your GitHub .keys is fine if it just contains one key, otherwise if you can specify which one, just one per person (it'd be awesome if it was a dedicated key but that's not strictly necessary). I'll get them in, labelled and dated, replacing everything that's there now.

@targos
Member

targos commented Oct 31, 2019

targos_key1 is the key I use. I removed targos_key2.

@targos
Member

targos commented Oct 31, 2019

/cc @nodejs/releasers

@MylesBorins
Contributor

Please keep me on there. Appropriate key included below in details section

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCYSbr8uTzB4kbUvwesreEmPfSNQUbu/Ud5ltHJCnE6RHf9h6UZ4fRzDnIOk6PKy2C2jWqD9k/BIItWhWO7HXLGMwEdC29Bq7kw7+fFOMFEIEBndHdMDKsl+OWY/mwlHJ8oMeroh8/pk9cChWcXVPQhAyYrWVkaUeomLSHSYT7aZdXGOSpyWAPCd5RcSdfgdFhAZ0wpvfpFa//UV6ypxEvftXROqy9qYK+hmMdFWeBKpiTEpARxIHY0dcVX7SDnVFtiQDRJ2AF1BOQ7W2OEPf+5aGVAZNSIh18q3lWL83skSNsSWGNUdYhXiip/IO48JX1lZyPaUxp6vrZnK3nx+j3 mborins@mborins-macbookpro.roam.corp.google.com

@Fishrock123
Contributor

I should probably be removed as a releaser.

I _think_ this was the SSH key that was used, but honestly have no idea ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDRVSPGJyI+U88Mqaw+aRlUHDHmhg4LajzQGIFCvqAUsiBu2s0RFA4IUtqvOl74mKBWdaNVDP28EXxNdo9HUjjPO8rw1/8LOix+B7BvYJjkwQ2MophWw9HqjhtkRmrzSVagcTUbmwehtFHo80muwXTJ9jdKI0UoB8/nr3Da1Id8QdMWNmJ/KfA55DuBBtOJJx6hs0lA8RrBI7agOMMOTgh0a3W8MEIdyQBMANZqaruuMVX7MZ9X6L7DovMzsVBe42nx7UObcMMTzW/y2pWy/jNGZGGrVBdqv4GNXY+Zr11KIu/vPafL8G99X5J9D7hAC83OgiuDWjKSRit3iNmxmvt Jeremiah@jeremiahs-mbp.lan

@jasnell
Member

jasnell commented Oct 31, 2019

Please keep me on the list.

@codebytere
Member

Please keep me on the list - I have been unable to participate for a while but should be able to resume duties soon, and plan to!

@rvagg
Member Author

rvagg commented Nov 1, 2019

I'm not sure what the significance of this is but neither of you have SSH keys showing up in GitHub: https://github.com/jasnell.keys & https://github.com/jasnell.keys, I thought they were mandatory! So @jasnell and @codebytere could you drop in a key here please?

@BethGriggs
Member

Please keep me on the list - I have a specific key for Node.js releases:

Node.js key

ssh-rsa [key body not captured in this copy of the page] Bethany.Griggs@uk.ibm.com

@cjihrig
Contributor

cjihrig commented Nov 1, 2019

Please keep me on the list.

@BethGriggs
Member

/cc @BridgeAR @evanlucas @gibfahn

(pinging the remaining releasers from https://github.com/nodejs/release#releasers-team)

@evanlucas

I likely won't have to time to help out in the near future, so feel free to remove mine. Thanks!

BridgeAR added a commit that referenced this issue Nov 19, 2019
This is to keep the list up to date. Requested in
#499 (comment)
@BridgeAR
Member

Please keep me on the list. My used key is https://github.com/BridgeAR.keys

@sam-github
Contributor

Am I mistaken, or did everyone who has done a release in the last year respond in the thread above? I wonder if a yearly check that people are still interested in being members is in order? Or since the release team's role is so clear, maybe a minimum number of releases a year would be a reasonable bar for membership, like 1? Anyone who isn't doing releases doesn't need to be part of the release team! :-). If it was just a list in a GitHub README, it could grow forever, but since it's SSH access into infrastructure, pruning the membership would be helpful.

@rvagg, just a suggestion, ignore if not helpful, but perhaps everyone's private keys should be stripped from the authorized file, and replaced with a shared private key in the secrets repo that the release team has gpg decrypt rights to. Then, after the yearly house-cleaning, the key can be rotated, and legacy members will lose access. Though perhaps that means that when people do ssh in, they all appear to have the same identity...

A key manager would be nice, it comes up regularly in discussion between @mhdawson and I, but hasn't quite gotten high enough with mac and other things above it.

@rvagg
Member Author

rvagg commented Feb 11, 2020

Sounds fine to me. It'd just mean keeping the secrets directory gpg keys in sync with the GitHub team, and someone has to be on the hook for the yearly checkup, team pruning, rotation and gpg secrets key syncing. Someone has to be on the hook for something, pick your poison!

@BridgeAR
Member

This should be resolved. Please reopen if I missed something.

@rvagg
Member Author

rvagg commented May 26, 2020

sadly this isn't done yet, I don't think we have an agreed upon solution and I still haven't trimmed the active releasers list, can someone please reopen this?

@Trott
Member

Trott commented Oct 6, 2022

@rvagg Are these the ssh keys for the dist user on the web server or is this something else? There are currently 9 active releasers listed at https://github.com/nodejs/Release#releasers-team and removing the ssh key for releasers is part of the documented offboarding process, so hopefully we can identify all the keys now and/or remove the ones we don't recognize and wait to see if anyone complains (at which point we re-add them).

@rvagg
Member Author

rvagg commented Oct 8, 2022

There's 43 keys in there, most have no identifier associated with them. It looks like recent ones do have labels, but most don't.

Someone needs to go through those releasers, grab their ssh keys and compile a new authorized_keys from it, with labels, and just replace what's there now.

@Trott
Member

Trott commented Oct 8, 2022

There's 43 keys in there, most have no identifier associated with them. It looks like recent ones do have labels, but most don't.

Someone needs to go through those releasers, grab their ssh keys and compile a new authorized_keys from it, with labels, and just replace what's there now.

So we only need to get the 9 current releasers keys in there and not any Build WG folks or anything like that? Those are all in another file (or another section of the same file) or something?

@rvagg
Member Author

rvagg commented Oct 8, 2022

Yeah, I think we can ditch everyone but releasers, keep it clean. I can see build infra in there but infra also has root on that server anyway so it doesn't need it here. We can add it back later if we find that it was needed for something unexpected.

@Trott
Member

Trott commented Jun 30, 2023

Did we end up removing everyone but current releasers? Do we have it down to approximately 10 keys or so? If not, is there anything I can do to help move this forward to a resolution?

@rvagg @richardlau

@richardlau
Member

I don't think we removed anything. Current status is there are 41 keys, of which 14 are commented as belonging to current releasers (some releasers have more than one key) plus Rod and the build-infra key. That leaves 27 uncommented keys.

@richardlau
Member

I've taken an executive decision to just remove the uncommented keys. This was done by executing:

cd /home/dist/.ssh/
cp authorized_keys authorized_keys.bak
# keep only lines that have a third whitespace-separated field (the key comment/label)
awk '$3 != ""' authorized_keys.bak > authorized_keys

There are now 14 keys, all commented with who they supposedly belong to.
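Two things in this thread lend themselves to a small tool: the request for one labelled, dated key per current releaser, and the awk one-liner that drops every line without a third field. The script below is an added example, not Build WG tooling. It parses the sshd authorized_keys format properly (including a leading options field such as `command="..."`, where the third whitespace field is the key blob rather than a label, so a field-count filter would keep an unlabelled key), lists unlabelled entries, then rebuilds the file restricted to a set of releaser handles. The label convention `<github-handle> added=YYYY-MM-DD`, the helper names, the audit date and the sample keys are all constructed for illustration.

```python
"""Audit an OpenSSH authorized_keys file for unlabelled entries and rebuild it
with one labelled, dated key per current releaser.

Added example for this thread, not Node.js Build WG tooling. The label
convention ("<github-handle> added=YYYY-MM-DD"), the helper names and the
sample keys below are constructed for illustration."""
import re
from dataclasses import dataclass, replace
from datetime import date

# Key types sshd accepts in authorized_keys (sshd(8), AUTHORIZED_KEYS FILE FORMAT).
KEY_TYPE_RE = re.compile(
    r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)"
    r"|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$"
)


@dataclass(frozen=True)
class AuthorizedKey:
    options: str    # e.g. 'command="...",no-pty'; empty when absent
    key_type: str
    key_data: str   # base64 key blob
    comment: str    # the label; empty when absent

    def to_line(self) -> str:
        fields = (self.options, self.key_type, self.key_data, self.comment)
        return " ".join(f for f in fields if f)


def _split_options(line: str) -> tuple[str, str]:
    """Split a leading options field from the rest, honouring double quotes."""
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2          # skip an escaped character inside quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = "", line
        if not KEY_TYPE_RE.match(line.split(None, 1)[0]):
            options, rest = _split_options(line)   # options precede the key type
        parts = rest.split(None, 2)
        if len(parts) < 2 or not KEY_TYPE_RE.match(parts[0]):
            raise ValueError(f"unparseable authorized_keys line: {raw!r}")
        comment = parts[2].strip() if len(parts) == 3 else ""
        entries.append(AuthorizedKey(options, parts[0], parts[1], comment))
    return entries


def unlabelled(entries: list[AuthorizedKey]) -> list[AuthorizedKey]:
    return [e for e in entries if not e.comment]


def naive_awk_filter(text: str) -> list[str]:
    """Mirror of `awk '$3 != ""'`: keeps any line with three whitespace fields."""
    return [l for l in text.splitlines() if len(l.split()) >= 3]


def relabel(entries, owners: dict[str, str], added: date) -> list[AuthorizedKey]:
    """Attach '<handle> added=<date>' to keys whose owner was confirmed out of band."""
    return [replace(e, comment=f"{owners[e.key_data]} added={added.isoformat()}")
            if e.key_data in owners else e for e in entries]


def prune_to_releasers(entries, releasers: set[str]) -> list[AuthorizedKey]:
    """Keep only keys whose label's first token is a current releaser handle."""
    return [e for e in entries if e.comment and e.comment.split()[0] in releasers]


def render(entries) -> str:
    return "".join(e.to_line() + "\n" for e in entries)


# Constructed sample; these are not real keys and not the dist user's file.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample; these are not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0001 targos_key1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFAKEKEY0002
command="/usr/local/bin/promote-only",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0003
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0004 BethGriggs added=2019-11-01
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFAKEKEY0005 evanlucas@example.invalid
"""
AUDIT_DATE = date(2023, 6, 30)   # constructed audit date

if __name__ == "__main__":
    entries = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for e in unlabelled(entries):
        print("unlabelled:", e.key_type, e.key_data[-12:], "options:", e.options or "-")
    # The options-prefixed key survives the awk one-liner because its third
    # field is the key blob, not a label.
    print("awk would keep", len(naive_awk_filter(SAMPLE_AUTHORIZED_KEYS)), "lines")
    owners = {"AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0001": "targos"}   # confirmed with the owner
    rebuilt = prune_to_releasers(relabel(entries, owners, AUDIT_DATE), {"targos", "BethGriggs"})
    print(render(rebuilt), end="")
```

Run against the sample, the parser reports two unlabelled keys (the bare RSA one and the `command=`-restricted one), while the field-count filter keeps five lines, including that restricted key and the comment line. The rebuilt file contains only the two keys whose label names a handle in the releaser set, with the targos key relabelled and dated.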

@richardlau
Member

One other thing to mention is that we currently have a ufw2 firewall in place on the server, which means we have to add IP addresses to the allow list (or releasers have to connect through a jump host), which provides an additional separate security perimeter.
