cephadm: Allow users to provide ssh keys during bootstrap

[ricardoasmarques]

With this PR user will be able to provide their own SSH keys:

ceph cephadm set-priv-key -i /root/.ssh/secret
ceph cephadm set-pub-key -i /root/.ssh/secret.pub

Even for the bootstrap:

cephadm boostrap \
    ...
    --ssh-private-key /root/.ssh/secret \
    --ssh-public-key /root/.ssh/secret.pub

Fixes: https://tracker.ceph.com/issues/45629

Signed-off-by: Ricardo Marques rimarques@suse.com

Checklist

• References tracker ticket
• Updates documentation if necessary
• Includes tests for new functionality or reproducer for bug

---

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test dashboard backend
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox

[ricardoasmarques]

@sebastian-philipp Can we assume that cephadm only works with keys that are not protected with passwords?

If yes, then we can have a single command ceph cephadm set-key <private_key> and extract the public key from the private key by doing something like ssh-keygen -y -f <private_key> internally.

Or maybe it's better to explicitly set both anyway, thoughts?

[epuertat]

Suggested change

	mounts = {}
	mounts[pathify(args.ssh_private_key)] = '/tmp/cephadm-ssh-key:z'
	mounts[pathify(args.ssh_public_key)] = '/tmp/cephadm-ssh-key.pub:z'
	mounts = {
	pathify(args.ssh_private_key): '/tmp/cephadm-ssh-key:z'
	pathify(args.ssh_public_key): '/tmp/cephadm-ssh-key.pub:z'
	}

[ricardoasmarques]

Done

[epuertat]

?

Suggested change

	parser_bootstrap.add_argument(
	'--ssh-private-key',
	help='SSH private key')
	parser_bootstrap.add_argument(
	'--ssh-public-key',
	help='SSH public key')
	parser_bootstrap.add_argument(
	'--ssh-private-key',
	type=argparse.FileType('r'),
	help='SSH private key')
	parser_bootstrap.add_argument(
	'--ssh-public-key',
	type=argparse.FileType('r'),
	help='SSH public key')

FileType also checks whether the file exists, is readable and can be opened, and opens these files, so the filename will be stored in args.ssh_*_key.name.

[ricardoasmarques]

Done

[epuertat]

Is there any plan to remediate this? Storing private SSH keys in the clear (Is this somehow printed to the logs? Is this mon key-value store encrypted?) sounds like a serious attack vector: Dashboard's CVE-2020-1699 (or any other user-facing component breach) would expose the filesystem under ceph user, but with this data there everything else would be compromised, right?

[ricardoasmarques]

@epuertat AFAIK, it's not possible to encrypt "config-keys". Note that this security issue is not being introduced in this PR, it's already present for the "generated SSH key" - https://github.com/ceph/ceph/blob/master/src/pybind/mgr/cephadm/module.py#L745

@sebastian-philipp was this security issue already discussed? Should we have a separate issue for that?

FYI, a similar discussion happened here ceph/ceph-iscsi#173 (comment)

[epuertat]

Thanks for the context, @ricardoasmarques!

[sebastian-philipp]

I think, we need a proper and secure way to store secrets in the MONs. config-key and config are both not designed to store passwords etc. @jecluis any opinion? @travisn maybe something in the direction of k8s secrets might be an idea?

[travisn]

@sebastian-philipp Rook certainly relies on K8s secrets, but not sure how cephadm could leverage something similar.

[sebastian-philipp]

can we also set the ssh config?

[epuertat]

Thanks for addressing my comments @ricardoasmarques !

[ricardoasmarques]

can we also set the ssh config?

@sebastian-philipp I've pushed a new commit that will alow users to provide ssh config during bootstrap (--ssh-config option).

[sebastian-philipp]

Big thanks! Do you also want to amend the man page? https://docs.ceph.com/docs/master/man/8/cephadm/

[ricardoasmarques]

Big thanks! Do you also want to amend the man page? https://docs.ceph.com/docs/master/man/8/cephadm/

@sebastian-philipp Good catch. Man page is now updated.

[sebastian-philipp]

QA passed: http://pulpito.ceph.com/swagner-2020-05-27_13:56:17-rados:cephadm-wip-swagner-testing-2020-05-27-1352-distro-basic-smithi/