
Hardening of remote maintenance via SSH #153

Merged
merged 9 commits into from
Apr 10, 2024

Conversation

knuton
Member

@knuton knuton commented Mar 29, 2024

This limits SSH connections for remote maintenance to come via the known ZeroTier network's interface, and disables unnecessary forwarding options.

Checklist

  • Changelog updated
  • Code documented
  • User manual updated

@knuton knuton added the reviewable Ready for initial or iterative review label Mar 29, 2024
@knuton knuton requested a review from guyonvarch March 29, 2024 10:40
@knuton knuton force-pushed the restrict-remote-maintenance branch 6 times, most recently from 5052e13 to 88632ed March 30, 2024 08:28
@knuton knuton added changes suggested Asking for changes before next round of reviewing and removed reviewable Ready for initial or iterative review labels Mar 30, 2024
@knuton
Member Author

knuton commented Mar 30, 2024

The test for the pinned interface name is flaky, need to check.

@knuton knuton force-pushed the restrict-remote-maintenance branch 2 times, most recently from a5414b9 to a8d3d4e March 31, 2024 10:27
@knuton knuton added reviewable Ready for initial or iterative review and removed changes suggested Asking for changes before next round of reviewing labels Mar 31, 2024
@knuton
Member Author

knuton commented Mar 31, 2024

I think I managed to fix the tests in a good way, waiting for the network device to show up, but succeeding as soon as it does.

Like this we can use a general enough wait without making the test unnecessarily slow.

You can see in test output that it just takes a while for ZeroTier to fully start up after the service is started:

defaultConnectionSetting # [  166.076615] systemd[1]: Starting ZeroTierOne...
defaultConnectionSetting # [  166.403892] systemd[1]: Started ZeroTierOne.
defaultConnectionSetting: waiting for unit zerotierone.service
(finished: waiting for unit zerotierone.service, in 0.95 seconds)
defaultConnectionSetting: waiting for success: ls /var/lib/zerotier-one/
(finished: waiting for success: ls /var/lib/zerotier-one/, in 0.55 seconds)
defaultConnectionSetting: waiting for success: ip link show ztmntnc
defaultConnectionSetting # Device "ztmntnc" does not exist.
defaultConnectionSetting # Device "ztmntnc" does not exist.
defaultConnectionSetting # [  171.176612] zerotier-one[1404]: Starting Control Plane...
defaultConnectionSetting # [  171.183320] zerotier-one[1404]: Starting V6 Control Plane...
defaultConnectionSetting # [  171.977349] (udev-worker)[1453]: Network interface NamePolicy= disabled on kernel command line.
(finished: waiting for success: ip link show ztmntnc, in 4.08 seconds)

On the Action runners this takes much longer than when I run the test locally on my machine. With wait_until_succeeds we should be fine.

@guyonvarch guyonvarch added details needed Further information requested to better evaluate changes and removed reviewable Ready for initial or iterative review labels Apr 4, 2024
We expect just one network to be required, previous list was likely just for convenience of passthrough to ZT service definition.
We need the system, service and network interface to fully start up. This allows for setup to take several seconds at times, but lets tests finish as soon as possible when setup is quick.
@knuton knuton force-pushed the restrict-remote-maintenance branch from a8d3d4e to f3ea86f April 4, 2024 21:11
@knuton knuton removed the details needed Further information requested to better evaluate changes label Apr 4, 2024
@knuton knuton added the reviewable Ready for initial or iterative review label Apr 4, 2024
@guyonvarch
Member

Looking good, just wondering if you’ve tested the functionality in a real scenario?

@knuton
Copy link
Member Author

knuton commented Apr 5, 2024

Tests on an actual installation:

  • I can SSH into a machine through the local network IP when running the OS from 3405346
  • I can not SSH into a machine through the local network IP when running the OS from this branch
  • I can SSH into a machine through the ZeroTier IP when running the OS from this branch
  • I can forward ports (Chromium DevTools) when running the OS from this branch
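
Added example, not code from this PR or the dividat project: a small Python audit of sshd's effective configuration (as printed by `sshd -T`) for the two properties the PR describes, SSH reachable only via the ZeroTier address and the unneeded forwarding options switched off. The diff is not shown on this page, so the example assumes the restriction is expressed as sshd options rather than a host-firewall rule on the `ztmntnc` interface; the ZeroTier address, the set of forwarding keywords and the before/after samples are constructed assumptions.

```python
from typing import Dict, List
# ASSUMPTION: the device's ZeroTier-assigned address (constructed value).
ZT_ADDR = "10.144.0.5"

# ASSUMPTION: forwarding keywords remote maintenance does not need. TCP port
# forwarding is deliberately absent: the author confirms port forwarding
# (Chromium DevTools) still works on the hardened branch.
UNNEEDED_FORWARDING = {
    "x11forwarding": "no",
    "allowagentforwarding": "no",
    "allowstreamlocalforwarding": "no",
    "gatewayports": "no",
}

def parse_sshd_t(output: str) -> Dict[str, List[str]]:
    """Parse `sshd -T` lines ('keyword value') into keyword -> [values];
    repeatable keywords such as listenaddress keep every value."""
    cfg: Dict[str, List[str]] = {}
    for line in output.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(" ")
            cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg

def _host_of(listen: str) -> str:
    # '10.144.0.5:22' -> '10.144.0.5', '[::]:22' -> '::'
    return listen.rpartition(":")[0].strip("[]")

def audit(cfg: Dict[str, List[str]], zt_addr: str = ZT_ADDR) -> List[str]:
    """Return findings; an empty list means the config matches the hardening."""
    findings: List[str] = []
    hosts = {_host_of(l) for l in cfg.get("listenaddress", [])}
    if hosts != {zt_addr}:  # an unset listenaddress means every interface
        findings.append(f"listenaddress is {sorted(hosts)}, expected only {zt_addr}")
    for key, wanted in UNNEEDED_FORWARDING.items():
        got = cfg.get(key, ["<unset>"])[0]
        if got != wanted:
            findings.append(f"{key} is {got}, expected {wanted}")
    return findings

# Constructed samples standing in for `sshd -T` output before/after hardening.
BEFORE = ("listenaddress [::]:22\nlistenaddress 0.0.0.0:22\nx11forwarding yes\n"
          "allowagentforwarding yes\nallowstreamlocalforwarding yes\n"
          "gatewayports no\nallowtcpforwarding yes")
AFTER = ("listenaddress 10.144.0.5:22\nx11forwarding no\nallowagentforwarding no\n"
         "allowstreamlocalforwarding no\ngatewayports no\nallowtcpforwarding yes")
if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(parse_sshd_t(sample)) or ["ok"])
```

On a real host, feed it `subprocess.run(["sshd", "-T"], capture_output=True, text=True).stdout` instead of the constructed samples.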

@guyonvarch guyonvarch merged commit c43a319 into dividat:main Apr 10, 2024
5 checks passed
@guyonvarch guyonvarch removed the reviewable Ready for initial or iterative review label Apr 10, 2024
@knuton knuton deleted the restrict-remote-maintenance branch April 10, 2024 06:53