# Deploying certificate-based SSH with Ansible

A few months ago, I read “Scalable and secure access with SSH” by Marlon Dutra on the Facebook Engineering blog. It’s an informative look into how an organization of Facebook’s size is able to keep authentication manageable across a very large, dynamic, and scalable environment without a single point of failure. If you haven’t read the article, do that before reading mine. Otherwise, nothing below is going to make any sense. It’s a pretty short and enjoyable read.

Facebook mentions the need for some type of automation system inside larger environments, as manually signing and distributing certificates would otherwise be an arduous process. An automation system also allows for an additional level of security: it becomes much easier to frequently refresh key pairs and certificates when an automated system performs the heavy lifting.

I’ve been (infrequently) working with Ansible on personal projects for a few years now. Implementing portions of a certificate-based SSH architecture seemed like a good project to re-orient myself with the Ansible way of doing things. Below, I’ll discuss the Ansible approach that I chose, some of the challenges that I ran into, and room for future improvement.

All of the code discussed below is available on GitHub. The Vagrantfile for the live demo is also in there, so you can easily follow along if you’d like.

Very generally, there are three classifications of hosts within the certificate-based SSH architecture proposed in Facebook’s article: a certificate authority, bastion hosts, and regular production servers. The regular production servers can be further classified based on their purpose and security zone: webservers, database servers, log servers, etc.

Additionally, the environment has one or more users who log into the bastion hosts and then jump into production systems via SSH. These users are able to log in to production servers as the root user, and their ability to access a given production server is based on the principals found in their SSH certificate, which is signed by the certificate authority. For example, a website administrator would only be allowed to access webservers, because their certificate only carries the zone-webservers principal. All of the webservers in the environment are configured to allow logins from certificates with the zone-webservers principal.

It turns out that these constructs map rather nicely into Ansible variables. The Ansible hosts file can categorize each host (webservers, dbservers, etc.). We can also define users, servers, and their respective principals in the various group_vars files. We’ll take a closer look at each of these files during the demo.

## Roles

Considering the overall Facebook architecture, it also becomes clear that each category of host has a certain role to play. The purpose of the certificate authority is to sign public keys from the bastion hosts. The purpose of a webserver is to accept root logins from users who present a valid certificate with the zone-webservers principal. These well-defined purposes map well to Ansible roles. I’m going to dig deeper into each of these roles, but let’s start with a simple list:

Now let’s take a closer look at the actions performed by each role. We’ll examine each role in the order of execution from the root main.yml file so that we can better understand the dependencies and relationships between each role.

### ntpClient

Certificate-based implementations rely on correct timing among hosts. While this requirement isn’t based on a strictly defined maximum clock skew (as it is with Kerberos), it is important that all hosts have approximately the same time, because sshd compares the certificate’s validity window against the local clock of the server being logged into. If a host with the incorrect time is presented with a certificate whose validity period appears to begin in the future, it will reject the certificate as not yet valid. Likewise, a certificate could appear to have expired if the clock skew between hosts is too great. Needless to say, I learned this the hard way. The ntpClient role simply installs and starts the NTP service with the default NTP servers.

### automationServer

The automationServer role is just a fancy way of saying “localhost” and is used to perform some basic prep work on our Ansible server. If you’re using my code in your environment, you may choose to roll this in with a higher-level “common” task.
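To make the principal check and the clock-skew failure described above concrete, here is an added example that is not part of the original post or its Ansible code. It models, in Python, the decision sshd makes on a production server: it assembles an OpenSSH user certificate in memory (constructed key material and a dummy signature, so signature verification is deliberately omitted) carrying the zone-webservers principal from the post, then evaluates that certificate on a webserver whose clock is in sync with the CA, on a webserver that is ten minutes behind the CA, and on a database server whose authorized principals name a different zone. The use of AuthorizedPrincipalsFile on the servers, the one-day validity window, and the `-V -1m:+1d`-style backdating are my assumptions about the deployment, not details the post gives.

```python
"""Model of the two sshd checks the post relies on: the certificate's
principals (matched against the server's AuthorizedPrincipalsFile) and its
validity window, both evaluated against the SERVER's local clock.

Added illustration, not code from the post or its Ansible roles. The
certificate is built in the OpenSSH wire format (PROTOCOL.certkeys) with
constructed keys and a dummy signature; no signature verification is done.
"""
import struct
import time

CERT_TYPE_USER = 1  # OpenSSH: 1 = user certificate, 2 = host certificate


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_user_cert(key_id: str, principals: list, valid_after: int, valid_before: int) -> bytes:
    """Build an ssh-ed25519-cert-v01@openssh.com blob with fake, constant key material."""
    # "valid principals" is itself a string holding a packed list of strings.
    packed_principals = b"".join(_string(p.encode()) for p in principals)
    fake_pk = b"\x11" * 32                                      # constructed subject key
    fake_ca = _string(b"ssh-ed25519") + _string(b"\x22" * 32)   # constructed CA key
    fake_sig = _string(b"ssh-ed25519") + _string(b"\x33" * 64)  # constructed, never verified
    return (
        _string(b"ssh-ed25519-cert-v01@openssh.com")
        + _string(b"\x00" * 32)              # nonce (random in real certificates)
        + _string(fake_pk)
        + struct.pack(">Q", 1)               # serial
        + struct.pack(">I", CERT_TYPE_USER)
        + _string(key_id.encode())
        + _string(packed_principals)
        + struct.pack(">Q", valid_after)     # seconds since the epoch
        + struct.pack(">Q", valid_before)    # seconds since the epoch
        + _string(b"")                       # critical options
        + _string(b"")                       # extensions
        + _string(b"")                       # reserved
        + _string(fake_ca)
        + _string(fake_sig)
    )


class _Reader:
    """Sequential decoder for the SSH wire types used in the certificate."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        value = self.data[self.pos:self.pos + n]
        self.pos += n
        return value

    def uint(self, fmt: str) -> int:
        (n,) = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return n

    def at_end(self) -> bool:
        return self.pos >= len(self.data)


def parse_user_cert(blob: bytes) -> dict:
    """Extract the fields sshd needs for the authorization decision."""
    r = _Reader(blob)
    r.string()                  # certificate type name
    r.string()                  # nonce
    r.string()                  # subject public key
    r.uint(">Q")                # serial
    cert_type = r.uint(">I")
    key_id = r.string().decode()
    principals_reader = _Reader(r.string())
    principals = []
    while not principals_reader.at_end():
        principals.append(principals_reader.string().decode())
    return {
        "is_user": cert_type == CERT_TYPE_USER,
        "key_id": key_id,
        "principals": principals,
        "valid_after": r.uint(">Q"),
        "valid_before": r.uint(">Q"),
    }


def evaluate(blob: bytes, authorized_principals: list, now: int = None) -> tuple:
    """Decide, as sshd would (minus signature verification), whether this cert may
    log in on a server whose AuthorizedPrincipalsFile lists `authorized_principals`.
    `now` is the SERVER's clock, not the CA's. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    cert = parse_user_cert(blob)
    if not cert["is_user"]:
        return False, "not a user certificate"
    if now < cert["valid_after"]:
        # Server clock behind the CA: the cert looks like it was issued in the future.
        return False, "not yet valid (server clock %ds behind valid_after)" % (cert["valid_after"] - now)
    if now > cert["valid_before"]:
        # Genuinely expired, or the server clock is ahead of the CA.
        return False, "expired (or server clock ahead of the CA)"
    matched = sorted(set(cert["principals"]) & set(authorized_principals))
    if not matched:
        return False, "no principal in %s is authorized on this host" % cert["principals"]
    return True, "accepted %s via principal %s" % (cert["key_id"], matched[0])


if __name__ == "__main__":
    # Constructed scenario: the CA signs a web admin's key at CA_NOW for one day,
    # backdated by a minute as `ssh-keygen -V -1m:+1d` would (assumed CA policy).
    CA_NOW = 1_700_000_000
    cert = build_user_cert("webadmin", ["zone-webservers"], CA_NOW - 60, CA_NOW + 86400)
    print(evaluate(cert, ["zone-webservers"], now=CA_NOW))        # webserver, clock in sync
    print(evaluate(cert, ["zone-webservers"], now=CA_NOW - 600))  # webserver, 10 minutes behind
    print(evaluate(cert, ["zone-dbservers"], now=CA_NOW))         # dbserver: wrong zone
```

Running the script prints the three outcomes in order: accepted, rejected as not yet valid, and rejected for lack of an authorized principal. The middle case is exactly the symptom the ntpClient role exists to prevent: nothing is wrong with the certificate or the CA, only with the server's clock, which is why the role runs before any of the certificate-handling roles.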