Project

General

Profile

Actions
Copy link

action #157744

closed

openQA Project - coordination #105624: [saga][epic] Reconsider how openQA handles secrets

openQA Project - coordination #157537: [epic] Secure setup of openQA test machines with secure network+secure authentication

[spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobs

Added by okurz 8 months ago. Updated 4 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Category:
Enhancement to existing tests
Target version:
QA - QE-Core: Ready
Start date:
2024-03-22
Due date:
% Done:

0%

Estimated time:
Difficulty:
Tags:
security, password

Description

Motivation

In https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we are asked to handle "compromised root passwords in QA segments" including s390zl11…16

Goals

  • G1: Have an s390x kvm openQA installation job with ssh key authentication instead of password succeed as far as possible
  • G2: Identify which follow-up steps need to be done to fully support ssh key based authentication in such scenarios

Suggestions

  • Take a look where os-autoinst and os-autoinst-distri-opensuse use passwords and try to find a way how to pass public ssh keys to the target s390x kvm systems and use key authentication instead of password
  • Consider trying out locally with native virtualization as that feature isn't only relevant for s390x
  • After that reserve an s390x kvm system and try it out
  • Fix obvious small problems and identify bigger follow-up tasks

Related issues 1 (0 open1 closed)

Copied from openQA Tests - action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:SRejectedokurz

Actions
Actions
Copy link
 #1

Updated by okurz 8 months ago

  • Copied from action #157555: [spike][timeboxed:10h][qe-core] Use a different ssh root password for any svirt (s390, x86, etc) installation openQA jobs size:S added
Actions
Copy link
 #2

Updated by okurz 8 months ago

  • Target version changed from future to Tools - Next

According to https://sd.suse.com/servicedesk/customer/portal/1/SD-150437 we likely need this sooner rather than later. Adding to our next-backlog to be done after #157555

Actions
Copy link
 #3

Updated by okurz 8 months ago

  • Status changed from New to Blocked
  • Assignee set to okurz
Actions
Copy link
 #4

Updated by okurz 8 months ago

  • Subject changed from [spike][timeboxed:10h] Use ssh key authentication in particular for s390x kvm installation openQA jobs to [spike][timeboxed:10h][qe-core] Use ssh key authentication in particular for s390x kvm installation openQA jobs
  • Status changed from Blocked to Workable
  • Assignee deleted (okurz)
  • Target version changed from Tools - Next to QE-Core: Ready

@qe-core I have a new task for you that should be planned to work on within the next weeks/months so that we don't get escalations from SUSE's cybersecurity team. Related #157555

Actions
Copy link
 #5

Updated by okurz 8 months ago

  • Project changed from openQA Infrastructure to openQA Tests
  • Category changed from Feature requests to Enhancement to existing tests
Actions
Copy link
 #6

Updated by okurz 6 months ago

With #159069 resolved there is a firewall on the hypervisor hosts preventing access over SSH or VNC from general network. With that this task is not strictly necessary anymore. Hence I suggest to reject this task for now.

Actions
Copy link
 #7

Updated by dzedro 4 months ago

  • Status changed from Workable to Rejected
Actions
Copy link

Also available in: Atom PDF