root ssh key management

It has come to my attention that we perhaps do not have the most obvious semantics for management of node root keys and access.

What I think we should do/allow:

  • ensure standard images have a largely empty /root/.ssh directory, containing only an authorized_keys file with boss root key(s)
  • allow an experiment-wide root keypair that is installed on all nodes at experiment swapin
  • ensure that keypair continues to work across reboots (i.e., authorized_keys is not overwritten at boot time)
  • make every reasonable effort to ensure that boss's root pubkey remains in place

One thing I am not entirely certain about is whether we let users embed custom root keys and authorized_keys settings in snapshots (custom images). No doubt incredibly useful for the creator of the image, but dangerous for others who might instantiate the image. I think I would say "no" for this, leading to:

  • have prepare clear out the /root/.ssh directory except for boss pubkey(s)
  • have slicefix do the same in the frisbee MFS
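
An added example of the cleanup and key-install steps above, written for this note rather than taken from Emulab's prepare or slicefix (neither is on this page): a POSIX sh sketch that trims a root .ssh directory down to an authorized_keys file holding only the boss root public key(s), adds an experiment-wide root key without duplicating it, and checks that boss's key is still in place. The function names, the boss key file path and the key strings are assumptions; the key material is constructed, and the demo runs against a scratch directory rather than the real /root/.ssh.

```shell
#!/bin/sh
# Added example, not Emulab's prepare/slicefix code. Reduces a root .ssh
# directory to an authorized_keys holding only boss's root key(s), adds an
# experiment-wide root key, and verifies boss's key survived. All paths are
# parameters so it can be exercised on a scratch directory.

set -u

# key_id LINE: print "type base64" for an authorized_keys/pubkey line, dropping
# any leading options (from=..., command=...) and the trailing comment, so the
# same key with a different comment still compares equal. Prints nothing if
# the line carries no recognizable key.
key_id() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)$/ && i < NF) {
                print $i, $(i+1); exit
            }
    }'
}

# sanitize_root_ssh SSHDIR BOSSKEYS: delete everything in SSHDIR except
# authorized_keys, then regenerate authorized_keys from BOSSKEYS (the boss root
# pubkey file, assumed path). Regenerating rather than filtering in place means
# a user-added line cannot survive and a missing boss key is restored.
sanitize_root_ssh() {
    sshdir=$1; bosskeys=$2
    [ -d "$sshdir" ] || mkdir -m 0700 "$sshdir" || return 1
    for f in "$sshdir"/* "$sshdir"/.[!.]*; do
        [ -e "$f" ] || continue
        case "$f" in
            "$sshdir"/authorized_keys) ;;
            *) rm -rf "$f" ;;
        esac
    done
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$bosskeys" \
        > "$sshdir/authorized_keys" || return 1
    chmod 0600 "$sshdir/authorized_keys"
    chmod 0700 "$sshdir"
}

# boss_key_present SSHDIR BOSSKEYS: succeed only if every key in BOSSKEYS is
# present (by type + key material) in SSHDIR/authorized_keys. Suitable as a
# boot-time check that boss's pubkey is still in place.
boss_key_present() {
    sshdir=$1; bosskeys=$2
    [ -r "$sshdir/authorized_keys" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        id=$(key_id "$line")
        [ -n "$id" ] || return 1
        found=0
        while IFS= read -r ak; do
            [ "$(key_id "$ak")" = "$id" ] && { found=1; break; }
        done < "$sshdir/authorized_keys"
        [ "$found" = 1 ] || return 1
    done < "$bosskeys"
    return 0
}

# install_experiment_key SSHDIR PUBKEY: append the experiment-wide root pubkey
# (the one installed at swapin) unless an equivalent key is already there;
# existing lines, boss's included, are left untouched.
install_experiment_key() {
    sshdir=$1; pubkey=$2
    id=$(key_id "$pubkey")
    [ -n "$id" ] || return 1
    while IFS= read -r ak; do
        [ "$(key_id "$ak")" = "$id" ] && return 0
    done < "$sshdir/authorized_keys"
    printf '%s\n' "$pubkey" >> "$sshdir/authorized_keys"
}

# Worked run on a scratch directory with constructed (fake) key material,
# standing in for what a snapshot might drag along: a user's key, a private
# key and a known_hosts file.
demo() {
    scratch=$(mktemp -d) || return 1
    mkdir -m 0700 "$scratch/root.ssh"
    printf '%s\n' 'ssh-ed25519 AAAAC3FAKEBOSSKEY root@boss' > "$scratch/boss_root.pub"
    printf '%s\n' 'ssh-rsa AAAAB3FAKEUSERKEY user@somewhere' \
                  'ssh-ed25519 AAAAC3FAKEBOSSKEY root@boss' > "$scratch/root.ssh/authorized_keys"
    : > "$scratch/root.ssh/id_rsa"
    : > "$scratch/root.ssh/known_hosts"
    sanitize_root_ssh "$scratch/root.ssh" "$scratch/boss_root.pub"
    install_experiment_key "$scratch/root.ssh" 'ssh-ed25519 AAAAC3FAKEEXPKEY root@experiment'
    echo "remaining files: $(ls -A "$scratch/root.ssh")"
    cat "$scratch/root.ssh/authorized_keys"
    boss_key_present "$scratch/root.ssh" "$scratch/boss_root.pub" && echo "boss key present"
    rm -rf "$scratch"
}
demo
```

Running sanitize_root_ssh at prepare time and again from the frisbee MFS would cover the two cleanup bullets; re-running boss_key_present and install_experiment_key from a boot hook, instead of rewriting authorized_keys wholesale, is one way to keep the experiment key working across reboots without losing boss's key.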