root ssh key management
It has come to my attention that we perhaps do not have the most obvious semantics for management of node root keys and access.
What I think we should do/allow:
- ensure standard images have a largely empty /root/.ssh directory, containing only an authorized_keys file with boss root key(s)
- allow an experiment-wide root keypair that is installed on all nodes at experiment swapin
- ensure that keypair continues to work across reboots (i.e., authorized_keys is not overwritten at boot time)
- make every reasonable effort to ensure that boss's root pubkey remains in place
One thing I am not entirely certain about is whether we let users embed custom root keys and authorized_keys settings in snapshots (custom images). No doubt incredibly useful for the creator of the image, but dangerous for others who might instantiate the image. I think I would say "no" for this, leading to:
- have prepare clear out the /root/.ssh directory except for boss pubkey(s)
- have slicefix do the same in the frisbee MFS