Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add considerations for strict host key checking #732

Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Add considerations for strict host key checking #732

wants to merge 8 commits into from
+97 −11

Conversation

ecarson
Copy link
Contributor

@ecarson ecarson commented Jun 14, 2024

Added considerations for onboarding and conductor migration workflows when strict host key checking is enabled.

@ecarson
Copy link
Contributor Author

ecarson commented Jun 14, 2024

This hit what looks like an unrelated transient faillure:

FILE: docs/config_domain-based_web_filter.md
[✓] config_app_ident.md → Status: 200
[✓] ../static/img/dbwf_appl_seen.png → Status: 200
[✖] http://www.google.com/doodles/doodle-champion-island-games-september-05 → Status: 500
[✖] http://www.google.com/doodles/ → Status: 500
[✓] http://www.google.com/ → Status: 200
[✓] http://www.bing.com/ → Status: 200
[✓] #domain-categories → Status: 200

7 links checked.

ERROR: 2 dead links found!
[✖] http://www.google.com/doodles/doodle-champion-island-games-september-05 → Status: 500
[✖] http://www.google.com/doodles/ → Status: 500

https://github.com/128technology/docs/actions/runs/9509604151/job/26212795734

MichaelBaj
MichaelBaj reviewed Jun 14, 2024
View reviewed changes
docs/howto_router_migration.md Outdated
### Additional Considerations When Strict Host Key Checking Is Enabled

If the router is configured for strict `inter-router` host key checking (`host-key-checking` is `yes`), there are some additional considerations when performing a migration to the new conductor. It will be necessary to manually provision the new conductor key **prior** to migrating the router. This will require the administrator to retrieve the host key of each node of the new conductor and configure this in the router prior to migration.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't this only relevant for deployments that are running pre-6.3 software?
If so, that should be indicated here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The strict host key checking will be relevant for all releases running Strict host key checking. We were planning to roll this back to the earlier support releases.

Note that it is optionally enabled in config. We will need to encourage people to enable it though because it is important for blocking a MitM attack from router to conductor.

When it is enabled it requires explicit key sharing to be made by the administrator. We proposed an enhancement where this would be included in the quickstarter bundle and Teron seemed to think this was OK for CC.

docs/intro_otp_iso_install.mdx Outdated

### Additional Considerations When Strict Host Key Checking Is Enabled

If the router is configured for strict `inter-router` host key checking (`host-key-checking` is `yes`), there are some additional considerations when onboarding to the conductor. It will be necessary to manually provision the new conductor key **prior** to successful communication to the conductor. This will require the administrator to retrieve the host key of each node of the new conductor and configure this in the router.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above.

@MichaelBaj MichaelBaj self-requested a review June 14, 2024 13:42
MichaelBaj
MichaelBaj previously approved these changes Jun 14, 2024
View reviewed changes
MichaelBaj
MichaelBaj requested changes Jun 24, 2024
View reviewed changes
docs/cc_fips_otp_router_install.md Outdated
@@ -108,6 +108,53 @@ When you modify the GRUB kernel behavior by editing the GRUB menu at boot time,

This installation process is an automated workflow which does not require user interaction after selecting and initiating the OTP menu option. The system will power off after installation.

### Enable Strict Host Key Checking

Enabling strict `host-key-checking` provides secure communication between the conductor and a configured router.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does the term "configured router" mean in this sentence. Typically it would simply be a "router" or a "managed router". Is this a distinction with a difference? If so, what? If not, then "a router" is sufficient.

docs/cc_fips_otp_router_install.md Outdated
config authority router RTR_EAST_COMBO node combo-east-2 ssh-settings inter-router host-key-checking yes
```

- **`inter-node host-key-checking`** controls host key verification between redundant HA nodes. When set to `yes`, strict host key checking is enabled between the router and the conductor **between each node**. However, the host keys must be manually provisioned on each router.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this sentence read:

"strict host key checking is enabled between each node of a HA router."?
The sentence is confusing.

docs/cc_fips_otp_router_install.md Outdated

#### Manual Provisioning of the Conductor Key

If a router is configured for strict `inter-router host-key-checking` (set to `yes`), but **does not** have `accepts-new` configured, it will be necessary to manually provision the new conductor key **prior** to onboarding the router to the conductor. This will require the administrator to retrieve the host key of each node of the new conductor and configure this in the router.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The last sentence states "of the new conductor".
Perhaps this paragraph was originally used for a migration doc. Does "new" conductor matter here? i.e., if this were a migration use case or a use case where a customer is turning on struck-host-key checking for the first time, a new or old conductor shouldn't matter, right?
recommend changing to "This will require the administrator to retrieve the host key of each node of the conductor and configure this in the router."

docs/cc_fips_otp_router_install.md Outdated

If a router is configured for strict `inter-router host-key-checking` (set to `yes`), but **does not** have `accepts-new` configured, it will be necessary to manually provision the new conductor key **prior** to onboarding the router to the conductor. This will require the administrator to retrieve the host key of each node of the new conductor and configure this in the router.

On the new conductor, identify the `key` for each node using the command `show system connectivity host-keys node all`.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above regarding the "new" conductor.

docs/howto_router_migration.md

If the router is configured for strict `inter-router` host key checking (`host-key-checking` is `yes`), there are some additional considerations when performing a migration to the new conductor. It will be necessary to manually provision the new conductor key **prior** to migrating the router. This will require the administrator to retrieve the host key of each node of the new conductor and configure this in the router prior to migration.
If a router is configured for strict `inter-router host-key-checking` (set to `yes`), but **does not** have `accepts-new` configured, it will be necessary to manually provision the new conductor key **prior** to migrating the router to the conductor. This will require the administrator to retrieve the host key of each node of the new conductor and configure this in the router.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here it is clear that this is coming from the migration doc, hence the use of the term "new conductor"

@Chr1st0ph3rTurn3r
Added Mike's review input
5a62ed4
@Chr1st0ph3rTurn3r
merging content updated from master. Merge branch 'ecarson/strict-ho…
7e59d6b 
…st-key-checking-considerations' of github.com:128technology/docs into ecarson/strict-host-key-checking-considerations
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MichaelBaj MichaelBaj MichaelBaj approved these changes

@Chr1st0ph3rTurn3r Chr1st0ph3rTurn3r Awaiting requested review from Chr1st0ph3rTurn3r Chr1st0ph3rTurn3r is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ecarson @MichaelBaj @Chr1st0ph3rTurn3r