On Tue, 12 Nov 2019, Gregory Farnum wrote:
> This is just a specific instance of a generalized problem, right? If
> the Ceph cluster has the ability to update itself, then anybody who
> pwns it can update to arbitrary code and do whatever they want. The
Yeah, exactly.
I think we just have two modes, then: (1) the root key one that's
implemented now for maximum ease of use, seamless upgrades, etc., and then
(2) a more paranoid mode where
1- admin is responsible for ceph-daemon being installed and/or upgraded
when necessary.
2- ceph-daemon package creates a cephdaemon user and sudoers.d file
3- mgr/ssh has a mode=... setting and/or user=... setting
4- node addition instructions have the paranoid edition where the ssh key
is put in cephdaemon user's (instead of root's) authorized_keys file
sage
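The "paranoid mode" node setup sketched in steps 1-4 above, written out as a shell script. This is an added example, not code from the thread or from the Ceph project, and it stands in for what the ceph-daemon package and the node-addition instructions would do. Assumptions that are mine rather than the thread's: the daemon-side binary lives at /usr/sbin/ceph-daemon, the unprivileged account is called cephdaemon, the orchestrator's public key is handed in as a file, and the key is additionally locked down with from= and no-*-forwarding options, which goes beyond what the thread describes.

```shell
#!/bin/sh
# Added example, not from the ceph-devel thread or the Ceph project.
# Sets up the "paranoid mode" node: an unprivileged cephdaemon account,
# a sudoers.d fragment that lets it run only ceph-daemon as root, and the
# orchestrator's ssh key in that account's authorized_keys (not root's).
# Assumed (not stated in the thread): binary path and account name below.
set -eu

CEPH_USER="${CEPH_USER:-cephdaemon}"
CEPH_DAEMON_BIN="${CEPH_DAEMON_BIN:-/usr/sbin/ceph-daemon}"

# Sudoers fragment. NOPASSWD because mgr/ssh drives the node
# non-interactively; !requiretty because there is no terminal on that ssh
# session. Note the boundary this buys: cephdaemon can still run
# ceph-daemon as root with any arguments, so the trust is now in what
# ceph-daemon itself is willing to do, not in who holds the ssh key.
sudoers_fragment() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$CEPH_USER" "$CEPH_DAEMON_BIN"
    printf 'Defaults:%s !requiretty\n' "$CEPH_USER"
}

# authorized_keys entry for the orchestrator key. $1 = public key line
# (e.g. "ssh-ed25519 AAAA... mgr"), $2 = address or pattern the mgr
# connects from. The options are an assumption on top of the thread: they
# stop a leaked mgr key from being used as a generic pivot into the node.
authorized_key_line() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# Root-only steps. The sudoers fragment is checked with visudo -c before it
# is installed, so a typo cannot lock sudo or open it up.
apply() {
    pubkey_file="$1"
    allowed_from="$2"

    id "$CEPH_USER" >/dev/null 2>&1 || \
        useradd --system --create-home --shell /bin/sh "$CEPH_USER"
    home=$(getent passwd "$CEPH_USER" | cut -d: -f6)

    tmp=$(mktemp)
    sudoers_fragment > "$tmp"
    visudo -c -f "$tmp"
    install -m 0440 -o root -g root "$tmp" /etc/sudoers.d/ceph-daemon
    rm -f "$tmp"

    install -d -m 0700 -o "$CEPH_USER" -g "$CEPH_USER" "$home/.ssh"
    authorized_key_line "$(cat "$pubkey_file")" "$allowed_from" \
        > "$home/.ssh/authorized_keys"
    chmod 0600 "$home/.ssh/authorized_keys"
    chown "$CEPH_USER:$CEPH_USER" "$home/.ssh/authorized_keys"
}

# Usage: ./paranoid-node.sh apply /path/to/mgr.pub 10.0.0.5
case "${1:-}" in
    apply) apply "$2" "$3" ;;
    *) ;;
esac
```

Steps 1 and 3 from the list stay with the admin and with mgr/ssh respectively: the script does not install or upgrade ceph-daemon, and the orchestrator still has to be told (the user=... / mode=... setting) to log in as cephdaemon and prefix its calls with sudo.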