Define ssh key distribution process

[sxa]

This is part of SSDF PO 5.1 and has been flagged elsewhere. We should have a process for distributing ssh keys wherever they are used to avoid having to bypass the checks on first connect. For example:

• Nagios
• Jenkins
• Infrastructure team This could be via explicitly adding the host key into the inventory file.

[sxa]

Note: Jenkins won't accept an ssh-rsa or ssh-dss key and will therefore requre the contents of ssh_host_ecdsa_key.pub or ssh_host_ed25519_key.pub to be used in the agent configuration

[sxa]

Running through https://ci.adoptium.net/label/(dockerhost||build)&&!windows/ to cover all build systems conneted over ssh (Excluding RISC-V which will ned a separate tidy up). All are configured with the ecdsa key (/etc/ssh/ssh_host_ecdsa_key.pub) unless mentioned otherwise.

• [x] https://ci.adoptium.net/computer/build-osuosl-aix72-ppc64-1
• [x] https://ci.adoptium.net/computer/build-osuosl-aix72-ppc64-2
• [x] https://ci.adoptium.net/computer/build-osuosl-centos74-ppc64le-1X
• [x] https://ci.adoptium.net/computer/build-siteox-solaris10u11-sparcv9-1 (Set to manually trusted for now)
• [x] https://ci.adoptium.net/computer/build-osuosl-centos74-ppc64le-2
• [x] https://ci.adoptium.net/computer/docker-osuosl-ubuntu2004-ppc64le-1
• [x] https://ci.adoptium.net/computer/dockerhost-azure-ubuntu2204-x64-1
• [x] https://ci.adoptium.net/computer/dockerhost-equinix-ubuntu2004-armv8-1
• [x] https://ci.adoptium.net/computer/dockerhost-equinix-ubuntu2204-armv8-1
• [x] https://ci.adoptium.net/computer/dockerhost-marist-ubuntu2204-s390x-1
• [x] https://ci.adoptium.net/computer/dockerhost-osuosl-ubuntu2004-ppc64le-1
• [x] https://ci.adoptium.net/computer/dockerhost-skytap-ubuntu2004-ppc64le-1/
• [x] https://ci.adoptium.net/computer/test-marist-rhel8-s390x-2/ All but the last one have had their agent restarted with the new configuration (that one is runnign a Grinder just now)

[sxa]

@Haroon-Khel is going to look at implementing the changes for the other jenkins nodes which we connect to over ssh (The test- ones) and look at ensuring that any nodes created as part of the dockerstatic node automation will support this too.

[steelhead31]

@sxa do we have an existing document for this?, otherwise I'll write a document with our current policy and processes for handling these things.

[sxa]

Sounds good thanks - we have no such document currently. This is very much a "let's define and document the process" issue :-)

[Haroon-Khel]

I have configured all of the static docker containers to connect to jenkins with host key verification, except for the nodes on https://ci.adoptium.net/label/hw.dockerhost.dockerhost-skytap-ubuntu2204-x64-1/. I think that dockerhost is down as are its nodes

[steelhead31]

New document for SSH key management is here.. https://docs.google.com/document/d/1ltGOhmRKkcN-CvafiNRDZwGKCyUC8xb8lCLWBh1VJEI/edit?usp=sharing

@sxa would you mind reviewing, I think that means this issue might be complete.

[sxa]

I've added a few comments. On making them, I'm thinking that it might make sense to have separate recommendations for infrastructure team access (where root access is typically granted to the whole team) and for people who have "temporary" access to a user account on a machine, which I wouldn't necessarily hold to such high standards (e.g. I wouldn't mandate a particular cipher or passphrase for such an account, which would raise the barrier for access)

[steelhead31]

Updates have been made, following review comments, 2 new sections added , regarding temporary/additional access and jenkins host key management.

[steelhead31]

Closing, as I believe this is completed.