Change the SSH keys for users on non-compute nodes (NCNs) on the system using the `rotate-ssh-keys-mgmt-nodes.yml` Ansible playbook provided by CSM, or through NCN node personalization (`site.yml`).
The NCNs deploy with SSH keys for the `root` user that are changed during the system install. See Change NCN Image Root Password and SSH Keys for more information on changing the default keys during install. For system security, it is recommended best practice to change the SSH keys on a schedule after the install is complete. This procedure describes how to change the keys once the system is operational.
The NCN `root` user keys are stored in the HashiCorp Vault instance and applied with the `csm.ssh_keys` Ansible role via a CFS session. If no keys have been added to Vault, as in the procedure below, this Ansible role will skip any updates.
1. Generate a new SSH key pair for the `root` user.

   Use `ssh-keygen` to generate a new pair, or stage an existing pair, as per site security policies and procedures.

2. Write the private and public halves of the key pair to the HashiCorp Vault.
Use the following procedure with the `rotate-ssh-keys-mgmt-nodes.yml` playbook to change only the `root` SSH keys on NCNs. This is a quick alternative to running a full management node personalization, as documented in the Re-run node personalization on management nodes procedure in the Management Node Personalization topic.
1. (`ncn-mw#`) Create a CFS configuration layer to run the SSH key change Ansible playbook.

   **NOTE:** This step only needs to be done once, as long as the commit in the CSM configuration management Git repository has not changed. If the commit has not changed since the last time this step was run, this step may be skipped, because the previously created CFS configuration will still work.
   1. Create a file containing only this CFS configuration layer.

      The file contents should be as follows, except replace the `<INSERT GIT COMMIT ID>` text with the commit in the CSM configuration management Git repository that is in use.

      ```json
      {
        "layers": [
          {
            "name": "ncn-root-keys-update",
            "clone_url": "https://api-gw-service-nmn.local/vcs/cray/csm-config-management.git",
            "playbook": "rotate-ssh-keys-mgmt-nodes.yml",
            "commit": "<INSERT GIT COMMIT ID>"
          }
        ]
      }
      ```
   2. Create the `ncn-root-keys-update` configuration in CFS.

      Replace the `<INSERT FILE PATH HERE>` text with the path to the file created in the previous step. If a CFS configuration already exists with this name, the following command will overwrite it.

      ```bash
      cray cfs v3 configurations update ncn-root-keys-update --file <INSERT FILE PATH HERE>
      ```
2. (`ncn-mw#`) Create a CFS configuration session to apply the SSH keys update.

   ```bash
   cray cfs v3 sessions create --name ncn-root-keys-update-`date +%Y%m%d%H%M%S` --configuration-name ncn-root-keys-update
   ```

3. Monitor the CFS session.
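The following helper script is an added example, not part of the CSM documentation or the `csm-config-management` repository. It wraps the layer-file and session steps above so that the two common mistakes (the `<INSERT GIT COMMIT ID>` placeholder left in place, or a branch name instead of a full commit) are rejected before anything is handed to `cray cfs`, and it sanity-checks the public key file from the key-generation step so a private key is not uploaded to Vault as the public half. The commit id used in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added helper (not CSM's own code) for the rotate-ssh-keys-mgmt-nodes.yml procedure.
CLONE_URL="https://api-gw-service-nmn.local/vcs/cray/csm-config-management.git"
PLAYBOOK="rotate-ssh-keys-mgmt-nodes.yml"

# Return 0 if $1 is a full 40-hex-digit git commit id, 1 otherwise.
# CFS layers pin a commit; placeholders and branch names must not get through.
is_commit_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# Print the single-layer CFS configuration JSON for commit $1 to stdout.
# Returns non-zero instead of writing a file with a bad commit value.
write_layer_json() {
  commit="$1"
  if ! is_commit_id "$commit"; then
    echo "refusing to write layer: '$commit' is not a 40-hex git commit id" >&2
    return 1
  fi
  cat <<EOF
{
  "layers": [
    {
      "name": "ncn-root-keys-update",
      "clone_url": "$CLONE_URL",
      "playbook": "$PLAYBOOK",
      "commit": "$commit"
    }
  ]
}
EOF
}

# CFS session names must be unique; the docs append a timestamp.
# An explicit timestamp may be passed in (keeps the function testable).
session_name() {
  printf 'ncn-root-keys-update-%s\n' "${1:-$(date +%Y%m%d%H%M%S)}"
}

# Verify that file $1 holds exactly one OpenSSH public key line, so an
# empty file or a private key is not stored in Vault as the public half.
check_pubkey() {
  [ -s "$1" ] && [ "$(grep -c . "$1")" -eq 1 ] \
    && grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$1"
}

# Usage on an ncn-mw node (COMMIT is a constructed placeholder value):
#   COMMIT=0123456789abcdef0123456789abcdef01234567
#   write_layer_json "$COMMIT" > /tmp/ncn-root-keys-update.json
#   cray cfs v3 configurations update ncn-root-keys-update --file /tmp/ncn-root-keys-update.json
#   cray cfs v3 sessions create --name "$(session_name)" --configuration-name ncn-root-keys-update
```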
The `csm.ssh_keys` Ansible role also supports setting SSH keys for non-root users.

1. Make a copy of the `rotate-ssh-keys-mgmt-nodes.yml` Ansible playbook and modify the role variables to specify a different `ssh_keys_username`.
2. Using that username, add the SSH keys to Vault.
3. Create a configuration layer using the new Ansible playbook and create a CFS session using that layer.