This is for discussion... a few thoughts regarding https://github.com/poanetwork/wiki/wiki/Non-AWS-Node-Setup
SSH keys: it is not clear whether creating a separate key for each node significantly enhances security. On the downside, it increases the possibility of forgetting/mixing passwords and losing access to nodes. Besides, there are other ways of storing SSH keys, like hardware tokens, etc. I think we should avoid giving direct instructions here and rely on the user's choice... we can't know his workflow and habits (does he share his computer with someone? does he install spyware?). Hopefully, if he's into crypto, he understands the importance of keeping private keys private and using strong passwords, in which case he can manage with a few keypairs.

So, as a guideline, I think we should recommend creating a separate password-protected key for each POA network (= 2 keys max at the moment). This can also help prevent accidental updates on the wrong network. But we leave it up to the user to choose a keypair here.

This note should go to the very beginning of the doc, because the opening line "Create Ubuntu 16.04 Server Image..." assumes that the user created a server himself; most probably he had to provide an SSH key during this process. Later down the doc he creates a new user on the server and a new key, but access with the original key is not revoked, so there are two keys to access the same server now. I think if in (1) we describe how to choose a key for the server, then there is no need to create an additional keypair later.

However, it should be explicitly stated that the user must use a password-protected keypair, even though SSH allows password-less keys. + each key should have a different strong password.

In the original versions of these guides I missed that there is an `ansible-playbook` option `--ask-become-pass` that prompts for the sudo password. So it seems we can remove the requirement to create an additional user who can execute `sudo` without a password, and add a note about this option instead.

When there are multiple keypairs in `~/.ssh`, it's possible to tell `ansible-playbook` which one to use by providing the `--private-key` option with the full path to the private key, e.g. `ansible-playbook -i hosts site.yml --key-file ~/.ssh/id_poa_sokol`.
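An added check, not from the issue or the wiki guide, for the requirement above that every keypair be password-protected: it audits a directory such as `~/.ssh` and reports private keys that have no passphrase, by reading the cipher name from the `openssh-key-v1` header and the `Proc-Type` header of legacy PEM keys. The key blobs and filenames it builds are constructed samples, not real keys.

```python
import base64
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # first bytes of every openssh-key-v1 blob

def _read_string(buf: bytes, off: int):
    """Decode one SSH wire-format string (uint32 big-endian length + bytes) at off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def is_passphrase_protected(key_text: str) -> bool:
    """True if an OpenSSH (openssh-key-v1) or legacy PEM private key is encrypted."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # Header layout: magic, ciphername, kdfname, ...; unencrypted keys use ciphername "none".
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a "Proc-Type: 4,ENCRYPTED" header.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)

def unprotected_keys(ssh_dir: Path) -> list:
    """Return names of private-key files in ssh_dir that have no passphrase."""
    bad = []
    for path in sorted(ssh_dir.iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue  # public keys, directories
        text = path.read_text(errors="replace")
        if text.startswith("-----BEGIN") and "PRIVATE KEY-----" in text.split("\n", 1)[0]:
            if not is_passphrase_protected(text):
                bad.append(path.name)
    return bad

def make_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: only the header fields the checker reads, not a usable key."""
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

def demo() -> list:
    """Audit a constructed temporary ~/.ssh holding one protected and one unprotected key."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "id_poa_sokol").write_text(make_openssh_key(b"aes256-ctr", b"bcrypt"))
        (d / "id_poa_core").write_text(make_openssh_key(b"none", b"none"))
        return unprotected_keys(d)  # -> ['id_poa_core']
```

Running `unprotected_keys(Path.home() / ".ssh")` on a real workstation lists the keys that still need a passphrase added with `ssh-keygen -p`.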