Add SSH certificates documentation

[adamlazik1]

What changes are you introducing?

Documenting the SSH certificate feature https://projects.theforeman.org/issues/38478)

Why are you introducing these changes? (Explanation, links to references, issues, etc.)

Anything else to add? (Considerations, potential downsides, alternative solutions you have explored, etc.)

Contributor checklists

• I am okay with my commits getting squashed when you merge this PR.
• I am familiar with the contributing guidelines.

Please cherry-pick my commits into:

• Foreman 3.17/Katello 4.19
• Foreman 3.16/Katello 4.18 (Satellite 6.18; orcharhino 7.6)
• Foreman 3.15/Katello 4.17
• Foreman 3.14/Katello 4.16 (Satellite 6.17; orcharhino 7.4; orcharhino 7.5)
• Foreman 3.13/Katello 4.15 (EL9 only)
• Foreman 3.12/Katello 4.14 (Satellite 6.16; orcharhino 7.2 on EL9 only; orcharhino 7.3)
• We do not accept PRs for Foreman older than 3.12.

[github-actions]

The PR preview for 05ed072 is available at theforeman-foreman-documentation-preview-pr-4592.surge.sh

The following output files are affected by this PR:

• Managing_Configurations_Ansible/index-foreman-deb.html
• Managing_Configurations_Ansible/index-foreman-el.html
• Managing_Configurations_Ansible/index-foremanctl-katello.html
• Managing_Configurations_Ansible/index-foremanctl-orcharhino.html
• Managing_Configurations_Ansible/index-foremanctl-satellite.html
• Managing_Configurations_Ansible/index-katello.html
• Managing_Configurations_Ansible/index-orcharhino.html
• Managing_Configurations_Ansible/index-satellite.html
• Managing_Hosts/index-foreman-deb.html
• Managing_Hosts/index-foreman-el.html
• Managing_Hosts/index-foremanctl-katello.html
• Managing_Hosts/index-foremanctl-orcharhino.html
• Managing_Hosts/index-foremanctl-satellite.html
• Managing_Hosts/index-katello.html
• Managing_Hosts/index-orcharhino.html
• Managing_Hosts/index-satellite.html

show diff

show diff as HTML

[adamlazik1]

Style review appreciated :)

[maximiliankolb]

Please add [role="_abstract"] to each module before the first paragraph.

[maximiliankolb]

How do you feel about moving this to a new assembly assembly_using-ssh-certificates.adoc?

I also suggestion to add "[leveloffset=+1]" to the assembly, "[]" to the first concept, and "[leveloffset=+1]" for all other modules.

[aneta-petrova]

I second Maximilian's suggestion: Adding some sort of structure to separate the new use case from the other sections would help with navigation. "Configuring and setting up remote jobs" already has dozens of sections (😱) so extra help navigating would surely be appreciated.

[adamlazik1]

Thank you, applied.

[maximiliankolb]

Suggested change

	* On {SmartProxy}, enter the following command:
	* On {SmartProxy}, disable SSH host key verification:

[adamlazik1]

Applied, slightly reworded.

[aneta-petrova]

I second Maximilian's suggestion: Adding some sort of structure to separate the new use case from the other sections would help with navigation. "Configuring and setting up remote jobs" already has dozens of sections (😱) so extra help navigating would surely be appreciated.

[aneta-petrova]

The .Procedure must contain only an uninterrupted sequence of steps to comply with the DITA migration tool. You can move this to the module introduction.

[adamlazik1]

Applied.

[aneta-petrova]

Each command should have its own step, with a description of what that command does. Can you please update this?

[aneta-petrova]

Because the commands are related, you could also introduce them as substeps. So something like:

. Update the `sshd` configuration:
.. Step 1 mkdir
.. Step 2 echo

[adamlazik1]

Applied.

[aneta-petrova]

A second round of feedback based on my reading up on the feature and its purpose. This is mostly centered around making sure the use case is explained properly in the introductions/abstracts.

I also had this thought: https://issues.redhat.com/browse/SAT-28038 (public) provides a hint on what to do when the user key or CA cert need to be rotated. Do you think we should add a procedure for that?

[aneta-petrova]

Suggested change

	This provides verification that {SmartProxy} is connecting to legitimate hosts, preventing man-in-the-middle attacks.
	This provides verification that {SmartProxy} is connecting to legitimate hosts, helping prevent man-in-the-middle attacks.

[adamlazik1]

Wouldn't it be "helping to prevent"?

[Lennonka]

"to" is optional and both are grammatically correct.

[adamlazik1]

Thank you @aneta-petrova and @maximiliankolb for reviews! Here are some of my thoughts:

[adamlazik1]

Wouldn't it be "helping to prevent"?

[adamlazik1]

The file gets created automatically with the correct name, this should be something like a warning to not change it. Any ideas on how to reword it?

[adamlazik1]

This seems like it's repeating itself, how about merge the two sentences into one like this?

"You can configure {SmartProxy} to present an SSH certificate signed by a Certificate Authority (CA) to hosts instead of a plain SSH public key."

[adamlazik1]

We should probably rephrase this somehow, the file gets created with a correct name but it's important to not change it.

[adamlazik1]

Applied, slightly reworded.

[adamlazik1]

Thank you, applied.

[adamlazik1]

Applied.

[adamlazik1]

Applied.

[adamlazik1]

I also had this thought: https://issues.redhat.com/browse/SAT-28038 (public) provides a hint on what to do when the user key or CA cert need to be rotated. Do you think we should add a procedure for that?

Yes, that's a good point. I'll get working on that.

[lhellebr]

This PR adds foreman-installer instructions to foremanctl version of documentation.

[lhellebr]

By "import", you probably just mean "copy the file" but this makes an impression that you want the user to import the key to some keystore. This is also true for other occurences of "import" in this PR.

[adamlazik1]

Applied.

[lhellebr]

If the CA is on a different server...
This really means: if you copied the sat's public key to a different machine (your CA) and signed it, you need to copy back

1. the resulting cert
2. and also the CA's public key

It's confusing and 2) also happened in the preceding import the public key of the {SmartProxy} to the CA server part, although perhaps not to the correct directory.
This should be somehow rephrased together with the aforementioned part.

Also, we shouldn't be too specific because signing a key should be user's responsibility.

[adamlazik1]

Signing has to be done with private CA key, but smart proxy only requires the public CA key. I think we should keep the mention of what files need to be copied for this to work on an external CA server. But I did change "import" for "copy" to be more clear as per your other comment.

[adamlazik1]

I also had this thought: https://issues.redhat.com/browse/SAT-28038 (public) provides a hint on what to do when the user key or CA cert need to be rotated. Do you think we should add a procedure for that?

Yes, that's a good point. I'll get working on that.

Added rotating certs procedure.

[lhellebr]

How? Or what user, group, mod, selinux context is expected?

[adamlazik1]

Honestly if the user doesn't change anything specific or use a non-standard directory then this will work out of the box. The cert has 644 permissions by default.

[aneta-petrova]

So perhaps just a note of some sorts that by default, foreman-proxy has read access, while notifying the users not to change the permissions? It's true that writing "Ensure that ..." invites users to take some sort of action, and if that's not expected here, rephrasing would be a good idea.

[adamlazik1]

Changed this into admonition, please see if it is better.

[lhellebr]

In one of the previous section, the user is instructed to find the correct path in /etc/foreman-proxy/settings.d/remote_execution_ssh.yml but here it is hardcoded.

[adamlazik1]

/var/lib/foreman-proxy/ssh is the default dir for ssh config. While installer provides the option to change it, I am not aware that we have a documented procedure for this. Regardless, some hands-on users could have potentially changed their proxy ssh key, so looking in the settings is a surefire way to identify the correct key. About this procedure, I don't want to instruct users to use a different directory because I have a hunch it can break a lot of REX stuff. There are not only keys in that directory but also known hosts files and host CA known hosts file.

[lhellebr]

I get that, but why does one procedure check that config and the other doesn't?

[adamlazik1]

Oh, I misunderstood. Fixed.

[lhellebr]

Does this need to be run even if the key name is the same? If yes, maybe point this out here?

[adamlazik1]

No. that is a good point. I will make a mention of that.

[adamlazik1]

Added.

[lhellebr]

Although signing is the user's responsibility, consider pointing out that -h option and sometimes principal need to be specified.

[adamlazik1]

Fair point, I will think about it.

[adamlazik1]

Ended up adding the mention about the -h option, but I think we can probably stop there. Signing is user's responsibility.

[lhellebr]

Did you mean: foreman-proxy-plugin-remote-execution-script-ssh-host-ca-public-keys-file?
In other places, too.

[adamlazik1]

Thanks for catching it. Fixed.

[aneta-petrova]

This PR adds foreman-installer instructions to foremanctl version of documentation.

This is still okay right now. The list of foremanctl guides we expose upstream doesn't yet include REX documentation:

foreman-documentation/web/releases/nightly.json

Lines 134 to 152 in 8c1014f

	"title": "Foreman with Katello (containerized)",
	"header": "Foreman {FOREMAN_VER} and Katello {KATELLO_VER} (containerized)",
	"filename": "index-foremanctl-katello.html",
	"sections": {
	"Release notes and upgrading": [
	["Upgrading_Project", "Upgrading Foreman to {FOREMAN_VER}"]
	],
	"Quickstart": [
	["Quickstart", "Quickstart guide"]
	],
	"Deploying Foreman": [
	["Installing_Server", "Installing Foreman Server"]
	],
	"Administering Foreman server": [
	["Configuring_User_Authentication", "Configuring user authentication"]
	],
	"Administering hosts": [
	],
	"Reference": [

Although I recognize that the fact that the GHA preview includes foremanctl preview links is confusing... but users won't be able to see those documents on the docs website.

[adamlazik1]

Applied the second round of feedback.

[aneta-petrova]

A few more thoughts after the latest updates. It's looking good! I'm going to pause my style review for now, to give proper space to tech/testing review now. I'd like to take one final look after tech/testing review is done.

[aneta-petrova]

Can you think of a use case that could help users identify as something applicable to their situation? Such as:

Suggested change

	You can rotate the SSH certificate used by {SmartProxy} for remote execution by generating a new SSH key pair and having it signed by your configured CA.
	If the SSH certificate used by {SmartProxy} for remote execution is no longer valid, rotate the certificate by generating a new SSH key pair and having it signed by your configured CA.

It's a simple thing to add, but helps users find their place in the procedures.

[adamlazik1]

Technically, you can rotate the cert at any time for various reasons, it does not have to be upon cert expiration.

[adamruzicka]

This should also explicitly say that this also affects ansible

[adamruzicka]

In ssh lingo, this would probably be "Using user certificates"

[adamlazik1]

Applied.

[adamruzicka]

In ssh lingo, this would probably be "Using host certificates"

[adamlazik1]

Applied.

[adamruzicka]

Can you use rex to do that at any time or does it have to be done at a specific time in the process otherwise you cut yourself off?

[adamlazik1]

This can be done at any time, smart proxy retains connection to the hosts registered before enabling the feature via plain ssh keys.

[adamruzicka]

This (hosts getting configured on provisioning and registration) should be mentioned explicitly at a more prominent place than in a warning.

[adamlazik1]

Should I move it to the abstract instead?

[aneta-petrova]

I would advise against moving this to the abstract. An abstract is just a summary of the contents of a module, it shouldn't contain any unique information.

What about moving it to the end of the module? It describes the end result of the procedure, right? So then it could work as the summary of the new state after the user follows through with the procedure.

You could even split the warning into the description of the new state and the link. The description of the new state could work as a summary after the last step of the procedure (it needs to be connected to the last step with + to be compliant with DITA migration). And the link to the other procedure could work as part of a .Next steps section.

[adamlazik1]

This should also explicitly say that this also affects ansible

Added in the concept module.