Limit SSH Access To Admins
under review
Nathan Fish
under review
Nathan Fish
We just introduced expression-based context restrictions, which allow you to not allow certain contexts to be available within an SSH rerun. It addresses some of the concerns around SSH rerun but doesn't directly address the desire to limit SSH reruns to just admins.
Justin Wiley
Nathan Fish thanks Nathan...is there a place to look for documentation on this or is that coming?
Nathan Fish
Justin Wiley absolutely! Should have included that in the first place. https://circleci.com/docs/contexts/#expression-restrictions
Manish Vyas
Nathan Fish We can see that the expression-based context restrictions have exceptions to pipeline.trigger_parameters.* pipeline values.
Just want to confirm if we can use trigger parameters in the expressions.
Nathan Fish
Manish Vyas trigger_parameters are all the metadata from the inbound webhook. We don't allow access because a bad actor could spoof those parameters and they are generally unbounded. If there is a specific parameter you are interested in or use case you can provide we can evaluate options to make that possible.
Manish Vyas
Nathan Fish We were checking on using the expressions based on the GitHub metadata to restrict the users to use the rerun SSH feature. Let us know if that is possible using the expressions.
Nathan Fish
Manish Vyas: One option would be to create a context with restriction "not job.ssh.enabled" and then require that context in the workflow as documented in the contexts overview https://circleci.com/docs/contexts/#overview. This would effectively prevent ssh rerun access. You could get more complicated by layering your rules based on branch, etc.
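A sketch of the setup described in the reply above, added here as an illustration and not taken from CircleCI or from any poster's project. The context name `prod-deploy-no-ssh`, the job names and the `./scripts/*.sh` paths are hypothetical; the restriction expression `not job.ssh.enabled` is the one quoted in the reply and is set on the context itself, not in `config.yml`.

```yaml
# .circleci/config.yml (constructed example)
# Assumption: a context named "prod-deploy-no-ssh" exists in the organization
# and carries the expression restriction:   not job.ssh.enabled
version: 2.1

jobs:
  build:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: ./scripts/build.sh    # hypothetical script, needs no secrets

  deploy:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: ./scripts/deploy.sh   # hypothetical script, reads secrets from the context

workflows:
  build-and-deploy:
    jobs:
      # No context attached: nothing secret is exposed if this job is rerun with SSH.
      - build
      # Requires the restricted context: when the job is rerun with SSH,
      # job.ssh.enabled is true, the restriction is not satisfied, and the
      # context is not made available to the job.
      - deploy:
          requires:
            - build
          context:
            - prod-deploy-no-ssh
```

The restriction applies to every user who triggers the rerun, so it does not distinguish admins from other members, which is the limitation raised in the following reply.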
Manish Vyas
Nathan Fish Thanks for the reply, we can have the workflow use a separate context to prevent SSH. But even in that case it will restrict the existing admins from using the workflow, because the same context is used by security groups of developers and admins.
Nathan Fish
Manish Vyas: Thanks for the additional information. We will continue to look at additional options for this problem.
Nathan Fish
Small update here. We now have an experimental endpoint to set a number of advanced settings on projects.
Gabriel Koo
Nathan Fish: Thank you very much!!!
Igor Buchmueller
Nathan Fish: Thanks for the effort,
Is there a working example where you can configure a CircleCI project so that only a specific (github) role (e.g. admins) can do SSH access?
As I understand it, that was the requirement of the feature request. I have gone through the API calls and cannot recognise the function. Maybe I'm missing something? Thank you!
Manish Vyas
Nathan Fish: Thank you for providing us the API for updating project settings, but on setting disable_ssh to true, it also disables the rerun SSH for admin users. Do we have any flag which only enables rerun SSH for admin users?
Nathan Fish
Igor Buchmueller: We also added an "admin" only option to project settings so you can limit who can edit project settings.
Nathan Fish
Manish Vyas: Not yet. We are looking at ways to limit SSH rerun to a group of users. No timeline yet on when that will be completed.
Daniel Castronovo
Nathan Fish: It's a big security issue, please prioritize this feature, the community and customers need this!
Nathan Fish
Daniel Castronovo: We plan to offer the ability to limit SSH reruns to a group of users. No timeline yet but we are working on it.
Manish Vyas
Nathan Fish Do we have any update on the tentative time when this feature will be available?
Nathan Fish
Manish Vyas We don't have a current timeline. We did just introduce expression-based context restrictions, which do allow you to not make contexts available within an SSH rerun. It addresses some of the concerns around SSH rerun but doesn't directly address the desire to limit SSH reruns to just admins.
Nathan Fish
in progress
Manish Vyas
Nathan Fish: Hi Nathan,
Do we have any update on this feature?
Lucas Coppio
At least allow us to enable/disable SSH per user, at the very least allow some kind of control.
Nathan Fish
planned
We are working on access controls for SSH Rerun and you should all see some options over the next few months.
Daniel Castronovo
Any news? This is security basics!
Dean Hiller
Yes, much like a context, where you can pick a GitHub team, we need to pick a GitHub team and only they can do the 'Rebuild with SSH'. Here is the scenario:
- all code reviewed in US and forced PR review is on, so they can't land it, meaning they can't change config.yml without us knowing
- the GitHub team is the only ones with access to SSH
So you would need TWO people (one hacking and one reviewer) to pull this off, AND if they did, there is an audit trail as well for legal action.
We have nothing with this SSH feature except a huge hole in security.
Igor Buchmueller
Any updates on this?
This is really a show stopper for companies in an enterprise environment.
Mazedur Rahman
Any updates on this? This is a big blocker for CD to prod for compliance reasons.