Passwords
- Passwords are unpleasant: hard to remember
- Most people remember only a couple, so each one becomes a single point of failure
- Algorithmic passwords (a scheme for deriving one password per site) are also flawed
- Use 'pwgen' to make decent random passwords; they are still hard to remember
Storing passwords in a vault
- Why not put your passwords in a file and password-protect the file?
- The single point of failure has shifted to one private file
- Still not ideal, but certainly safer than a single password for everything
- Plenty of password managers out there: 1Password, KeePass, LastPass, pass
pass password manager
- Uses a GPG keypair for encryption/decryption of passwords
- Stores each password in a separate file
- All files kept in a git repo
- Allows pushing/pulling to/from machines you control
- Do not put them on GitHub/BitBucket/etc.
- Lots of platforms supported
Making GPG keys: quick redux (see LPI-102 Topic 110)
- gpg --gen-key
  Generate a key interactively
- gpg --output revoke.asc --gen-revoke mykey
  Generate a revocation certificate. Critical for identity keys!
- gpg --export-secret-key -a "MyUser" -o priv.key
  Export the secret key, needed on every device to decrypt passwords
- gpg --export -a "MyUser" -o pub.key
  Export the public key, needed on every device to encrypt passwords
Setting up pass
- pass init foo@bar.com
  Uses the GPG key for foo@bar.com
- pass git init
- pass git remote add origin myVPS.com:somefolder
- pass git push -u --all
- pass generate Logins/Netsoc 32
  Makes a 32-character password in the file Logins/Netsoc
- pass git push
Cool things
- Each folder (e.g. Logins/Netsoc) can have its own GPG key to en/decrypt: $folder/.gpg-id contains the GPG secret key ID
- The store path is, by default, ~/.password-store
- Use gpg-agent to stop having to enter your passphrase repeatedly: eval "$(gpg-agent --daemon)"
- Clipboard feature: pass -c Logins/Netsoc puts the password in the clipboard for 45 seconds
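How the per-folder .gpg-id works in practice, as an added example written for these notes (not pass's own code): pass starts in the entry's directory and walks up towards the store root, using the first .gpg-id it meets, so a .gpg-id created with pass init -p Logins/Netsoc KEYID overrides the store-wide one for everything under that folder. The function below reproduces that lookup against a throwaway store built in a temp directory; the key ids and entry names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not pass's own code. Shows which GPG recipient pass would use
# for a given entry: the nearest .gpg-id at or above the entry's directory.
# Key ids and entry names below are constructed for the demo.

# gpg_id_for STORE ENTRY: print the recipient id(s) pass would encrypt ENTRY with
gpg_id_for() {
    store=$1
    entry=$2
    dir="$store/$(dirname "$entry")"
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            cat "$dir/.gpg-id"
            return 0
        fi
        case "$dir" in
            "$store" | "$store/.") break ;;   # reached the store root without a hit
        esac
        dir=$(dirname "$dir")
    done
    echo "error: no .gpg-id above $entry; run 'pass init' first" >&2
    return 1
}

# make_demo_store: build a throwaway store layout in a temp dir and print its path
make_demo_store() {
    store=$(mktemp -d) || return 1
    mkdir -p "$store/Logins/Netsoc" "$store/Logins/Personal"
    echo "foo@bar.com" > "$store/.gpg-id"                               # store-wide key (constructed)
    echo "netsoc-admins@example.org" > "$store/Logins/Netsoc/.gpg-id"   # folder-specific key (constructed)
    : > "$store/Logins/Netsoc/wiki.gpg"      # entries are empty placeholders here
    : > "$store/Logins/Personal/mail.gpg"
    echo "$store"
}

demo_store=$(make_demo_store)
echo "Logins/Netsoc/wiki   -> $(gpg_id_for "$demo_store" Logins/Netsoc/wiki)"
echo "Logins/Personal/mail -> $(gpg_id_for "$demo_store" Logins/Personal/mail)"
rm -rf "$demo_store"
```

Entries under Logins/Netsoc resolve to the folder key, everything else falls through to the store-wide foo@bar.com; removing the root .gpg-id makes the lookup fail the way pass does when a store was never initialised.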
Managing lots of machines
- Very relevant to the ~~~cloud~~~
- Two types of methods: configuration management, remote shells
- Lots of different configuration management software: Salt, Ansible, Puppet, Chef, CFEngine, Bcfg2, Spacewalk, etc.
- Many different approaches too: enforcing/passive, agent/agentless, symmetric/asymmetric communication layer, config storage in JSON/XML/LDAP/????
Remote shells
- Quick way to execute commands on many servers
- Fast hack: tmux with 'setw synchronize-panes'
- Better way: pdsh
- fab (Fabric), which is also a deployment system
Monitoring machines
- Lots of machines => lots of possible failures
- Need monitoring and alerting systems
- Very detailed monitoring can be done with collectd; it can output to syslog, files, CSV, etc.
- Syslog can be directed to a syslog server (or something like logstash)
- Round-robin (RRDtool-based) remote monitoring done with cacti/munin
- Munin is very simple, uses telnet(!) to gather data
Monitoring machines: a few options
- Nagios
- Zabbix
- Icinga (holy war with Nagios)
- Nagios uses emails/pagers to alert people to problems
- A problem is raised when one of the check scripts Nagios fires fails
- Three states: Normal (or recovered), Warning, Critical
Nagios
- Two ways of monitoring:
  - Get the central node to check remotes with commands over SSH, generally called "push monitoring"
  - Ask remote nodes for information using NRPE, generally called "pull monitoring"
- NRPE: Nagios Remote Plugin Executor
  Scripts for testing the system exist on the client and are fired when the client receives an instruction from the master
- Can get a mixture of both (if you want to make people sad)
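The check scripts NRPE fires on a client are plain programs that report their result through their exit status, which is how the Normal/Warning/Critical states from the previous slide reach the Nagios master. The following is an added example written for these notes, not Nagios or Netsoc code: a minimal disk-usage plugin that compares a usage percentage against warning and critical thresholds and exits with the codes Nagios understands (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The function names, the thresholds and the mount point checked at the bottom are assumptions.

```shell
#!/bin/sh
# Added example, not Nagios's or Netsoc's own code: a minimal Nagios-style
# check plugin. Nagios reads the exit status (0 OK, 1 WARNING, 2 CRITICAL,
# 3 UNKNOWN) and shows the first line of output as the status text; the text
# after "|" is performance data (label=value;warn;crit) for graphing.

STATE_OK=0
STATE_WARNING=1
STATE_CRITICAL=2
STATE_UNKNOWN=3

# is_uint STRING: succeed only for a non-empty string of decimal digits
is_uint() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    return 0
}

# check_threshold VALUE WARN CRIT [LABEL]: classify VALUE (percent used, higher
# is worse). Prints the status line and returns the matching Nagios exit code.
# A value at or above a threshold triggers that state; bad input is UNKNOWN.
check_threshold() {
    value=$1; warn=$2; crit=$3; label=${4:-usage}
    if ! is_uint "$value" || ! is_uint "$warn" || ! is_uint "$crit"; then
        echo "UNKNOWN - non-numeric input: value=$value warn=$warn crit=$crit"
        return $STATE_UNKNOWN
    fi
    if [ "$crit" -lt "$warn" ]; then
        echo "UNKNOWN - critical threshold ($crit) is below warning ($warn)"
        return $STATE_UNKNOWN
    fi
    perf="$label=$value%;$warn;$crit"
    if [ "$value" -ge "$crit" ]; then
        echo "CRITICAL - $label ${value}% >= ${crit}% | $perf"
        return $STATE_CRITICAL
    elif [ "$value" -ge "$warn" ]; then
        echo "WARNING - $label ${value}% >= ${warn}% | $perf"
        return $STATE_WARNING
    fi
    echo "OK - $label ${value}% | $perf"
    return $STATE_OK
}

# disk_used_percent MOUNT: print the "Use%" column of df for MOUNT (POSIX -P layout)
disk_used_percent() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# check_disk MOUNT WARN CRIT: the plugin entry point NRPE would invoke.
# An unreadable or missing mount yields an empty value and therefore UNKNOWN.
check_disk() {
    used=$(disk_used_percent "$1")
    check_threshold "$used" "$2" "$3" "disk $1"
}

# Stand-alone usage: check the root filesystem (mount point and thresholds assumed)
rc=0; check_disk / 80 90 || rc=$?
echo "exit status: $rc"
```

NRPE only relays the exit status and the output line, so a plugin that dies with a stack trace or exits 0 on error silently turns a real failure into "OK" (or into the "script fails" case the previous slide mentions); mapping every unexpected condition to UNKNOWN keeps those visible.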
Asset management
- Managing equipment is messy: lots of bureaucracy
- Use ralph (http://allegro.tech/ralph/)
- Geared towards physical datacentres; less appropriate for cloud stuff
Backups
- Critical: drives die, and you can be stuck without anything
- Lots of software for backups: Acronis, Bacula, Amanda, rsync(!)
- Netsoc uses Bacula
- 4 components:
  - Director: tells things to back up
  - Storage daemon: place where backups are put
  - File daemon: places where backups come from
  - Console: lets you check things