accounts.creole 6.89 KiB

torproject.org Accounts

The Tor project keeps all user information in a central LDAP database which governs access to shell accounts, git (write) access and lets users configure their email forwards.

It also stores group memberships, which in turn determine which users can log into which machines (see https://db.torproject.org/machines.cgi).

<a id="ldap-or-alias">Decision tree: LDAP account or email alias?</a>

Here is a simple decision tree to help you decide if a new contributor needs an LDAP account, or if an email alias will do. (All things being equal, it's better to set people up with only an email alias if that's all they need, since it reduces surface area which is better for security.)

Are they a maintainer for one of our official software projects, meaning they need to push commits (write) to one of our git repos? If yes, they should have an LDAP account.

Do they need to access (read) a private git repo, like "dirauth-conf"? If yes, they should have an LDAP account.

Do they want to make their own personal clones of our git repos, for example to propose patches and changes? If yes, and also they are a Core Contributor, they should have an LDAP account. If yes, but they're not a Core Contributor, they should put their git repos somewhere else, like github or gitlab.

Do they need to log in to our servers, for example to maintain one of our websites or services, or to use our irc bouncer? If yes, and also they are a Core Contributor, they should have an LDAP account.

Are they a Core Contributor, but none of the above cases apply to them? If so, they should have an email alias.

<a id="new-account">New accounts</a>

New accounts have to be sponsored by somebody who already has a torproject.org account. If you need an account created, please find somebody in the project who you are working with and ask them to request an account for you.

Step 1

The sponsor will collect all required information:

  • name,
  • initial forwarding email address (the user can change that themselves later),
  • pgp key fingerprint,
  • desired username.

The sponsor is responsible for verifying the information's accuracy, in particular for establishing some confidence that the key in question actually belongs to the person they want to give access to.

The user's PGP key should be available from the public keyserver network.

The sponsor will create a ticket at https://trac.torproject.org/projects/tor/newticket in the Tor Sysadmin Team component:

  • The ticket should include a short rationale as to why the account is required,
  • contain all the pieces of information listed above, and
  • be PGP signed by the sponsor using the PGP key we have on file for them. Please enclose the PGP clearsigned blob using {{{ and }}}.

Step n+1

Once the request has been filed it will be reviewed by Roger or Nick and either approved or rejected.

If the board indicates their assent, the sysadmin team will then create the account as requested.

<a id="get-access">Getting added to an existing group/Getting access to a specific host</a>

Most of the time when people want access to a specific host, what they really want is to be added to a particular group -- almost all privileges in our infrastructure, such as an account on a particular host, sudo access to a role account, or write permissions to a specific directory, come from group memberships.

If you want to get added to some unix group, you will have to find an existing member of that group. They should then request on trac -- ideally in a PGP signed message (as above in the new account creation section) -- that you be added to their group.

Should the group be orphaned or have no remaining active members, the same set of people who can approve new account requests can request you be added.

To find out who is in a specific group you can ssh to perdulce:

$ ssh perdulce.torproject.org

Then you can run:

$ getent group
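As an added example (not part of the original wiki page), here is a small POSIX shell helper that reads group lines in the format `getent group` prints (name:password:gid:member1,member2,...), lists the members of one group, and does the reverse lookup for a user. The group and user names in the sample data are constructed for the demo and are not real torproject.org groups; when no lines are passed in, the functions read the live database through `getent group`, as you would on perdulce.

```shell
#!/bin/sh
# Added example, not from the Tor sysadmin wiki. Parses /etc/group-style
# lines (name:password:gid:member1,member2,...), which is what `getent group`
# prints, so a membership question can be answered without reading the
# whole listing by eye.

# Constructed sample data: these groups and users are made up for the demo.
SAMPLE_GROUPS='root:x:0:
adm:x:4:alice,bob
tor-web:x:1001:carol,dave,erin
ircbouncer:x:1002:'

# group_members NAME [LINES]
# Prints one member per line for group NAME and returns 1 if the group does
# not exist. LINES defaults to the live database via getent; pass the lines
# explicitly (as with the sample above) to work offline.
group_members() {
    name=$1
    lines=${2:-$(getent group)}
    printf '%s\n' "$lines" | awk -F: -v g="$name" '
        $1 == g {
            found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        END { exit found ? 0 : 1 }'
}

# groups_of USER [LINES]
# Reverse lookup: prints every group whose member list contains USER.
groups_of() {
    user=$1
    lines=${2:-$(getent group)}
    printf '%s\n' "$lines" | awk -F: -v u="$user" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $1
        }'
}

# Example invocations on the constructed sample:
#   group_members tor-web "$SAMPLE_GROUPS"
#   groups_of bob "$SAMPLE_GROUPS"
```

Note that the member field only lists supplementary members; a user whose primary group (the gid in their passwd entry) is the group in question does not appear there, and on an LDAP-backed host the listing is whatever the NSS configuration exposes, so treat an empty result as "not listed" rather than proof of no access.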

See also: the "Host specific passwords" section below

<a id="aliases">Getting added to an existing email alias</a>

Similar to being added to an LDAP group, the right way to get added to an existing email alias is by getting somebody who is already on that alias to file a ticket asking for you to be added.

For specifics, see the "The sponsor will create a ticket" section above: create a ticket specifying the alias, the new address to add, and a brief motivation for the change.

<a id="password-reset">Changing/Resetting your passwords</a>

LDAP

If you've lost your LDAP password, you can request that a new one be generated. This is done by sending the phrase "Please change my Debian password" to chpasswd@db.torproject.org. The phrase is required to prevent the daemon from triggering on arbitrary signed email. The best way to invoke this feature is with

echo "Please change my Debian password" | gpg --armor --sign | mail chpasswd@db.torproject.org

After validating the request the daemon will generate a new random password, set it in the directory and respond with an encrypted message containing the new password. This new password can then be used to log in at https://db.torproject.org/login.html; click the "Update my info" button and use the "Change password" fields to create a new LDAP password.

Host specific passwords / sudo passwords

Please note that, after logging in at https://db.torproject.org/login.html, the "sudo passwords" fields at the very bottom of the {{{"Update my info"}}} form DO NOT WORK.

Your sudo password is the same for all machines on which you have sudo privileges; it is your LDAP password. The mail responder at changes@db.torproject.org will take you through a plausible, and perhaps enjoyable, series of puzzles, but BEWARE: THE CAKE IS A LIE.

<a id="key-rollover">Changing/Updating your PGP key</a>

If you are planning on migrating to a new PGP key and you also want to change your key in LDAP, or if you just want to update the copy of your key we have on file, you need to create a ticket at https://trac.torproject.org/projects/tor/newticket in the Tor Sysadmin Team component:

  • The ticket should include your username, your old PGP fingerprint and your new PGP fingerprint (if you're changing keys).
  • The ticket should be PGP signed with your PGP key that is currently stored in LDAP.

Revoked or lost old key

If you already revoked or lost your old PGP key and you migrated to a new one before updating LDAP, you need to find a sponsor to create a ticket for you. The sponsor should create a ticket at https://trac.torproject.org/projects/tor/newticket in the Tor Sysadmin Team component:

  • The ticket should include your username, your old PGP fingerprint and your new PGP fingerprint.
  • Your PGP key needs to be on a public keyserver and be signed by at least one Tor person other than your sponsor.
  • The ticket should be PGP signed with the current valid PGP key of your sponsor.