From b6b6adaf77828008ed7ab765f78b2d2180a4e577 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Thu, 15 Feb 2024 13:25:08 -0500
Subject: [PATCH] document root password rotation (tpo/tpa/team#41530)

---
 service/password-manager.md | 47 +++++++++++++++++++++++++++++++++++--
 1 file changed, 45 insertions(+), 2 deletions(-)

diff --git a/service/password-manager.md b/service/password-manager.md
index 9d951ea6..1ec17273 100644
--- a/service/password-manager.md
+++ b/service/password-manager.md
@@ -143,11 +143,54 @@ lesser priority, but should nevertheless be processed:
 It might be worth examining the service list to prioritize some of
 them.
 
+Note that it's impossible to change the following passwords:
+
+ * [DNSwl](https://www.dnswl.org/): they specifically refuse to allow users to change their
+   passwords (!) ("To avoid any risks of (reused) passwords leaking as
+   the result of a security incident, the dnswl.org team preferred to
+   use passwords generated server-side which can not be set by the
+   user.")
+
+The following need coordination with other teams:
+
+ * anti-censorship: `archive.org-gettor`, `google.com-gettor`
+
 ### root
 
-Next, the root passwords need to be rotated.
+Next, the root passwords should be rotated. This can be automated with
+a [Fabric](howto/fabric) task, and should be tested with a single host first:
 
-TODO: fabric task?
+    fab -H survey-01.torproject.org host.password-change --pass-dir=tor/root
+
+Then go on the host and try the generated password:
+
+    ssh survey-01.torproject.org
+
+then:
+
+    login root
+
+Typing the password should just work there. If you're confident in the
+procedure, this can be done for all hosts with the delicious:
+
+    fab -H $(
+      echo $(
+        ssh puppetdb-01.torproject.org curl -s -G http://localhost:8080/pdb/query/v4/facts \
+        | jq -r ".[].certname" | sort -u \
+      ) | sed 's/ /,/g'
+    ) host.password-change --pass-dir=tor/root
+
+If it fails on one of the host (e.g. typically `dal-rescue-02`), you can skip past that host with:
+
+    fab -H $(
+      echo $(
+        ssh puppetdb-01.torproject.org curl -s -G http://localhost:8080/pdb/query/v4/facts \
+        | jq -r ".[].certname" | sort -u \
+        | sed '0,/dal-rescue-02/d'
+      ) | sed 's/ /,/g'
+    ) host.password-change --pass-dir=tor/root
+
+Then the password needs to be reset on that host by hand.
 
 ### OOB
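Review bot: the resume command (`sed '0,/dal-rescue-02/d'`) drops every certname sorted up to and including the failing host, which only does what the text promises if Fabric walks the `-H` list in that same sorted order and all hosts before the failure were already rotated; the paragraph should say so explicitly (e.g. "hosts listed before the failing one have already been rotated; this re-runs only the remainder"), and note that the `0,/re/` address is a GNU sed extension. The `echo $( ... ) | sed 's/ /,/g'` idiom in both invocations can be replaced by `| paste -sd,` (or `tr '\n' ,`) on the `sort -u` output, which avoids word-splitting the host list through `echo`. Minor wording: "with the delicious:" reads like a leftover and should be "with the following:", and "one of the host" should be "one of the hosts". Finally, "Then the password needs to be reset on that host by hand" gives no procedure; since the next section is "### OOB", a pointer to the out-of-band console procedure (or to re-running the single-host `fab -H <host> host.password-change` command above once the host is reachable) would make the failure path actionable.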
 
-- 
GitLab