Thcipriani has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/369817 )
Change subject: keyholder: public keys publicly readable
......................................................................

keyholder: public keys publicly readable

As we add more identities to keyholder, we're beginning to run up against the `MaxAuthTries` limit for sshd server. We can get around this in scap by passing an explicit identityfile for ssh.

Ssh documentation seems to suggest that identityfiles are meant to be private keys; however, it seems that it is actually reading the public key files associated with a private key when a private key is passed as an identityfile. Public keys passed as identityfiles work fine in openssh.

These public keys are already available to anyone who has read access to the keyholder proxy sock (everyone with ssh access to tin - which is how I was able to test the modified scap command). This change just makes the public read of public keys more explicit.

This change is needed for scap patch in phabricator: D733

Bug: T172333
Change-Id: Ic09e544fd8532785967673c65de905df44bd958a
---
M modules/keyholder/manifests/agent.pp
1 file changed, 1 insertion(+), 1 deletion(-)

git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/17/369817/1

diff --git a/modules/keyholder/manifests/agent.pp b/modules/keyholder/manifests/agent.pp index dc260cf..f7d5eb2 100644 --- a/modules/keyholder/manifests/agent.pp +++ b/modules/keyholder/manifests/agent.pp 
@@ -61,7 +61,7 @@ show_diff => false, owner => 'root', group => 'keyholder', - mode => '0440', + mode => '0444', } # generate the mapping between groups and keys. Used by ssh-agent-proxy

--
To view, visit https://gerrit.wikimedia.org/r/369817

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ic09e544fd8532785967673c65de905df44bd958a
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Thcipriani <tcipri...@wikimedia.org>
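
Review bot: the `mode => '0444'` line makes whatever this resource manages world-readable, but the hunk does not show the resource title or source, so nothing visible here establishes that it covers only the public key files. Please confirm the resource cannot match a private key (the unchanged `show_diff => false` suggests the content was being treated as sensitive), and add a short comment above the mode line stating that these are public keys read as ssh identityfiles, so a later edit does not reuse this resource for private material. With 0444 the `group => 'keyholder'` setting no longer restricts who can read the file; keeping it is harmless, but the comment should say that read access is intentionally not limited to the group.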