Re: Uploads of daily D-I builds (was: on .ssh/authorized_keys files)

2008-06-04 Thread Geert Stappers
On 02-06-2008 at 15:36, Joey Hess wrote:
> The better choice is to set up authorized_keys on gluck with your new,
> dedicated d-i daily build key, and then ping weasel or another DSA to
> symlink it into place in /ssh-keys/ so ssh will actually use it.

FWIW

/ssh-keys/ is moved to /etc/ssh/userkeys/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: Uploads of daily D-I builds (was: on .ssh/authorized_keys files)

2008-06-02 Thread Stephen R Marenka
On Sat, May 31, 2008 at 01:12:09PM -0700, Steve Langasek wrote:
> On Sat, May 31, 2008 at 07:35:58PM +0200, Frans Pop wrote:
> > On Friday 30 May 2008, Stephen R Marenka wrote:
> > > On Thu, May 29, 2008 at 10:08:02PM +0200, Frans Pop wrote:
> > > > So basically this is what needs to be done to get uploads for daily
> > > > D-I builds working again for remaining architectures.
> > > > Does anybody who has a build running want to coordinate that? Maybe
> > > > setup a (more) common system for it?
> > >
> > > I'm willing to coordinate if that will help. I just emailed weasel to
> > > find out what the procedure should be.
> >
> > Great. Note that Joey and Steve (vorlon) have now already gotten this
> > done, so you could also ask one of them.
> > Main thing is to try to get it done ASAP for all remaining arches.
>
> Well, for me the only procedure was ping weasel on IRC... :)

I guess that makes me a bad candidate for success. :(

-- 
Stephen R. Marenka If life's not fun, you're not doing it right!
[EMAIL PROTECTED]




Re: Uploads of daily D-I builds (was: on .ssh/authorized_keys files)

2008-06-02 Thread Joey Hess
Stephen R Marenka wrote:
> I guess that makes me a bad candidate for success. :(

To summarize:

Since the openssl compromise, ~/.ssh/authorized_keys is ignored on
gluck. So keys for daily builds have to be put on in a different way.

One choice would be to use the LDAP interface. But this would add the
key to every debian.org machine, not just gluck, which is suboptimal
from a security POV.

The better choice is to set up authorized_keys on gluck with your new,
dedicated d-i daily build key, and then ping weasel or another DSA to
symlink it into place in /ssh-keys/ so ssh will actually use it.

However, this entails setting up an authorized_keys that they are happy
with the security of. For some reason, they seem to want it to be *more*
secure than the keys you'd put in LDAP. Doesn't entirely make sense to
me why, but more security can't hurt, and more security is why we're not
just putting the key in LDAP, so, ok.

So you'll want to follow the examples in /ssh-keys/{vorlon,joeyh,kyle}.
Vorlon is probably the best example; he checked out
svn://svn.debian.org/d-i/trunk/installer/build into ~/d-i, and set up
his authorized_keys like this:

# alpha bi-daily d-i build -- keep 20 images
from="quetzlcoatl.dodds.net",command="~/d-i/d-i-unpack-helper alpha 20" key here

You can probably get away without the from= if your build system doesn't
have static reverse dns.

-- 
see shy jo
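
Added example (not part of the original thread, and not DSA's own tooling): a Python check of authorized_keys entries against the policy discussed in this thread, that a per-host automation key carries both a from= host restriction and a command= forced command. The key material (AAAAEXAMPLE) and key comments in the sample lines are constructed placeholders.

```python
import re

# One option: name, optionally ="quoted value" (backslash escapes allowed) or =bare.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:=(?:"((?:\\.|[^"\\])*)"|([^,\s"]+)))?')
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH key-type tokens


def parse_entry(line):
    """Split one authorized_keys line into (options dict, key part)."""
    line = line.strip()
    opts, pos = {}, 0
    if line.startswith(KEY_TYPES):  # no options field at all
        return opts, line
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("malformed options field")
        quoted, bare = m.group(2), m.group(3)
        value = quoted if quoted is not None else bare
        opts[m.group(1).lower()] = True if value is None else value
        pos = m.end()
        if pos < len(line) and line[pos] == ",":
            pos += 1  # another option follows
            continue
        break
    if pos < len(line) and not line[pos].isspace():
        raise ValueError("malformed options field (unbalanced quote?)")
    return opts, line[pos:].strip()


def audit(line):
    """Return policy findings for one entry; an empty list means it passes."""
    try:
        opts, key = parse_entry(line)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if not key.startswith(KEY_TYPES):
        findings.append("options do not end at a key type (unquoted space?)")
    if not isinstance(opts.get("from"), str):
        findings.append("no from= host restriction")
    if not isinstance(opts.get("command"), str):
        findings.append("no command= forced command")
    return findings


# Constructed sample entries; AAAAEXAMPLE stands in for real key material.
RESTRICTED = ('from="quetzlcoatl.dodds.net",'
              'command="~/d-i/d-i-unpack-helper alpha 20" ssh-rsa AAAAEXAMPLE d-i')
UNRESTRICTED = "ssh-rsa AAAAEXAMPLE d-i"
UNQUOTED = ("from=quetzlcoatl.dodds.net,"
            "command=~/d-i/d-i-unpack-helper alpha 20 ssh-rsa AAAAEXAMPLE")
```

The UNQUOTED case shows why option values containing spaces must be double-quoted: the options field ends at the first unquoted space, so the rest of the command would be read as the key.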




Re: Uploads of daily D-I builds (was: on .ssh/authorized_keys files)

2008-05-31 Thread Frans Pop
On Friday 30 May 2008, Stephen R Marenka wrote:
> On Thu, May 29, 2008 at 10:08:02PM +0200, Frans Pop wrote:
> > So basically this is what needs to be done to get uploads for daily
> > D-I builds working again for remaining architectures.
> > Does anybody who has a build running want to coordinate that? Maybe
> > setup a (more) common system for it?
>
> I'm willing to coordinate if that will help. I just emailed weasel to
> find out what the procedure should be.

Great. Note that Joey and Steve (vorlon) have now already gotten this 
done, so you could also ask one of them.
Main thing is to try to get it done ASAP for all remaining arches.

Cheers,
FJP




Re: Uploads of daily D-I builds (was: on .ssh/authorized_keys files)

2008-05-31 Thread Steve Langasek
On Sat, May 31, 2008 at 07:35:58PM +0200, Frans Pop wrote:
> On Friday 30 May 2008, Stephen R Marenka wrote:
> > On Thu, May 29, 2008 at 10:08:02PM +0200, Frans Pop wrote:
> > > So basically this is what needs to be done to get uploads for daily
> > > D-I builds working again for remaining architectures.
> > > Does anybody who has a build running want to coordinate that? Maybe
> > > setup a (more) common system for it?
> >
> > I'm willing to coordinate if that will help. I just emailed weasel to
> > find out what the procedure should be.
>
> Great. Note that Joey and Steve (vorlon) have now already gotten this
> done, so you could also ask one of them.
> Main thing is to try to get it done ASAP for all remaining arches.

Well, for me the only procedure was ping weasel on IRC... :)

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer   http://www.debian.org/
[EMAIL PROTECTED] [EMAIL PROTECTED]





Re: Uploads of daily D-I builds (was: on .ssh/authorized_keys files)

2008-05-31 Thread Frans Pop
On Saturday 31 May 2008, Steve Langasek wrote:
> Well, for me the only procedure was ping weasel on IRC... :)

Sure, but he also asked you to make some changes to your SSH key.
Having those requirements communicated to others would save weasel having 
to request and explain the same thing 12 times.

Some may also have to make changes in their build system setup. Knowing 
how to do that could help too.




Re: Uploads of daily D-I builds (was: on .ssh/authorized_keys files)

2008-05-30 Thread Stephen R Marenka
On Thu, May 29, 2008 at 10:08:02PM +0200, Frans Pop wrote:
> So basically this is what needs to be done to get uploads for daily D-I
> builds working again for remaining architectures.
> Does anybody who has a build running want to coordinate that? Maybe setup a
> (more) common system for it?

I'm willing to coordinate if that will help. I just emailed weasel to
find out what the procedure should be.

Thanks,

Stephen

> --  Forwarded Message  --
> Subject: on .ssh/authorized_keys files
> Date: Thursday 29 May 2008
> From: Peter Palfrader [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
>
> The use of ~user/.ssh/authorized_keys files has been disabled since
> DSA1571 was announced.  While our initial plan was to allow them
> again eventually some bad experience with DDs' key handling has
> led us to reconsider that intent.
>
> So ~user/.ssh/authorized_keys will remain disabled.
>
> If you want to login to debian.org hosts using keys you should send them
> to the LDAP as outlined at <URL:https://db.debian.org/doc-mail.html>,
> which allows us to do at least some quality control.
>
> Should you need keys only on specific hosts for automated tasks like
> updating stuff or syncing files between project machines or similar
> we can enable a user editable authorized_keys file for specific users
> on specific hosts.  Usually we would expect those keys to be limited
> to use only from certain hosts (using from=xyz) and limited to
> allow execution of only certain commands (using command=foobar).
> Contact DSA if you have such a case.
>
> Your sysadmins
> ---



-- 
Stephen R. Marenka If life's not fun, you're not doing it right!
[EMAIL PROTECTED]




Uploads of daily D-I builds (was: on .ssh/authorized_keys files)

2008-05-29 Thread Frans Pop
So basically this is what needs to be done to get uploads for daily D-I 
builds working again for remaining architectures.
Does anybody who has a build running want to coordinate that? Maybe setup a 
(more) common system for it?

Cheers,
FJP

--  Forwarded Message  --
Subject: on .ssh/authorized_keys files
Date: Thursday 29 May 2008
From: Peter Palfrader [EMAIL PROTECTED]
To: [EMAIL PROTECTED]

The use of ~user/.ssh/authorized_keys files has been disabled since
DSA1571 was announced.  While our initial plan was to allow them
again eventually some bad experience with DDs' key handling has
led us to reconsider that intent.

So ~user/.ssh/authorized_keys will remain disabled.

If you want to login to debian.org hosts using keys you should send them
to the LDAP as outlined at <URL:https://db.debian.org/doc-mail.html>,
which allows us to do at least some quality control.

Should you need keys only on specific hosts for automated tasks like
updating stuff or syncing files between project machines or similar
we can enable a user editable authorized_keys file for specific users
on specific hosts.  Usually we would expect those keys to be limited
to use only from certain hosts (using from=xyz) and limited to
allow execution of only certain commands (using command=foobar).
Contact DSA if you have such a case.

Your sysadmins
---

