Greetings everyone.

As you may know we are planning on rolling out our new account system in a few weeks. During this changeover it might be a good time (or might not!) to change how our ssh auth for git works with src.fedoraproject.org (well, pkgs.fedoraproject.org really).

How it works now:

* All users in the 'packager' group have accounts on pkgs01.iad2
* All these users have a 'wrapper' on their ssh key that runs the pagure wrapper that checks who they are, etc.

Cons:

* only packagers have accounts for ssh, so non packagers just get permission denied and it confuses them.
* operating on the idea of least privilege, having everyone in the packager group having real accounts seems wrong/bad.

How we could change it:

1) Do nothing. We could add packager again when we move to sssd/ipa and everything keeps working pretty much the same way it does now.

2) We could move from ssh://username@pkgs to ssh://git@pkgs and not have real shell accounts for packagers. Everything would get sorted out by the wrapper on the git account.

Cons:

* Everyone with an existing checkout would have to update their url
* We still have to deal with ssh port open to the world

Pros:

* Everyone could use the ssh://git@pkgs url, no need to just be a packager

3) We could just retire the ssh part of this and ask everyone to use https.

Cons:

* Everyone who had a ssh checkout would have to change it to https.
* Some people like ssh over https and would be mad at us.
* https pushing needs a browser to get a token, so it would be a pain for people with no local gui session.

Pros:

* No need to have the ssh port on pkgs01.iad2 open to the internet anymore.
* https can be load balanced via proxies, etc

4) We could add some kind of GSSAPI/Kerberos support to pagure, so people could use https and a kerberos ticket.

5) Your idea here

So, thoughts?

kevin
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
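Editor's added example, not part of the original message and not pagure's own wrapper: a sketch of the decision a forced-command wrapper on a shared `git` account (option 2 above) has to make for each session. It assumes the key owner's name is passed through the `command="..."` option in `authorized_keys` alongside `restrict`; the function name, the ACL table and the repository paths are hypothetical.

```python
import posixpath
import shlex

# Constructed sample ACL: repo path -> users allowed to push. A real
# deployment would query the forge instead of a hard-coded table.
PUSH_ACL = {"rpms/bash.git": {"alice"}, "rpms/zsh.git": {"bob"}}

READ_CMD, WRITE_CMD = "git-upload-pack", "git-receive-pack"


def authorize(user, original_command):
    """Return (allowed, argv_or_reason) for one SSH session.

    `user` comes from the command="..." option in authorized_keys, so it is
    bound to the key that authenticated. `original_command` is the untrusted
    SSH_ORIGINAL_COMMAND string supplied by the client.
    """
    if not original_command:
        return False, "interactive shells are not available"
    try:
        argv = shlex.split(original_command)
    except ValueError:
        return False, "unparseable command"
    # Exactly one git service plus one repository argument, nothing else.
    if len(argv) != 2 or argv[0] not in (READ_CMD, WRITE_CMD):
        return False, "only git fetch/push is permitted"
    # ssh:// URLs send a leading slash; normalise before the lookup.
    repo = posixpath.normpath(argv[1].lstrip("/"))
    if repo.startswith("..") or repo.startswith("-") or repo not in PUSH_ACL:
        return False, "unknown repository"
    if argv[0] == WRITE_CMD and user not in PUSH_ACL[repo]:
        return False, "%s may not push to %s" % (user, repo)
    # The caller would exec this argv list directly, without a shell.
    return True, [argv[0], repo]
```

With this shape, anyone holding a registered key can fetch, while pushes are limited per repository, and no key ever maps to a login shell.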