Re: tar_ssh.pem?

On Wed, 30 Apr 2014 20:25:03 +0100
James Le Cuirot <chewi@xxxxxxxxxxxxxxxxx> wrote:

> > > On April 28, 2014 6:03:16 AM PDT, Venky Shankar
> > > <vshankar@xxxxxxxxxx> wrote:
> 
> > >> On 04/27/2014 11:55 PM, James Le Cuirot wrote:
> > >>> I'm new to Gluster but have successfully tried geo-rep with
> > >>> 3.5.0. I've read about the new tar+ssh feature and it sounds
> > >>> good but nothing has been said about the tar_ssh.pem file that
> > >>> gsyncd.conf references. Why is a separate key needed? Does it
> > >>> not use gsyncd on the other end? If not, what command should I
> > >>> lock it down to in authorized_keys, bug #1091079
> > >>> notwithstanding?
> 
> > >> geo-replication "create push-pem" command should add the keys on
> > >> the slave for tar+ssh to work. That is done as part of geo-rep
> > >> setup.
> 
> I had seen the new "create push-pem" option and gave it a try today. I
> see that it does indeed create a different key with a different
> command in the authorized_keys file.
> 
> One question remains though and this stems back to bug #1091079.
> push-pem expects you to have set up passwordless SSH access already so
> what is the point of adding further lines to authorized_keys when
> general access is already allowed? Surely this is bad for security?
> Wouldn't it be better for push-pem to prompt for a password so that
> only the required access is added?

Sorry for this but could I please get an answer on the above? Security
is a very big deal for us as it should be for everyone here. I gather
the mountbroker can be used to do this replication as non-root which
helps but general SSH access for this user is something I would still
like to avoid if it is really not necessary.

Regards,
James
_______________________________________________
Gluster-users mailing list
Gluster-users@xxxxxxxxxxx
http://supercolony.gluster.org/mailman/listinfo/gluster-users
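
One way to check the concern raised in this message, as an added example that is not part of the original post and not Gluster's own code: a small audit that parses an authorized_keys file and reports which keys still permit general access (no forced `command=`) next to the command-restricted ones. The sample file, key material, key comments and command paths are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?')
HARDENING = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding")

def split_entry(line):
    """Split one authorized_keys line into (options field, key part)."""
    if line.startswith(KEY_TYPES):              # line has no options field
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        if in_quote and line.startswith('\\"', i):
            i += 1                              # skip an escaped quote inside a value
        elif line[i] == '"':
            in_quote = not in_quote
        elif line[i] in " \t" and not in_quote:
            return line[:i], line[i:].strip()   # first unquoted blank ends the options
        i += 1
    return line, ""

def audit(text):
    """Return one finding per key: comment, forced command, missing hardening options."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts_field, key_part = split_entry(line)
        opts = {name.lower(): value for name, value in OPTION_RE.findall(opts_field)}
        fields = key_part.split(None, 2)
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        command = opts.get("command")           # None: the key may run anything
        missing = [] if "restrict" in opts else [o for o in HARDENING if o.lower() not in opts]
        findings.append({"comment": comment, "command": command, "missing": missing})
    return findings

def general_access_keys(text):
    """Comments of keys that are not locked to a forced command."""
    return [f["comment"] for f in audit(text) if f["command"] is None]

SAMPLE = '''\
# constructed sample: key material and command paths are placeholders
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAA root@master-setup
command="/path/to/geo-rep-command",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB geo-rep
command="/path/to/tar wrapper, quoted" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAC tar+ssh
'''

if __name__ == "__main__":
    print(general_access_keys(SAMPLE))
```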



