On Wed, 30 Apr 2014 20:25:03 +0100
James Le Cuirot <chewi@xxxxxxxxxxxxxxxxx> wrote:

> > > On April 28, 2014 6:03:16 AM PDT, Venky Shankar
> > > <vshankar@xxxxxxxxxx> wrote:
>
> > >> On 04/27/2014 11:55 PM, James Le Cuirot wrote:
> > >>> I'm new to Gluster but have successfully tried geo-rep with
> > >>> 3.5.0. I've read about the new tar+ssh feature and it sounds
> > >>> good but nothing has been said about the tar_ssh.pem file that
> > >>> gsyncd.conf references. Why is a separate key needed? Does it
> > >>> not use gsyncd on the other end? If not, what command should I
> > >>> lock it down to in authorized_keys, bug #1091079
> > >>> notwithstanding?
>
> > >> geo-replication "create push-pem" command should add the keys on
> > >> the slave for tar+ssh to work. That is done as part of geo-rep
> > >> setup.
>
> I had seen the new "create push-pem" option and gave it a try today. I
> see that it does indeed create a different key with a different
> command in the authorized_keys file.
>
> One question remains though and this stems back to bug #1091079.
> push-pem expects you to have set up passwordless SSH access already so
> what is the point of adding further lines to authorized_keys when
> general access is already allowed? Surely this is bad for security?
> Wouldn't it be better for push-pem to prompt for a password so that
> only the required access is added?

Sorry for this but could I please get an answer on the above? Security
is a very big deal for us as it should be for everyone here. I gather
the mountbroker can be used to do this replication as non-root which
helps but general SSH access for this user is something I would still
like to avoid if it is really not necessary.

Regards,
James
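
A check for the situation raised in the message above, where forced-command entries in authorized_keys sit next to a key that still grants general access. This is an added example, not part of the thread and not Gluster's own code; the sample file, key material and command paths are constructed placeholders.

```python
import re

# One whitespace-delimited field / one comma-delimited option; a double-quoted
# value (which may contain spaces, commas and \" escapes) stays in one piece.
FIELD = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^\s"])+')
OPTION = re.compile(r'(?:"(?:\\.|[^"\\])*"|[^,"])+')
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")
HARDENING = {"no-port-forwarding", "no-agent-forwarding",
             "no-x11-forwarding", "no-pty"}

# Constructed sample: key material, paths and comments are placeholders.
SAMPLE = """\
# slave-side authorized_keys (constructed)
ssh-rsa AAAAB3PLACEHOLDER1 root@master
command="/path/to/gsyncd" ssh-rsa AAAAB3PLACEHOLDER2 root@master
restrict,command="/path/to/wrapper arg1,arg2" ssh-ed25519 AAAAC3PLACEHOLDER3 root@master
"""

def audit(text):
    """Return (line_no, status, forced_command, comment) per key entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields, opts = FIELD.findall(line), {}
        if not KEY_TYPE.match(fields[0]):   # first field is the options list
            for opt in OPTION.findall(fields.pop(0)):
                name, _, value = opt.partition("=")
                if value[:1] == '"':        # drop only the enclosing quotes
                    value = value[1:-1]
                opts[name.lower()] = value  # option names are case-insensitive
        if "command" not in opts:
            status = "UNRESTRICTED"         # key can open a general login session
        elif "restrict" in opts or HARDENING.issubset(opts):
            status = "forced-command, hardened"
        else:
            status = "forced-command, forwarding/pty allowed"
        findings.append((n, status, opts.get("command"), " ".join(fields[2:])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any entry reported as UNRESTRICTED is a key whose holder gets general SSH access for that account, whatever forced-command lines exist beside it.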