Re: tar_ssh.pem?

I had seen the new "create push-pem" option and gave it a try today. I
see that it does indeed create a different key with a different command
in the authorized_keys file.

One question remains though and this stems back to bug #1091079.
push-pem expects you to have set up passwordless SSH access already so
what is the point of adding further lines to authorized_keys when
general access is already allowed? Surely this is bad for security?
Wouldn't it be better for push-pem to prompt for a password so that
only the required access is added?

push-pem expects passwordless SSH b/w the node where the CLI is executed and a slave node (the slave endpoint used for session creation). It then adds master's SSH keys to authorized_keys on all slave nodes (prepended with command=... for restricting access to gsyncd). As you said, prompting for password is definitely better and should be thought of.

Non-root geo-replication does not work as of now (upstream/3.5). I'm in the process of getting it to work (patch http://review.gluster.org/#/c/7658/ in gerrit). Even with this you'd need passwordless SSH to one of the nodes on the slave (to an unprivileged user in this case). Your argument of prompting for password still holds true here.

I see the document link you mentioned in BZ #1091079 (comment #2) still points to old style geo-replication (we'd need to correct that). Are you following that in any case? Comment #1 points to the correct URL.

Thanks,
-venky
IRC: overclk on #freenode
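
An added example, not part of the original message or of GlusterFS: a Python check that parses an authorized_keys file and lists the keys that carry no command= restriction, which is the situation the thread describes when a restricted gsyncd key sits next to the key used for general passwordless access. The key blobs, host names and the gsyncd path in the sample are constructed placeholders.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)\S+$")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')

# Constructed sample; key blobs, hosts and the gsyncd path are placeholders.
SAMPLE = """\
# key used for the initial passwordless login
ssh-rsa AAAAB3PLACEHOLDER1 root@cli-node
command="/PLACEHOLDER/gsyncd --flag a,b",no-pty ssh-rsa AAAAB3PLACEHOLDER2 root@master
"""

def split_options(line):
    """Split one authorized_keys line into (options, key fields)."""
    if KEY_TYPE.match(line.split(None, 1)[0]):
        return "", line                      # line starts with the key type
    in_quote, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:
            i += 2                           # skip an escaped character
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:  # options end at unquoted space
            return line[:i], line[i:].strip()
        i += 1
    return line, ""

def audit(text):
    """Return (comment, forced_command_or_None) for every key in the file."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        opts = {m.group(1).lower(): m.group(2) for m in OPTION.finditer(options)}
        fields = rest.split()
        comment = fields[2] if len(fields) > 2 else ""
        found.append((comment, opts.get("command")))
    return found

def unrestricted(text):
    """Keys with no forced command, i.e. ones that still allow a general login."""
    return [comment for comment, cmd in audit(text) if cmd is None]

if __name__ == "__main__":
    for comment, cmd in audit(SAMPLE):
        print(f"{comment:15} {'NO forced command' if cmd is None else 'command=' + cmd}")
```

The quoted-string handling matters because a forced command may itself contain spaces and commas, and a naive split on whitespace or commas would misread such a line.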