
Re: [rt.debian.org #7779] Semi-automated sync to vittoria -- SSH key management



On 19-05-29 05 h 13, Hector Oron via RT wrote:
> Sobre Dis 25 Mai 2019 15:07:52, pollo@debian.org ha escrit:
>> Hi!
>>
>> I'm following up on issue #13 in our ansible bug tracker [1] about
>> setting up a semi-automated sync to vittoria.
>>
>> During confs and mini-confs, we need to be able to sync files from the
>> voctomix (live video mixer) machines in the rooms to Vittoria.
>>
>> Currently, the way we do it is that a member of the videoteam group adds
>> temporary SSH keys to their Debian account for that machine.
>>
>> What we would like to do is to be able to add restricted SSH keys,
>> allowed to access the sreview user, in the form of:
>>
>> ----------------------------------------------------------------------
>> command="/srv/sreview.debian.org/home/bin/rrsync -wo /srv/sreview.debian.org/input",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB[...]KYl videoteam@voctomixXY
>> ----------------------------------------------------------------------
>>
>> The actual sync is done via a CLI script (which is a basic rsync
>> wrapper) that can be found here [2]. The rrsync script is directly
>> gunzipped from rsync's documentation.
>>
>> It seems that 1 year ago when Wouter approached DSA on IRC, you seemed
>> open to the ideas as long as the authorized keys changes were done
>> through a command line interface rather than through a web interface.
>>
>> Modifying the authorized_keys file would be done manually by a member of
>> the team at the beginning of each conference.
> 
> What do you exactly need from DSA?

The current /etc/ssh/sshd_config file uses:

AuthorizedKeysFile /etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more

This means /home/sreview/.ssh/authorized_keys isn't read by openssh-server.

If DSA agrees to what we're proposing, this file would need to be read by
the openssh-server to let us sync files via rrsync.

-- 
  ⢀⣴⠾⠻⢶⣦⠀
  ⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
  ⢿⡄⠘⠷⠚⠋   pollo@debian.org / veronneau.org
  ⠈⠳⣄
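Added example, not part of the thread above: a small POSIX sh check of the two points raised in it. It expands the tokens in sshd's AuthorizedKeysFile value the way sshd_config(5) documents (%u, %h, %%) to show whether ~/.ssh/authorized_keys is consulted for the sreview user, and it checks a key entry for the rrsync forced command and the no-* restrictions. The AuthorizedKeysFile value and the paths are taken from the thread; the home directory and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not DSA's or the videoteam's code).

# expand_authorized_keys_files USER HOME FILE...
# Prints one absolute path per line. %u -> user, %h -> home, %% -> %;
# a relative path is taken relative to HOME, as sshd does.
expand_authorized_keys_files() {
  user=$1; home=$2; shift 2
  for p in "$@"; do
    p=$(printf '%s\n' "$p" | sed -e 's|%%|__PERCENT__|g' \
          -e "s|%u|$user|g" -e "s|%h|$home|g" -e 's|__PERCENT__|%|g')
    case $p in
      /*) printf '%s\n' "$p" ;;
      *)  printf '%s/%s\n' "$home" "$p" ;;
    esac
  done
}

# reads_home_authorized_keys USER HOME FILE...
# Succeeds only if HOME/.ssh/authorized_keys is among the files sshd reads.
reads_home_authorized_keys() {
  user=$1; home=$2; shift 2
  expand_authorized_keys_files "$user" "$home" "$@" | grep -qx "$home/.ssh/authorized_keys"
}

# is_restricted_rrsync_key LINE
# Succeeds if the entry forces "rrsync -wo <dir>" and carries every
# restriction option used in the thread's example entry.
is_restricted_rrsync_key() {
  line=$1
  case $line in
    'command="'*'rrsync -wo '*'"'*) ;;
    *) return 1 ;;
  esac
  for opt in no-agent-forwarding no-port-forwarding no-pty no-user-rc no-X11-forwarding; do
    case $line in
      *",$opt,"*|*",$opt "*) ;;
      *) return 1 ;;
    esac
  done
}

# Values from the thread; the key blob is a constructed placeholder.
SSHD_AKF='/etc/ssh/userkeys/%u /var/lib/misc/userkeys/%u /etc/ssh/userkeys/%u.more'
SAMPLE_KEY='command="/srv/sreview.debian.org/home/bin/rrsync -wo /srv/sreview.debian.org/input",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3PLACEHOLDER videoteam@voctomixXY'

expand_authorized_keys_files sreview /home/sreview $SSHD_AKF
if reads_home_authorized_keys sreview /home/sreview $SSHD_AKF; then
  echo "~/.ssh/authorized_keys is consulted for sreview"
else
  echo "~/.ssh/authorized_keys is NOT consulted for sreview"
fi
is_restricted_rrsync_key "$SAMPLE_KEY" && echo "sample entry is a restricted rrsync key"
```

With the thread's AuthorizedKeysFile value the script reports that ~/.ssh/authorized_keys is not consulted, which is the point of the follow-up message; adding `.ssh/authorized_keys` to the value changes the result.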
