
Re: Uploads of daily D-I builds (was: on .ssh/authorized_keys files)



Stephen R Marenka wrote:
> I guess that makes me a bad candidate for success. :(

To summarize:

Since the openssl compromise, ~/.ssh/authorized_keys is ignored on
gluck. So keys for daily builds have to be put on in a different way.

One choice would be to use the LDAP interface. But this would add the
key to every debian.org machine, not just gluck, which is suboptimal
from a security POV.

The better choice is to set up authorized_keys on gluck with your new,
dedicated d-i daily build key, and then ping weasel or another DSA to
symlink it into place in /ssh-keys/ so ssh will actually use it.

However, this entails setting up an authorized_keys that they are happy
with the security of. For some reason, they seem to want it to be *more*
secure than the keys you'd put in LDAP. Doesn't entirely make sense to
me why, but more security can't hurt, and more security is why we're not
just putting the key in LDAP, so, ok.

So you'll want to follow the examples in /ssh-keys/{vorlon,joeyh,kyle}.
Vorlon is probably the best example; he checked out
svn://svn.debian.org/d-i/trunk/installer/build into ~/d-i, and set up
his authorized_keys like this:

# alpha bi-daily d-i build -- keep 20 images
from="quetzlcoatl.dodds.net",command="~/d-i/d-i-unpack-helper alpha 20" <key here>

You can probably get away without the from= if your build system doesn't
have static reverse dns.

-- 
see shy jo
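As an added illustration of the restrictions discussed in this message (a forced command= on the build key, with from= as an extra host restriction), here is a small audit script that parses authorized_keys entries the way sshd does and flags keys missing those options. It is example code written for this page, not part of the original post or of the d-i build tooling; the sample file and key blobs are constructed, with the first entry copying the form shown above.

```python
"""Audit an authorized_keys file for the restrictions the post recommends:
a forced command= and, optionally, a from= host restriction on every key."""

import re

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}
# one option: name, optional ="value" (with \" allowed inside), then ',' or ' '
OPTION = re.compile(r'([A-Za-z-]+)(?:="((?:[^"\\]|\\.)*)")?([, ])')

# Constructed sample file; the first entry copies the form shown in the post.
SAMPLE = '''# alpha bi-daily d-i build -- keep 20 images
from="quetzlcoatl.dodds.net",command="~/d-i/d-i-unpack-helper alpha 20" ssh-rsa AAAAB3NzaC1yc2E= alpha-build
command="~/d-i/d-i-unpack-helper i386 10",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 i386-build
ssh-rsa AAAAB3NzaC1yc2F= unrestricted@laptop
'''

def parse_options(line):
    """Parse the options prefix (e.g. from="h",command="a b",no-pty) and
    return (options dict, rest of line). Quotes protect commas and spaces;
    only \\" is unescaped inside a value, as in sshd's auth-options parser."""
    opts, pos = {}, 0
    while True:
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError(f"malformed options at column {pos}")
        name, val, sep = m.groups()
        opts[name] = val.replace('\\"', '"') if val is not None else True
        pos = m.end()
        if sep == " ":
            return opts, line[pos:]

def audit(text, require_from=False):
    """Return (line number, problem) pairs: every key must carry a forced
    command=, and with require_from also a from= host restriction."""
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # a line whose first word is a key type carries no options at all
        opts = {} if line.split()[0] in KEY_TYPES else parse_options(line)[0]
        if "command" not in opts:
            problems.append((n, "no forced command"))
        if require_from and "from" not in opts:
            problems.append((n, "no from= host restriction"))
    return problems

if __name__ == "__main__":
    for n, msg in audit(SAMPLE, require_from=True):
        print(f"line {n}: {msg}")
```

Run against a real file with `audit(open(path).read())`; without require_from only the key lacking any forced command is reported, which matches the post's note that from= is optional when the build host has no static reverse DNS.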
