
Debian maintainers' ssh keys



I am about to upload a version of dgit which uses its own git repo
store rather than alioth, and which would in principle support push
access for DMs.

However, DMs currently do not have access to it because the backend
service is accessed via ssh.[1]

To solve this problem it is necessary to have a list of DMs' ssh
keys, and make them authorised the same way DDs' keys are[2] for the
dgit service user on gideon.debian.org.

I think it is not really acceptable to have a service like this that
cannot be used by DMs.  If we don't have a list of DMs' ssh keys, or
it is too hard to automatically extract such a list, then I can set up
some kind of robot, to which a DM can send their pgp-signed ssh key,
to have it installed.

What do I need to do next to make this happen?

Thanks,
Ian.

[1] The protection offered by ssh's encryption and authentication is
not the primary barrier to unauthorised updates, but it does prevent
outsiders from being able to consume resources on the server and it
will also prevent them from being able to attack the dgit push
receiver service.

[2] Note that although this grants identical access to the service,
the service itself honours the restrictions in ftpmaster's dm.txt, so
that DMs can only push to `their' packages.
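
A sketch of the key-installation step the message above asks for, as an added example that is not part of the original post and not dgit's own code: it validates submitted public keys and emits authorized_keys entries for a shared service account, each pinned to a forced command that carries the submitter's name. The command path, user names and sample key are assumptions constructed for illustration.

```python
import base64, re
# Hypothetical forced command; the page does not give the dgit service's real one.
FORCED_COMMAND = "/usr/local/bin/push-receiver"

def key_type_from_blob(b64):
    """Return the algorithm name stored at the start of an SSH public-key blob."""
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")          # length prefix of the type string
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix")
    return blob[4:4 + n].decode("ascii")

def authorized_keys_line(user, pubkey_line):
    """Validate one submitted key; return a restricted authorized_keys entry."""
    if not re.fullmatch(r"[a-z][a-z0-9-]*", user):
        raise ValueError("unsafe user name")
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = fields[0], fields[1]
    # The declared type must match the blob, so a line with options
    # prepended (or any other junk in the first field) is rejected.
    if key_type_from_blob(b64) != ktype:
        raise ValueError("declared key type does not match blob")
    # 'restrict' turns off forwarding, pty, etc.; the forced command tells
    # the service who connected so it can apply per-maintainer limits.
    return f'restrict,command="{FORCED_COMMAND} {user}" {ktype} {b64} {user}'

def build(submissions):
    """Return (accepted_lines, rejected) for a list of (user, key line)."""
    accepted, rejected = [], []
    for user, line in submissions:
        try:
            accepted.append(authorized_keys_line(user, line))
        except ValueError as exc:
            rejected.append((user, str(exc)))
    return accepted, rejected

# Constructed sample input: an all-zero "key", not a real one.
_blob = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(32)
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode()
SAMPLE = [
    ("alice", SAMPLE_KEY + " alice@example.org"),
    ("bob", "ssh-rsa " + SAMPLE_KEY.split()[1]),      # type/blob mismatch
    ("carol", 'from="*" ' + SAMPLE_KEY),              # options prepended
]

if __name__ == "__main__":
    print(build(SAMPLE))
```

The `restrict` option requires OpenSSH 7.2 or later.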

