Re: Misc development news (#8)
On Sun, Jun 01, 2008 at 11:10:42AM +0100, Philip Hands wrote:
> While this is initially for our (DSA's) benefit, in that it makes applying
> global changes easier, it's also for users' benefit.

Er, "we're taking away your options for your own good"? :)

> -- compare the effort required to ensure that there are no copies of a key
> (that was on a stolen laptop, say), on every debian host you _might_ have
> copied it to, to the effort of sending a single mail and knowing you're
> If there's some reason that you want specific keys to only give access
> to specific hosts, and if the reason justifies the effort, I suppose it
> would be possible to come up with a way of tagging which hosts any
> particular key should give access to in LDAP -- is that why you're
> worried about the loss of this feature?

The particular use case, which Peter is familiar with already since he's
been having to field requests from the d-i porters, is that daily builds of
the installer images run as unattended jobs and are rsync'ed to gluck using
passphraseless keys. Those of us who are security-conscious don't want
those keys to be usable for anything aside from the single task of running
an rsync server on a single system.

So tagging a key as belonging to a particular host is insufficient - we need
the full authorized_keys semantics for setting key options (from=, command=,
no-port-forwarding, no-X11-forwarding, at least).

There is a workaround available in the form of "ping weasel, get a symlink
that lets you do your mirroring thing on gluck", but it's still
unsatisfactory in that it remains easier for users to do the wrong thing by
giving their single-use keys global rights via LDAP than to coordinate with
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
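
The key options named in the message above (from=, command=, no-port-forwarding, no-X11-forwarding) can be checked mechanically. The following is an added example, not part of the original mail or of any Debian tooling: a small auditor that parses authorized_keys lines, including quoted option values containing commas or spaces, and reports which of those four options each key lacks. The sample file, key material, addresses and paths are constructed placeholders; the handling of "restrict" reflects the OpenSSH 7.2+ option and goes beyond what the mail mentions.

```python
import re

# Options the message above names as the minimum for a single-purpose key.
REQUIRED = ("from", "command", "no-port-forwarding", "no-x11-forwarding")
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of key type names

# First field of a line: runs of non-space text and double-quoted strings.
FIRST_FIELD = re.compile(r'((?:[^\s"]|"(?:\\.|[^"\\])*")+)\s+(.*)')
# One option: name, optionally =value; a quoted value may contain commas.
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:=("(?:\\.|[^"\\])*"|[^,]*))?(?:,|$)')

# Constructed sample file; keys, addresses and paths are placeholders.
SAMPLE = '''\
# d-i daily build upload
from="192.0.2.10",command="rsync --server -vlogDtpr . /srv/d-i/daily/",no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed d-i-upload
command="rsync --server . /srv/a,b/" ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed forced-only
ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed unrestricted
restrict,from="192.0.2.10",command="/usr/local/bin/upload" ssh-ed25519 AAAAC3Nzaconstructed modern
'''


def audit(text):
    """Map each key's comment to the list of required options it lacks."""
    report = {}
    for line in text.splitlines():
        m = FIRST_FIELD.match(line.strip())
        if not m or line.lstrip().startswith("#"):
            continue  # blank line, comment, or not a key entry
        first, rest = m.group(1), m.group(2).split()
        if first.startswith(KEY_TYPES):  # no options field at all
            opts, comment = {}, " ".join(rest[1:])
        else:  # option names are case-insensitive
            opts = {n.lower(): v.strip('"') for n, v in OPTION.findall(first)}
            comment = " ".join(rest[2:])
        missing = []
        for name in REQUIRED:
            # "restrict" (OpenSSH 7.2+) implies the no-* options unless the
            # positive form (e.g. port-forwarding) re-enables the feature.
            implied = (name.startswith("no-") and "restrict" in opts
                       and name[3:] not in opts)
            if name not in opts and not implied:
                missing.append(name)
        report[comment] = missing
    return report


if __name__ == "__main__":
    for comment, missing in audit(SAMPLE).items():
        print(comment, "OK" if not missing else "missing: " + ", ".join(missing))
```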