
Re: Misc development news (#8)



On Mon, Jun 02, 2008 at 09:02:50AM +0100, Philip Hands wrote:
> On Mon, Jun 02, 2008 at 01:48:29AM +0200, Joerg Jaspert wrote:
> > On 11403 March 1977, Steve Langasek wrote:

> > > So tagging a key as belonging to a particular host is insufficient - we need
> > > the full authorized_keys semantics for setting key options (from=, command=,
> > > no-port-forwarding, no-X11-forwarding, at least).

> > And? You have that already, just add that in front of your key as you
> > would normally do. ud-ldap passes it. It really "only" needs the
> > "host=gluck,merkel,whatever" addition to also limit it to target hosts
> > and then all is there.

> Actually, it occurs to me that one can already do a poor-man's version
> of the host restriction by making the command option something like:

>    command="hostname | grep -q '^\(gluck\|merkel\|whatever\)$' && ~/d-i/d-i-unpack-helper ..."

> Then, once the host= feature is available it will be possible to upgrade
> to using that in a moment (rather than having to go round tidying up
> on each host) -- in fact, if people are consistent in using the above
> incantation, we could even tweak them all in LDAP when the feature is added.

> Steve, does that address your concerns?

Yes, it does - thanks, I wasn't aware that ud-ldap supported the full
semantics for ssh key options, I don't remember this ever having been made
clear in the documentation.

Actually, what https://db.debian.org/doc-mail.html currently says is:

  Part of the replicated dataset is a virtual .ssh/authorized_keys file for
  each user. The change address is the simplest way to set the RSA key(s)
  you intend to use. Simply place a key on a line by itself, the full SSH
  key format specification is supported, see sshd(8).

Perhaps this could be clarified as:

  Part of the replicated dataset is a virtual .ssh/authorized_keys file for
  each user. The change address is the simplest way to set the RSA key(s)
  you intend to use. The full authorized_keys file format is supported; see
  sshd(8) for details.

?

(and as long as someone's editing, s/enterity/entirety/ a couple of lines
down :)

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
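
Added example, not part of the original message and not ud-ldap code: a quote-aware parser for the authorized_keys options discussed in this thread. It reports which of the four restrictions named above are missing from a key line and recovers the host list from the `hostname | grep` guard, which is what a later bulk conversion would need. The function names and the sample key line are constructed for illustration.

```python
import re

# Restrictions named in the thread; option names are matched case-insensitively.
WANTED = ("from", "command", "no-port-forwarding", "no-x11-forwarding")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options
# Matches the thread's guard: hostname | grep -q '^\(a\|b\)$' && helper
GUARD = re.compile(r"^hostname \| grep -q '\^\\\((.+?)\\\)\$' && (.+)$")

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        return {}, line
    opts, buf, in_quotes, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes and ch == "\\" and line[i + 1:i + 2] == '"':
            buf += '"'          # \" is an escaped quote inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            opts.append(buf)    # an unquoted comma ends one option
            buf = ""
        elif ch.isspace() and not in_quotes:
            break               # unquoted whitespace ends the options field
        else:
            buf += ch
        i += 1
    opts.append(buf)
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name.lower()] = value
    return parsed, line[i:].strip()

def audit(line):
    """Report missing restrictions and any host guard found in command=."""
    opts, _key = split_options(line)
    m = GUARD.match(opts.get("command", ""))
    return {
        "missing": [o for o in WANTED if o not in opts],
        "hosts": m.group(1).split(r"\|") if m else None,
        "helper": m.group(2) if m else None,
    }

# Constructed sample line (placeholder address, dummy key material).
SAMPLE = r'''from="192.0.2.10",no-port-forwarding,no-X11-forwarding,command="hostname | grep -q '^\(gluck\|merkel\|whatever\)$' && ~/d-i/d-i-unpack-helper ..." ssh-rsa AAAAB3NzaC1yc2E constructed@example'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A key line with no options at all comes back with every entry of `WANTED` listed as missing.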

