| 1 |
> > > > > It's probably better to use distcc over ssh, using an ssh-agent |
| 2 |
> > > > > and PKI authentication. |
| 3 |
> > > > How would ssh and PKI be set up in |
| 4 |
> > > > the workflow? It isn't mentioned here: |
| 5 |
> > > > http://www.gentoo.org/doc/en/distcc.xml |
| 6 |
> > > |
| 7 |
> > > 1) On the server, set up the shell account that will use distcc via |
| 8 |
> > > ssh. |
| 9 |
> > > 2) On the client, generate the private key for that account and |
| 10 |
> > > use ssh-copy-id to give the server the public key. |
| 11 |
> > > 3) On the server, if possible, disable password logins to force the |
| 12 |
> > > use of the private key for that user. |
| 13 |
> > > 4) On the client, add a line like shell_account@server to your |
| 14 |
> > > distcc_hosts. |
| 15 |
> > > 5) Prior to invoking distcc on the client, start |
| 16 |
> > > an ssh-agent (I prefer the keychain "meta-"agent.) and optionally add |
| 17 |
> > > your private key to the agent. (If you don't start an agent, each |
| 18 |
> > > compile that goes to an ssh host will ask for a password -- very |
| 19 |
> > > troublesome with parallel make; If you don't add your private key to |
| 20 |
> > > the agent, you'll get prompted for the passphrase the first time you |
| 21 |
> > > need a key -- still moderately troublesome.) |
| 22 |
> > > |
| 23 |
> > > There is no need to run distccd on the server at all. You /will/ need |
| 24 |
> > > sshd. |
| 25 |
> > |
| 26 |
> > It sounds like this would make the remote |
| 27 |
> > distcc idea as secure as ssh and I won't have to worry about the fact |
| 28 |
> > that distcc wasn't built with security in mind. Is that right? |
| 29 |
> |
| 30 |
> Yes. Since you aren't running the distccd server it's lack of security is |
| 31 |
> not concern for you. You'll be depending on the security of ssh. While |
| 32 |
> not completely spotless (e.g. the zlib vulnerability bit openssh) it was, |
| 33 |
> at least, designed with security in mind. |
| 34 |
|
| 35 |
Nice. |
| 36 |
|
| 37 |
> > Also, |
| 38 |
> > I'm the only user on all of my systems so it would be OK to use plain |
| 39 |
> > ssh without PKI right? |
| 40 |
> |
| 41 |
> Unfortunately, no. Not because it's less secure (though, it might be |
| 42 |
> depending on the strength of your passwords vs passphrases), but because |
| 43 |
> there's no such thing (AFAIK) as an ssh-password-agent. This means that |
| 44 |
> each compile job has to ask you for the password -- that's not gonna be |
| 45 |
> real useful, most likely. See the parenthetical notes at the end of step |
| 46 |
> 5. |
| 47 |
|
| 48 |
So you're saying if I don't use PKI, the remote system is going to |
| 49 |
prompt me for a password after I'm already logged in? You say "each |
| 50 |
compile that goes to an ssh host will ask for a password". At what |
| 51 |
point in the emerge process does this happen? |
| 52 |
|
| 53 |
- Grant |
| 54 |
|
| 55 |
-- |
| 56 |
gentoo-user@g.o mailing list |
Archives