> > > > > It's probably better to use distcc over ssh, using an ssh-agent
> > > > > and PKI authentication.
> > > > How would ssh and PKI be set up in
> > > > the workflow? It isn't mentioned here:
> > > > http://www.gentoo.org/doc/en/distcc.xml
> > >
> > > 1) On the server, set up the shell account that will use distcc via
> > > ssh.
> > > 2) On the client, generate the private key for that account and
> > > use ssh-copy-id to give the server the public key.
> > > 3) On the server, if possible, disable password logins to force the
> > > use of the private key for that user.
> > > 4) On the client, add a line like shell_account@server to your
> > > distcc_hosts.
> > > 5) Prior to invoking distcc on the client, start
> > > an ssh-agent (I prefer the keychain "meta-"agent) and optionally add
> > > your private key to the agent. (If you don't start an agent, each
> > > compile that goes to an ssh host will ask for a password -- very
> > > troublesome with parallel make; if you don't add your private key to
> > > the agent, you'll get prompted for the passphrase the first time you
> > > need a key -- still moderately troublesome.)
> > >
> > > There is no need to run distccd on the server at all. You /will/ need
> > > sshd.
> >
> > It sounds like this would make the remote
> > distcc idea as secure as ssh and I won't have to worry about the fact
> > that distcc wasn't built with security in mind. Is that right?
>
> Yes. Since you aren't running the distccd server its lack of security is
> not a concern for you. You'll be depending on the security of ssh. While
> not completely spotless (e.g. the zlib vulnerability bit openssh) it was,
> at least, designed with security in mind.

Nice.

> > Also,
> > I'm the only user on all of my systems so it would be OK to use plain
> > ssh without PKI right?
>
> Unfortunately, no. Not because it's less secure (though, it might be
> depending on the strength of your passwords vs passphrases), but because
> there's no such thing (AFAIK) as an ssh-password-agent. This means that
> each compile job has to ask you for the password -- that's not gonna be
> real useful, most likely. See the parenthetical notes at the end of step
> 5.

So you're saying if I don't use PKI, the remote system is going to
prompt me for a password after I'm already logged in? You say "each
compile that goes to an ssh host will ask for a password". At what
point in the emerge process does this happen?

- Grant

--
gentoo-user@g.o mailing list
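The following is an added example and not code from anyone in this thread. It turns steps 3 and 4 of the recipe quoted above into two small checks a practitioner would want before trusting the setup: one builds a DISTCC_HOSTS value in distcc's `user@host` form (which distcc treats as "compile over ssh", so no distccd listener or open TCP port is needed on the build server), and the other reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored) to confirm that password logins really are off. The account name `builder`, the host names, and the sample config files are constructed placeholders.

```shell
# Added example, not code from the thread. Helpers for steps 3 and 4 above:
# build a DISTCC_HOSTS value in distcc's "user@host" (ssh) form, and check
# that an sshd_config really refuses passwords. Host and account names are
# constructed placeholders.

# Step 4: distcc reads "user@host[/limit]" as "compile over ssh", so no distccd
# daemon or open TCP port is needed on the build server.
distcc_hosts_line() {
    acct="$1"; shift
    out=""
    for h in "$@"; do
        out="${out:+$out }${acct}@${h}"
    done
    printf '%s\n' "$out"
}

# Effective value of one sshd_config keyword (case-insensitive). sshd honours
# the FIRST occurrence of a keyword and ignores comment lines, so stop at the
# first match; prints nothing if the keyword is absent.
sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        $1 ~ /^#/ { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Step 3 check: succeeds (exit 0) only if the config forces key authentication.
# PubkeyAuthentication defaults to yes when the keyword is absent.
sshd_forces_keys() {
    pw=$(sshd_option "$1" PasswordAuthentication)
    pk=$(sshd_option "$1" PubkeyAuthentication)
    [ "${pk:-yes}" = "yes" ] && [ "$pw" = "no" ]
}

# Constructed sample configs ("weak" or "hard"); prints the path of a temp file.
sample_sshd_config() {
    f=$(mktemp)
    if [ "$1" = "hard" ]; then
        printf '%s\n' 'PubkeyAuthentication yes' \
                      'PasswordAuthentication no' \
                      'ChallengeResponseAuthentication no' > "$f"
    else
        printf '%s\n' '# stock-style config: passwords still accepted' \
                      'PubkeyAuthentication yes' \
                      'PasswordAuthentication yes' > "$f"
    fi
    printf '%s\n' "$f"
}

# Typical use on the client (placeholder names):
#   export DISTCC_HOSTS="$(distcc_hosts_line builder buildbox/4 otherbox/2)"
# and on the server, before relying on step 3:
#   sshd_forces_keys /etc/ssh/sshd_config || echo "passwords still accepted"
```

Run `sshd_forces_keys` against the real `/etc/ssh/sshd_config` on the server after editing it; a config that merely adds `PasswordAuthentication no` below an earlier `PasswordAuthentication yes` line still accepts passwords, which is exactly the case the first-match logic above catches.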