[Box-Admins] Private keys

Ken Causey ken at kencausey.com
Wed Jan 9 18:37:22 UTC 2013


On 01/09/2013 09:37 AM, Chris Cunnington wrote:
> I figure I should just get out of the way of this conversation and let
> you talk to Ken.
>
> Chris

I was quite confused.  This conversation began with a reference to 
squeakci.org to which I clearly did not have any access.  But then I 
checked and it turns out that squeakci.org is actually pointing to box3 
which I had not realized.

Frankly I really don't like the idea of the community servers being used 
to host services under domains which the box-admins team does not have 
full access to modify.  I know from experience that the services we as a 
community have to maintain often survive beyond the interest of the 
creator of said service.  But I know you spent some money to get that 
domain name and it has a rather specific purpose.  I would appreciate it 
though if you would suggest an alternative squeak.org hostname, perhaps 
ci.squeak.org or jenkins.squeak.org which can be used as an alternative 
(alongside squeakci.org) and perhaps even the primary access method by 
users.

Back to the issue at hand (sorry for the aside Frank):

Can you be more specific about where the private key files need to go on 
the server?  That will help determine who needs to do it, at least for 
the future, even if I have to do it now.

Ken

>
> On Wed, Jan 9, 2013 at 8:43 AM, Frank Shearar <frank.shearar at gmail.com
> <mailto:frank.shearar at gmail.com>> wrote:
>
>     On 9 January 2013 13:28, Chris Cunnington
>     <smalltalktelevision at gmail.com
>     <mailto:smalltalktelevision at gmail.com>> wrote:
>      > On 2013-01-09 8:22 AM, Frank Shearar wrote:
>      >>
>      >> On 9 January 2013 13:16, Chris Cunnington
>     <smalltalktelevision at gmail.com <mailto:smalltalktelevision at gmail.com>>
>      >> wrote:
>      >>>
>      >>> On 2013-01-09 5:09 AM, Frank Shearar wrote:
>      >>>>
>      >>>> Hi,
>      >>>>
>      >>>> I need to somehow get private keys for the angband and norst nodes
>      >>>> securely onto squeakci.org <http://squeakci.org>. My
>     preference is to use scp, but that
>      >>>> requires shell access. I don't think that, in general, we want
>     shell
>      >>>> access for teamjenkins. Ideas on how to proceed?
>      >>>>
>      >>>> (I want to set up the two nodes to have Jenkins ssh to them,
>     because
>      >>>> that might be easier than hacking on slaves authenticating to the
>      >>>> server.)
>      >>>>
>      >>>> frank
>      >>>
>      >>> Well, I guess you need to send the keys to a person with shell
>     access.
>      >>> Ken
>      >>> is likely the best person for that, as he manages keys all the
>     time.
>      >>>
>      >>> Chris
>      >>
>      >> Yes, but that just changes the problem to "how can I pass the
>     keys to
>      >> Ken in a secure manner?"
>      >>
>      >> Apparently giving a user the shell "rssh" lets a user do things like
>      >> move files, rsync and such, but not have generic unfettered shell
>      >> access.
>      >>
>      >> frank
>      >
>      > There is something here I don't understand. A public key I've
>     seen Colin
>      > post on a message board to be copied. Or you could zip them and
>     send them to
>      > Ken?
>      > So, I'm not sure what's required here. Is the key a thing you can
>     send to
>      > somebody else? If so, then you could send it to Ken?
>
>     SSH uses a public/private keypair. The PUBLIC key goes into the
>     ~/.ssh/authorized_keys of the account TO WHICH you want to connect. In
>     this case, that's the jenkins user on the build slave. The PRIVATE key
>     is used by the machine FROM WHICH you want to connect.
>
>     Possession of the private key grants permission to log into my build
>     slave, in other words.
>
>     What I need is a means of securely putting the private key into a
>     known location on squeakci.org <http://squeakci.org>. Then I can
>     configure the node to use
>     it when ssh'ing into my build slave (which doesn't permit password
>     authentication).
>
>     frank
>
>      > Chris
>
>
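Frank's summary above (public half into `~/.ssh/authorized_keys` on the slave, private half kept on the host that connects) is the whole mechanism, and the point he makes right after it, that possession of the private key is the login credential, is why the thread worries about how to move it. The script below is an added illustration, not code from this thread or from the Squeak box-admins; it shows the receiving side of that arrangement: how an `authorized_keys` line is structured (the base64 blob embeds the key type again, so the two must agree), how to prefix the entry with `from=` and `no-*` options so a key that leaks from the CI host is only usable from that host and without a shell pty or forwarding, and the directory and file modes `sshd` insists on under `StrictModes`. The 32 key bytes are a constructed placeholder (a real key comes from `ssh-keygen` on the CI host), `squeakci.org` is used as the `from=` pattern only because it is the host named in the thread, and the file is written into a temporary directory rather than a real home.

```python
import base64
import os
import stat
import struct
import tempfile

# Public-key types OpenSSH accepts in authorized_keys (the common ones).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def demo_ed25519_pubkey(raw32: bytes, comment: str) -> str:
    """Build an ssh-ed25519 authorized_keys line from 32 raw bytes.
    The bytes are a CONSTRUCTED placeholder, not a real key; a real key comes
    from ssh-keygen on the machine that keeps the private half."""
    if len(raw32) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_authorized_key(line: str) -> dict:
    """Parse one authorized_keys line into options, key type, key blob and comment.

    Options, when present, precede the key type and are comma-separated; a quoted
    option value (command="...") may contain spaces, so the whitespace split must
    honour double quotes.  Backslash-escaped quotes inside values are not handled.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    options, rest = "", line
    if line.split(None, 1)[0] not in KEY_TYPES:
        in_quote = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_quote = not in_quote
            elif ch.isspace() and not in_quote:
                options, rest = line[:i], line[i:].strip()
                break
        else:
            raise ValueError("no key type found after options")
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("missing or unknown key type")
    keytype, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + n].decode("ascii")
    if inner_type != keytype:  # the blob carries the type again; they must agree
        raise ValueError(f"key type {keytype!r} does not match blob {inner_type!r}")
    return {"options": options, "keytype": keytype, "blob": blob_b64, "comment": comment}


def restrict_entry(line: str, from_pattern: str) -> str:
    """Prefix an authorized_keys line with options so the key only works from
    from_pattern and gets no pty, port-, agent- or X11-forwarding.  This bounds
    what possession of the matching private key grants on the slave."""
    if parse_authorized_key(line)["options"]:
        raise ValueError("entry already carries options; edit them explicitly")
    opts = (f'from="{from_pattern}",no-pty,no-port-forwarding,'
            'no-agent-forwarding,no-X11-forwarding')
    return f"{opts} {line.strip()}"


def strict_mode_problems(ssh_dir: str) -> list:
    """Return findings sshd's StrictModes would reject: the .ssh directory or
    authorized_keys being writable by group or others."""
    problems = []
    for path in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: mode {oct(mode)} is group/world-writable")
    return problems


def install_entry(ssh_dir: str, entry: str, dir_mode: int = 0o700,
                  file_mode: int = 0o600) -> list:
    """Write entry into ssh_dir/authorized_keys with the given modes and return
    strict_mode_problems() for the result (empty list means sshd would accept it)."""
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, dir_mode)
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "w") as fh:
        fh.write(entry + "\n")
    os.chmod(path, file_mode)
    return strict_mode_problems(ssh_dir)


def demo_modes(entry: str) -> tuple:
    """Install the entry twice in a scratch directory, once with the usual 700/600
    modes and once with sloppy 775/664 modes; return both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        good = install_entry(ssh_dir, entry)
        bad = install_entry(ssh_dir, entry, 0o775, 0o664)
    return good, bad


if __name__ == "__main__":
    # Constructed placeholder standing in for the public half generated on the CI host.
    entry = demo_ed25519_pubkey(bytes(range(32)), "teamjenkins@squeakci.org (placeholder)")
    restricted = restrict_entry(entry, "squeakci.org")
    print(restricted)
    print(parse_authorized_key(restricted))
    good, bad = demo_modes(restricted)
    print("700/600 modes:", good or "accepted")
    print("775/664 modes:", bad)
```

Newer OpenSSH releases (7.2 and later) also accept a single `restrict` option that switches off every forwarding and pty feature at once; the individual `no-*` options used here are the older spelling and still work. Whatever the transport chosen for the private key itself, the file that lands on the CI host should be mode 0600 and owned by the Jenkins user, and the slave-side entry should carry the `from=` restriction so the key is worthless from anywhere else.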