[Box-Admins] Private keys
Frank Shearar
frank.shearar at gmail.com
Wed Jan 9 18:48:25 UTC 2013
On 9 January 2013 18:37, Ken Causey <ken at kencausey.com> wrote:
> On 01/09/2013 09:37 AM, Chris Cunnington wrote:
>>
>> I figure I should just get out of the way of this conversation and let
>> you talk to Ken.
>>
>> Chris
>
>
> I was quite confused. This conversation began with a reference to
> squeakci.org to which I clearly did not have any access. But then I checked
> and it turns out that squeakci.org is actually pointing to box3 which I had
> not realized.
>
> Frankly I really don't like the idea of the community servers being used to
> host services under domains which the box-admins team does not have full
> access to modify. I know from experience that the services we as a
> community have to maintain often survive beyond the interest of the creator
> of said service. But I know you spent some money to get that domain name
> and it has a rather specific purpose. I would appreciate it though if you
> would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or
> jenkins.squeak.org which can be used as an alternative (alongside
> squeakci.org) and perhaps even the primary access method by users.
>
> Back to the issue at hand (sorry for the aside Frank):
>
> Can you be more specific about where the private key files need to go on the
> server? That will help determine who needs to do it, at least for the
> future, even if I do it now.
Hi Ken,
I'm not particularly fussed. Maybe let's have a
/home/teamjenkins/node-keys/ and put them there?
frank
> Ken
>
>>
>> On Wed, Jan 9, 2013 at 8:43 AM, Frank Shearar <frank.shearar at gmail.com> wrote:
>>
>> On 9 January 2013 13:28, Chris Cunnington <smalltalktelevision at gmail.com> wrote:
>> > On 2013-01-09 8:22 AM, Frank Shearar wrote:
>> >>
>> >> On 9 January 2013 13:16, Chris Cunnington <smalltalktelevision at gmail.com> wrote:
>> >>>
>> >>> On 2013-01-09 5:09 AM, Frank Shearar wrote:
>> >>>>
>> >>>> Hi,
>> >>>>
>> >>>> I need to somehow get private keys for the angband and norst nodes
>> >>>> securely onto squeakci.org. My preference is to use scp, but that
>> >>>> requires shell access. I don't think that, in general, we want shell
>> >>>> access for teamjenkins. Ideas on how to proceed?
>> >>>>
>> >>>> (I want to set up the two nodes to have Jenkins ssh to them, because
>> >>>> that might be easier than hacking on slaves authenticating to the
>> >>>> server.)
>> >>>>
>> >>>> frank
>> >>>
>> >>> Well, I guess you need to send the keys to a person with shell access.
>> >>> Ken is likely the best person for that, as he manages keys all the time.
>> >>>
>> >>> Chris
>> >>
>> >> Yes, but that just changes the problem to "how can I pass the keys to
>> >> Ken in a secure manner?"
>> >>
>> >> Apparently giving a user the shell "rssh" lets a user do things like
>> >> move files, rsync and such, but not have generic unfettered shell
>> >> access.
>> >>
>> >> frank
>> >
>> > There is something here I don't understand. A public key I've seen Colin
>> > post on a message board to be copied. Or you could zip them and send them to
>> > Ken?
>> > So, I'm not sure what's required here. Is the key a thing you can send to
>> > somebody else? If so, then you could send it to Ken?
>>
>> SSH uses a public/private keypair. The PUBLIC key goes into the
>> ~/.ssh/authorized_keys of the account TO WHICH you want to connect. In
>> this case, that's the jenkins user on the build slave. The PRIVATE key
>> is used by the machine FROM WHICH you want to connect.
>>
>> Possession of the private key grants permission to log into my build
>> slave, in other words.
>>
>> What I need is a means of securely putting the private key into a
>> known location on squeakci.org. Then I can configure the node to use
>> it when ssh'ing into my build slave (which doesn't permit password
>> authentication).
>>
>> frank
>>
>> > Chris
>>
>>
>
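The thread settles on keeping the node private keys in a dedicated directory on the Jenkins host. The sketch below is an added example, not part of the original messages: it installs a key into such a directory with owner-only permissions, refuses a file that is not a private key, and audits the directory for group or world access. The function names are hypothetical, the directory name follows the /home/teamjenkins/node-keys/ suggestion, and the sample key is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical; the
# directory name follows the /home/teamjenkins/node-keys/ suggestion above.

# True if FILE starts with a PEM/OpenSSH private-key header. A public key
# (the half that belongs in authorized_keys on the build slave) fails this.
looks_like_private_key() {
    head -n 1 "$1" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# install_node_key SRC KEY_DIR NAME
# Copies a private key into KEY_DIR so that it is never group/world readable.
install_node_key() {
    src=$1; dir=$2; name=$3
    looks_like_private_key "$src" ||
        { echo "refusing: $src is not a private key" >&2; return 1; }
    ( umask 077                      # files are created owner-only
      mkdir -p "$dir" && chmod 700 "$dir" &&
      cp "$src" "$dir/$name" && chmod 600 "$dir/$name" )
}

# audit_key_dir KEY_DIR
# Returns 0 if nothing under KEY_DIR grants any access to group or other,
# 1 if something does (paths listed on stderr), 2 if KEY_DIR is missing.
audit_key_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    loose=$(find "$dir" \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$loose" ] && return 0
    printf 'too permissive:\n%s\n' "$loose" >&2
    return 1
}

# Demo on constructed data in a scratch directory (not a real key).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END OPENSSH PRIVATE KEY-----' > "$tmp/angband"
    install_node_key "$tmp/angband" "$tmp/node-keys" angband &&
        audit_key_dir "$tmp/node-keys"
    status=$?
    rm -rf "$tmp"
    return $status
}
demo && echo "node-keys: permissions OK"
```

The audit also checks the directory itself, so a 0755 node-keys directory is reported even when every key file inside it is 0600.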