On 9 January 2013 18:37, Ken Causey ken@kencausey.com wrote:
On 01/09/2013 09:37 AM, Chris Cunnington wrote:
I figure I should just get out of the way of this conversation and let you talk to Ken.
Chris
I was quite confused. This conversation began with a reference to squeakci.org to which I clearly did not have any access. But then I checked and it turns out that squeakci.org is actually pointing to box3 which I had not realized.
Frankly I really don't like the idea of the community servers being used to host services under domains which the box-admins team does not have full access to modify. I know from experience that the services we as a community have to maintain often survive beyond the interest of the creator of said service. But I know you spent some money to get that domain name and it has a rather specific purpose. I would appreciate it though if you would suggest an alternative squeak.org hostname, perhaps ci.squeak.org or jenkins.squeak.org which can be used as an alternative (alongside squeakci.org) and perhaps even the primary access method by users.
Back to the issue at hand (sorry for the aside Frank):
Can you be more specific about where the private key files need to go on the server? That will help determine who needs to do it, at least for the future, even if I to do it now.
Hi Ken,
I'm not particularly fussed. Maybe let's have a /home/teamjenkins/node-keys/ and put them there?
frank
Ken
On Wed, Jan 9, 2013 at 8:43 AM, Frank Shearar <frank.shearar@gmail.com> wrote:

On 9 January 2013 13:28, Chris Cunnington <smalltalktelevision@gmail.com> wrote:
> On 2013-01-09 8:22 AM, Frank Shearar wrote:
>>
>> On 9 January 2013 13:16, Chris Cunnington <smalltalktelevision@gmail.com>
>> wrote:
>>>
>>> On 2013-01-09 5:09 AM, Frank Shearar wrote:
>>>>
>>>> Hi,
>>>>
>>>> I need to somehow get private keys for the angband and norst nodes
>>>> securely onto squeakci.org. My preference is to use scp, but that
>>>> requires shell access. I don't think that, in general, we want shell
>>>> access for teamjenkins. Ideas on how to proceed?
>>>>
>>>> (I want to set up the two nodes to have Jenkins ssh to them, because
>>>> that might be easier than hacking on slaves authenticating to the
>>>> server.)
>>>>
>>>> frank
>>>
>>> Well, I guess you need to send the keys to a person with shell access.
>>> Ken
>>> is likely the best person for that, as he manages keys all the time.
>>>
>>> Chris
>>
>> Yes, but that just changes the problem to "how can I pass the keys to
>> Ken in a secure manner?"
>>
>> Apparently giving a user the shell "rssh" lets a user do things like
>> move files, rsync and such, but not have generic unfettered shell
>> access.
>>
>> frank
>
> There is something here I don't understand. A public key I've seen Colin
> post on a message board to be copied. Or you could zip them and send them to
> Ken?
> So, I'm not sure what's required here. Is the key a thing you can send to
> somebody else? If so, then you could send it to Ken?

SSH uses a public/private keypair. The PUBLIC key goes into the ~/.ssh/authorized_keys of the account TO WHICH you want to connect. In this case, that's the jenkins user on the build slave. The PRIVATE key is used by the machine FROM WHICH you want to connect. Possession of the private key grants permission to log into my build slave, in other words.

What I need is a means of securely putting the private key into a known location on squeakci.org. Then I can configure the node to use it when ssh'ing into my build slave (which doesn't permit password authentication).

frank

> Chris
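
An added example, not part of the original thread: because possession of the private key is what grants the login, a directory such as the /home/teamjenkins/node-keys/ suggested above should be accessible to its owner only. This POSIX shell check reports anything looser; the function names `mode_of` and `audit_key_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory that holds SSH private keys.
# Function names are hypothetical; the layout follows the thread's suggestion.

# Print the symbolic mode string (e.g. "drwx------") of a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# audit_key_dir DIR
# Prints one finding per line; returns the number of findings (0 = clean).
audit_key_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi
    # The directory itself must grant nothing to group or other.
    case $(mode_of "$dir") in
        d???------) ;;
        *) echo "DIR-PERMS: $dir is $(mode_of "$dir"), want drwx------"
           findings=$((findings + 1)) ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Public keys (*.pub) are not secret; only private keys are checked.
        case $f in *.pub) continue ;; esac
        case $(mode_of "$f") in
            -??-------) ;;   # 0600 or 0400: owner read (and write) only
            *) echo "KEY-PERMS: $f is $(mode_of "$f"), want -rw-------"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Run directly as: sh audit.sh /home/teamjenkins/node-keys
if [ "$#" -gt 0 ]; then
    audit_key_dir "$1"
fi
```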