[Gluster-users] tar_ssh.pem?

James Le Cuirot chewi at aura-online.co.uk
Tue May 6 12:31:00 UTC 2014


On Wed, 30 Apr 2014 20:25:03 +0100
James Le Cuirot <chewi at aura-online.co.uk> wrote:

> > > On April 28, 2014 6:03:16 AM PDT, Venky Shankar
> > > <vshankar at redhat.com> wrote:
> 
> > >> On 04/27/2014 11:55 PM, James Le Cuirot wrote:
> > >>> I'm new to Gluster but have successfully tried geo-rep with
> > >>> 3.5.0. I've read about the new tar+ssh feature and it sounds
> > >>> good but nothing has been said about the tar_ssh.pem file that
> > >>> gsyncd.conf references. Why is a separate key needed? Does it
> > >>> not use gsyncd on the other end? If not, what command should I
> > >>> lock it down to in authorized_keys, bug #1091079
> > >>> notwithstanding?
> 
> > >> geo-replication "create push-pem" command should add the keys on
> > >> the slave for tar+ssh to work. That is done as part of geo-rep
> > >> setup.
> 
> I had seen the new "create push-pem" option and gave it a try today. I
> see that it does indeed create a different key with a different
> command in the authorized_keys file.
> 
> One question remains though and this stems back to bug #1091079.
> push-pem expects you to have set up passwordless SSH access already so
> what is the point of adding further lines to authorized_keys when
> general access is already allowed? Surely this is bad for security?
> Wouldn't it be better for push-pem to prompt for a password so that
> only the required access is added?

Sorry for this but could I please get an answer on the above? Security
is a very big deal for us as it should be for everyone here. I gather
the mountbroker can be used to do this replication as non-root which
helps but general SSH access for this user is something I would still
like to avoid if it is really not necessary.

Regards,
James
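
The concern raised in this message, that restricted entries in authorized_keys add little while an unrestricted key for the same user remains, can be checked with a short audit. This is an added example, not part of the original post or Gluster's own code; the key material, comments and command paths in the sample are constructed placeholders.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of OpenSSH key type names

# Constructed sample: key material, comments and command paths are placeholders.
SAMPLE = '''\
# authorized_keys for the geo-replication user (constructed)
ssh-rsa AAAAB3PLACEHOLDER1 root@master-setup
command="/placeholder/path/gsyncd" ssh-rsa AAAAB3PLACEHOLDER2 root@master-georep
command="/placeholder/tar-receiver --opt a,b" ssh-rsa AAAAB3PLACEHOLDER3 root@master-tar
'''

def split_options(line):
    """Split one entry into (options, rest); options may be empty."""
    if line.startswith(KEY_TYPES):
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:
            i += 2          # skip an escaped character inside a quoted value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch in " \t" and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""

def audit(text):
    """Return one record per key entry with its forced command, if any."""
    records = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        m = re.search(r'(?:^|,)command="((?:\\.|[^"\\])*)"', opts, re.I)
        parts = rest.split(None, 2)
        records.append({"line": n,
                        "comment": parts[2] if len(parts) > 2 else "",
                        "forced_command": m.group(1) if m else None})
    return records

def unrestricted(text):
    """Entries with no command= option, so not pinned to a single command."""
    return [r for r in audit(text) if r["forced_command"] is None]

if __name__ == "__main__":
    for r in unrestricted(SAMPLE):
        print(f"line {r['line']}: no forced command ({r['comment']})")
```

On the sample, only the setup key on line 2 is reported; the two entries carrying a forced command are not.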


