[Gluster-users] tar_ssh.pem?

Venky Shankar yknev.shankar at gmail.com
Tue May 6 13:50:25 UTC 2014


> I had seen the new "create push-pem" option and gave it a try today. I
> see that it does indeed create a different key with a different command
> in the authorized_keys file.
>
> One question remains though and this stems back to bug #1091079.
> push-pem expects you to have set up passwordless SSH access already so
> what is the point of adding further lines to authorized_keys when
> general access is already allowed? Surely this is bad for security?
> Wouldn't it be better for push-pem to prompt for a password so that
> only the required access is added?
>

push-pem expects passwordless SSH b/w the node where the CLI is executed
and a slave node (the slave endpoint used for session creation). It then adds
master's SSH keys to *authorized_keys* on all slave nodes (prepended with
command=... for restricting access to gsyncd). As you said, prompting for
password is definitely better and should be thought of.

Non-root geo-replication does not work as of now (upstream/3.5). I'm in the
process of getting it to work (patch http://review.gluster.org/#/c/7658/ in
gerrit). Even with this you'd need passwordless SSH to one of the nodes on
the slave (to an unprivileged user in this case). Your argument of
prompting for password still holds true here.

I see the document link you mentioned in BZ #1091079 (comment #2) still
points to old style geo-replication (we'd need to correct that). Are you
following that in any case? Comment #1 points to the correct URL.

Thanks,
-venky
IRC: overclk on #freenode
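
As an added illustration (not part of the original message and not GlusterFS code), the Python sketch below audits an authorized_keys file and separates keys carrying a forced command= option from keys that still grant general access, which is the situation questioned in this thread. The sample file, key blobs, comments and the /path/to/gsyncd path are constructed placeholders.

```python
import re

# Constructed sample (key blobs, comments and the gsyncd path are placeholders):
# one unrestricted key, as left behind by the passwordless-SSH setup, plus
# forced-command keys of the kind the thread says push-pem adds.
SAMPLE = '''\
# constructed authorized_keys
ssh-rsa AAAAplaceholderblob1 root@master1
command="/path/to/gsyncd" ssh-rsa AAAAplaceholderblob2 root@master1
command="/path/to/gsyncd --opt \\"a b\\"",no-pty ssh-ed25519 AAAAplaceholderblob3 geo
'''

KEY_TYPE = re.compile(r"(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w.@-]+)$")
OPTION = re.compile(r'([\w-]+)(?:=(?:"((?:\\.|[^"\\])*)"|([^,]*)))?(?:,|$)')

def split_entry(line):
    """Split one entry into (options, comment); options may hold quoted spaces."""
    i = 0
    if not KEY_TYPE.match(line.split(None, 1)[0]):
        in_quote = False
        while i < len(line):
            if line[i] == "\\" and in_quote:
                i += 2                      # skip an escaped character
                continue
            if line[i] == '"':
                in_quote = not in_quote
            elif line[i].isspace() and not in_quote:
                break                       # first unquoted space ends the options
            i += 1
    fields = line[i:].split(None, 2) + ["", ""]
    return line[:i], fields[2]

def audit(text):
    """Return (unrestricted, restricted): comments of keys without a forced
    command, and (comment, command) pairs for keys that have one."""
    unrestricted, restricted = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, comment = split_entry(line)
        parsed = {m.group(1).lower(): m.group(2) if m.group(2) is not None
                  else m.group(3) for m in OPTION.finditer(opts)}
        if parsed.get("command"):
            restricted.append((comment, parsed["command"]))
        else:
            unrestricted.append(comment)
    return unrestricted, restricted

def restriction_undermined(text):
    """True when forced-command keys coexist with an unrestricted key."""
    unrestricted, restricted = audit(text)
    return bool(unrestricted and restricted)
```

Running `audit()` on the slave account's authorized_keys after session creation shows whether the key used for the initial passwordless login is still present without a forced command.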