[Piuparts-commits] [piuparts] 01/02: piuparts-slave.postinst: don't add the slave's ssh pub key to the master's authorized keys.

Holger Levsen holger at moszumanska.debian.org
Thu May 22 19:13:41 UTC 2014


This is an automated email from the git hooks/post-receive script.

holger pushed a commit to branch develop
in repository piuparts.

commit 6bf9f8d6ece250c98448a4760ae2309f5ead10b6
Author: Holger Levsen <holger at layer-acht.org>
Date:   Thu May 22 18:05:59 2014 +0200

    piuparts-slave.postinst: don't add the slave's ssh pub key to the master's authorized keys.
---
 README_server.txt              | 14 +++++++-------
 TODO                           |  2 --
 debian/changelog               |  5 +++++
 debian/piuparts-slave.postinst |  8 --------
 4 files changed, 12 insertions(+), 17 deletions(-)

diff --git a/README_server.txt b/README_server.txt
index f693fb9..d6bb775 100644
--- a/README_server.txt
+++ b/README_server.txt
@@ -2,11 +2,11 @@ piuparts README_server
 ----------------------
 
 Author: Lars Wirzenius, Holger Levsen and Andreas Beckmann
-Email: <liw at iki.fi>
+Email: <debian-qa at lists.debian.org>
 
 == piuparts in master/slave mode
 
-As part of the quality assurance effort of Debian, piuparts is
+As part of the quality assurance efforts of Debian, piuparts is
 run on the Debian package archive. This requires a lot of
 processing power, and so the work can be distributed over several
 hosts.
@@ -24,6 +24,7 @@ To set this up for yourself, the following steps should suffice:
 . Install the package piuparts-master on it.
 . Create an account for the master (the package creates piupartsm).
 . Configure '/etc/piuparts/piuparts.conf' appropriately.
+
 . Pick one or more slaves to run the slave. You can use the machine
  running the master also as a slave. Etch is fine, it can even be
  in a chroot.
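Review bot: The only change in this hunk is a blank line added between two items of the setup list, which looks unrelated to the commit. Now that the postinst no longer installs the slave's key, this list is where an admin would expect a step for adding the slave's public key to '~piupartsm/.ssh/authorized_keys'; if the list has no such step further down, add one here rather than only in the "master-command" description.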
@@ -322,11 +323,11 @@ section, too, and will serve as defaults for all other sections
 (overriding the builtin defaults).
 
 * "master-command" is the command to run on master-host to start
- the master. When the master has been installed from the Debian
- package, the command is '/usr/share/piuparts/piuparts-master'.
- This does not need to be set here if it is already set in
+ the master. Better then setting it here is actually setting it in
  '~piupartsm/.ssh/authorized_keys' to limit ssh access to that
- single command.
+ single command.  The key should be restricted to only allow running
+ 'piuparts-master' by prefixing it with
+ 'command="/usr/share/piuparts/piuparts-master",no-pty,no-port-forwarding'.
 
 * "idle-sleep" is the length of time the slave should wait before
  querying the master again if the master didn't have any new
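Review bot: The key prefix documented on the last added line of the "master-command" item, 'command="/usr/share/piuparts/piuparts-master",no-pty,no-port-forwarding', still leaves agent and X11 forwarding available to the slave's key; consider documenting no-agent-forwarding and no-X11-forwarding as well (or OpenSSH's restrict option where the installed version supports it) so the key can do nothing except run the forced command. "Better then setting it here" should read "Better than setting it here". The path to piuparts-master now appears only inside the authorized_keys prefix, so the item no longer tells a reader what value to give "master-command" when the forced command is not used.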
@@ -539,7 +540,6 @@ If you want to run piuparts-report (which is only+very useful if
 you run piuparts in master-slave mode), you need to 'apt-get
 install python-rpy r-recommended r-base-dev'. For more
 information see
-link:http://anonscm.debian.org/gitweb/?p=piuparts/piuparts.git;hb=master;a=blob;f=README_server.txt[http://anonscm.debian.org/gitweb/?p=piuparts/piuparts.git;hb=master;a=blob;f=README_server.txt] and
 link:http://anonscm.debian.org/gitweb/?p=piuparts/piuparts.git;hb=master;a=blob;f=README_pejacevic.txt[http://anonscm.debian.org/gitweb/?p=piuparts/piuparts.git;hb=master;a=blob;f=README_pejacevic.txt].
 
 // vim: set filetype=asciidoc:
diff --git a/TODO b/TODO
index e5ed406..1b1a061 100644
--- a/TODO
+++ b/TODO
@@ -10,8 +10,6 @@ for 0.5x:
 - Documentation related:
   - check that making piuparts-master + piuparts-slave packages work is
     documented properly.
-  - confirm how+where to deploy '~piupartsm/.ssh/authorized_keys' is
-    documented properly.
   - examples are duplicated in piuparts.1.txt and README.txt - only keep one
     copy.
   - cleanup README_pejacevic.txt from info not related to pejacevic (eg. how
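Review bot: Dropping this TODO item looks premature: the README text added in this commit gives the option prefix for the key, but not which public key to install nor the ownership and mode of the file, which the removed postinst code handled with chown $muser:$pgroup and chmod 0600. Either extend the README with those details in this commit or keep the item until it does.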
diff --git a/debian/changelog b/debian/changelog
index 702d4f0..505842c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -23,6 +23,11 @@ piuparts (0.59) UNRELEASED; urgency=low
       too.
     - install piuparts.conf.sample in /usr/share/doc/piuparts-master/examples/
     - install slave_run and slave_join in /usr/bin/ (Closes: #746718)
+    - piuparts-slave.postinst: do not attempt to add the slave user's ssh
+      public key to the master user's authorized key. The slave package should
+      maybe recommend the master package, but definitly not pre-depend on it,
+      which would be a requirement to make this work. So document this
+      instead.
   * Updates various pieces of documentation.
 
  -- Holger Levsen <holger at debian.org>  Thu, 01 May 2014 00:42:23 +0200
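Review bot: Two wording problems in the added changelog entry: "definitly" should be "definitely", and "the master user's authorized key" should name the file, authorized_keys. Since the entry says the behaviour is now documented instead, it would help to name README_server.txt so an admin reading the changelog knows where to look.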
diff --git a/debian/piuparts-slave.postinst b/debian/piuparts-slave.postinst
index ba09c70..7532da1 100644
--- a/debian/piuparts-slave.postinst
+++ b/debian/piuparts-slave.postinst
@@ -2,7 +2,6 @@
 set -e
 
 pgroup=piuparts
-muser=piupartsm
 suser=piupartss
 scriptroot=/usr/share/piuparts
 userhome=/var/lib/piuparts
@@ -54,13 +53,6 @@ if [ "$1" = "configure" ] ; then
         chown $suser:$pgroup $userhome/$suser/.ssh/known_hosts
     fi
 
-    if [ -d $userhome/$muser/.ssh ] && [ ! -e $userhome/$muser/.ssh/authorized_keys ] ; then
-        sed 's#^#command="'"$scriptroot"'/piuparts-master",no-pty,no-port-forwarding #' \
-		$userhome/$suser/.ssh/id_rsa.pub >>$userhome/$muser/.ssh/authorized_keys
-        chown $muser:$pgroup $userhome/$muser/.ssh/authorized_keys
-        chmod 0600 $userhome/$muser/.ssh/authorized_keys
-    fi
-
     install -d -o $suser -g $pgroup -m 0755 $userhome/slave
     install -d -o $suser -g $pgroup -m 0755 $userhome/slave/0
 
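Review bot: With this block removed, a fresh install that runs master and slave on the same host ends up with no authorized_keys entry for $muser, and nothing in the postinst tells the admin that a manual step is now required. Since README_server.txt explicitly allows using the master machine as a slave, consider a NEWS.Debian or README.Debian note pointing at the documented 'command="/usr/share/piuparts/piuparts-master",no-pty,no-port-forwarding' prefix, and mention that the file should stay mode 0600 and owned by the master user, as the removed lines ensured.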

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/piuparts/piuparts.git


