Message-ID: <49bf44f10603271016q502b6088q3fb8787f17f2a997@mail.gmail.com>
Date: Mon, 27 Mar 2006 10:16:45 -0800
From: Grant
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Hosted server as distcc machine
In-Reply-To: <200603242303.38223.bss03@volumehost.net>
References: <49bf44f10603202025n77d277ccv7e5b82d05d10a482@mail.gmail.com> <200603231655.39179.bss03@volumehost.net> <49bf44f10603241125v51c63dbobb4b25058cdf7a52@mail.gmail.com> <200603242303.38223.bss03@volumehost.net>
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

> > > > > It's probably better to use distcc over ssh, using an ssh-agent
> > > > > and PKI authentication.
> > > >
> > > > How would ssh and PKI be set up in the workflow? It isn't mentioned
> > > > here: http://www.gentoo.org/doc/en/distcc.xml
> > >
> > > 1) On the server, set up the shell account that will use distcc via
> > > ssh.
> > > 2) On the client, generate the private key for that account and
> > > use ssh-copy-id to give the server the public key.
> > > 3) On the server, if possible, disable password logins to force the
> > > use of the private key for that user.
> > > 4) On the client, add a line like shell_account@server to your
> > > distcc_hosts.
> > > 5) Prior to invoking distcc on the client, start an ssh-agent (I
> > > prefer the keychain "meta-"agent) and optionally add your private key
> > > to the agent. (If you don't start an agent, each compile that goes to
> > > an ssh host will ask for a password -- very troublesome with parallel
> > > make; if you don't add your private key to the agent, you'll get
> > > prompted for the passphrase the first time you need a key -- still
> > > moderately troublesome.)
> > >
> > > There is no need to run distccd on the server at all. You /will/ need
> > > sshd.
> >
> > It sounds like this would make the remote distcc idea as secure as ssh
> > and I won't have to worry about the fact that distcc wasn't built with
> > security in mind. Is that right?
>
> Yes. Since you aren't running the distccd server, its lack of security is
> not a concern for you. You'll be depending on the security of ssh. While
> not completely spotless (e.g. the zlib vulnerability bit openssh), it was,
> at least, designed with security in mind.

Nice.
> > Also, I'm the only user on all of my systems, so it would be OK to use
> > plain ssh without PKI, right?
>
> Unfortunately, no. Not because it's less secure (though it might be,
> depending on the strength of your passwords vs. passphrases), but because
> there's no such thing (AFAIK) as an ssh-password-agent. This means that
> each compile job has to ask you for the password -- that's not gonna be
> real useful, most likely. See the parenthetical notes at the end of step
> 5.

So you're saying if I don't use PKI, the remote system is going to prompt
me for a password after I'm already logged in? You say "each compile that
goes to an ssh host will ask for a password". At what point in the emerge
process does this happen?

- Grant
-- 
gentoo-user@gentoo.org mailing list
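The setup from steps 3 to 5 above, as an added shell example that is not part of the thread: it checks an sshd_config for key-only logins, a DISTCC_HOSTS value for ssh-mode entries, and whether an agent currently holds a key. The sample configs, hostnames and the 192.0.2.10 address are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: defender-side checks for the
# distcc-over-ssh setup in steps 3 to 5. All sample inputs are constructed.

# First value of a keyword in sshd_config text read on stdin. sshd uses the
# FIRST occurrence of a keyword, so later duplicates do not override it.
# Directives inside Match blocks are not handled here.
sshd_first_value() {
    grep -iE "^[[:space:]]*$1[[:space:]]+" | head -n 1 | awk '{print tolower($2)}'
}

# Step 3: does this sshd_config force key-based logins?
# Compiled-in defaults: PasswordAuthentication yes, PubkeyAuthentication yes.
sshd_forces_pubkey() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | sshd_first_value PasswordAuthentication)
    pk=$(printf '%s\n' "$cfg" | sshd_first_value PubkeyAuthentication)
    [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Step 4: every remote entry in DISTCC_HOSTS should be an ssh-mode host
# ([user]@host[/limit]); a bare host entry would talk to a distccd TCP port,
# which is exactly what this setup avoids. Options such as --randomize pass.
distcc_hosts_all_ssh() {
    for h in $1; do
        case "$h" in
            --*|localhost|localhost/*) ;;     # options and local jobs are fine
            *@*) ;;                           # ssh mode: user@host or @host
            *) echo "plain TCP distcc host: $h" >&2; return 1 ;;
        esac
    done
    return 0
}

# Step 5: distcc must find an agent holding the key, otherwise every parallel
# compile job prompts. ssh-add -l exits 0 with identities loaded, 1 with
# none, 2 when no agent is reachable.
agent_has_key() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    ssh-add -l >/dev/null 2>&1
}

# Constructed sample configs (not real files).
HARDENED_CFG='PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes'   # later duplicate, ignored by sshd
WEAK_CFG='PasswordAuthentication yes'

printf '%s\n' "$HARDENED_CFG" | sshd_forces_pubkey && echo "sample 1: key-only logins enforced"
printf '%s\n' "$WEAK_CFG" | sshd_forces_pubkey || echo "sample 2: password logins still allowed"
distcc_hosts_all_ssh "localhost/2 build@server.example/4" && echo "hosts: remote jobs go via ssh"
distcc_hosts_all_ssh "localhost/2 192.0.2.10/4" || echo "hosts: fix the plain TCP entry"
agent_has_key || echo "no agent with a loaded key; run keychain/ssh-add before emerge"
```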