
[Savannah-cvs] [118] UserAuthentication: add 'fencepost' and 'mgt' secti


From: Assaf Gordon
Subject: [Savannah-cvs] [118] UserAuthentication: add 'fencepost' and 'mgt' sections
Date: Thu, 27 Nov 2014 23:32:55 +0000

Revision: 118
          http://svn.sv.gnu.org/viewvc/?view=rev&root=administration&revision=118
Author:   agn
Date:     2014-11-27 23:32:41 +0000 (Thu, 27 Nov 2014)
Log Message:
-----------
UserAuthentication: add 'fencepost' and 'mgt' sections

Modified Paths:
--------------
    trunk/sviki/UserAuthentication.mdwn

Modified: trunk/sviki/UserAuthentication.mdwn
===================================================================
--- trunk/sviki/UserAuthentication.mdwn 2014-11-21 23:52:50 UTC (rev 117)
+++ trunk/sviki/UserAuthentication.mdwn 2014-11-27 23:32:41 UTC (rev 118)
@@ -156,8 +156,47 @@
     ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvs [...]
     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ [...]
 
+### mgt and root access
 
-### TODO
+`mgt.sv.gnu.org` is the management server (see [[SavannahArchitecture]] for
+more details).
 
-* Explain SSH on fencepost
-* Explain SSH on mgt:/root/.ssh/vm_authorized_keys
+root access to `mgt` (and from there to `dl`/`vcs`/`dl`/`fe` servers) is
+controlled by `mgt:/root/.ssh/authorized_keys`. This file is updated
+**manually** by existing GNU Savannah administrators, adding SSH public keys
+of authorized savannah hackers.
+
+ssh access to address@hidden,vcs,dl,int,fe}` is only possible from `fencepost`.
+(TODO: and few other FSF/GNU servers/VPN?)
+
+A script `mgt:/root/bin/push-root-authkeys` copies the file
+`mgt:/root/.ssh/authorized_keys` to `mgt:/root/.ssh/vm_authorized_keys`,
+and also to `{dl,fe,vcs,int}:/etc/ssh/authorized_keys/root`.
+(TODO: is the script `mgt:/root/maintenance/authorized_keys_replicate.sh`
+mentioned in [[SavannahArchitecture]] still in use?).
+
+The files `{dl,fe,vcs,int}:/etc/ssh/sshd_config` contain the following
+statement:
+
+    AuthorizedKeysFile      /etc/ssh/authorized_keys/%u
+
+Which enables root login based on the propagated `authorized_keys` file.
+
+### fencepost
+
+`fencepost.gnu.org` is general-purpose server for GNU hackers (for more
+information: <https://www.gnu.org/software/README.accounts.html>).
+
+It is not directly managed by GNU Savannah.
+
+Users on `fencepost.gnu.org` use the same username as GNU Savannah accounts,
+and public SSH keys are copied (manually) from GNU Savannah database (i.e.
+users requesting access to `fencepost` must already setup accounts on GNU
+Savannah with SSH public keys). Other than that - user management on
+`fencepost` is separate from the rest of GNU Savannah servers.
+
+Each user on `fencepost` has a home directory with `~/.ssh/authorized_keys`
+files, enabling ssh access:
+
+    $ getent passwd agn
+    agn:x:1557:1562:Assaf Gordon,,,:/home/a/agn:/bin/bash



