Gentoo Forums
local mirror and binhost via ssh
jonathan183
Apprentice
Joined: 13 Dec 2011
Posts: 248

PostPosted: Mon Jun 19, 2017 2:22 pm    Post subject: local mirror and binhost via ssh

I want to set up a PC in order to serve portage snapshots locally and serve binary packages.
I would like to do this via ssh rather than a webserver.
Looking at the wiki for binary packages, SSH_binary_package_host seems to have the relevant information I need.
Looking at the local mirror information, Local_Mirror appears to use rsync.

I have been able to set up a binhost to serve packages over ssh.
If I enable root on the binhost I can use keys to log in. On the binhost, in /etc/ssh/sshd_config I have
Code:
Protocol 2
Port 18022
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password


I have cat'd my client's root public key into the binhost's /root/.ssh/authorized_keys

In the client's /etc/portage/make.conf I have
Code:
PORTAGE_RSYNC_EXTRA_OPTS="--progress -e \"ssh -p 18022 -l root -i /root/.ssh/id_rsa \""
PORTAGE_BINHOST="ssh://root@192.168.1.2:18022/usr/portage/packages"


I set up the client ssh key using ssh-keygen and set a password. The arrangement works, but I am prompted for the password both when I run
Code:
emerge --sync
on the client, and when I run
Code:
emerge -avuDNfgk @world
before each binary package is downloaded from the binhost to the client.

I could generate a new key for the client without a password, but root access without a password does not sound like a great way to go.
Is there a better way of doing this which still uses ssh for --sync?
Following the wiki information allows binary packages with a binpkguser via ssh, but does not use ssh for the emerge --sync.
Jaglover
Watchman
Joined: 29 May 2005
Posts: 5614
Location: Saint Amant, Acadiana

PostPosted: Mon Jun 19, 2017 2:30 pm

I haven't checked, but shouldn't all this be owned by portage:portage? Why root?
_________________
Please learn how to denote units correctly!
Frautoincnam
n00b
Joined: 19 May 2017
Posts: 25

PostPosted: Mon Jun 19, 2017 11:12 pm    Post subject: Re: local mirror and binhost via ssh

jonathan183 wrote:
I would like to do this via ssh rather than a webserver.

That's not your question, but you can use rsync too:
Code:
PORTAGE_BINHOST="rsync://your.binhost.server/gentoo-distbin"
szatox
Veteran
Joined: 27 Aug 2013
Posts: 1350

PostPosted: Tue Jun 20, 2017 12:19 am

Quote:
I could generate a new key for the client without a password, but root access without a password does not sound like a great way to go.
Yes, it does. The whole point of using keys is to replace passwords.
You can protect your keys by encrypting them on a different layer, like encrypting your /home, for example.
Or, you could try using SSH agent. I never tried doing exactly this, but I expect it to work: start ssh-agent on your client, then ssh-add ./your/encrypted/key
It should prompt you for the key's password, decrypt the key, store it in the agent, and keep using it until you remove it (usually by killing the agent when you log out).
Note: ssh-agent will print the necessary environment variables to stdout. You have to set them and export them in your session, or run your command from ssh-agent itself to let it set the variables for you.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 10707

PostPosted: Tue Jun 20, 2017 1:31 am

You can and, for faceless keys should, configure the sshd to restrict the commands that can be run by a client that authenticates with that key. Properly configured, this would mean that the only thing recipients could do is download the files that this binhost is meant to serve, at which point the need to password-protect the key is greatly reduced.

I concur with Jaglover. The key ought to authenticate as an unprivileged user such as portage, to further confine the actions taken by clients using it.
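The command restriction Hu describes can be enforced with a forced command in the binpkg user's authorized_keys. The wrapper below is an added example, not code from the thread or from Portage: it assumes the served tree is /usr/portage/packages (as in the original post), that it is installed as /usr/local/bin/binhost-shell, and that the client only ever issues a "cat" of a file in that tree or a read-only "rsync --server --sender" rooted there; confirm the exact commands Portage sends against the wrapper's rejection log entries before relying on the allowlist, and note that rsync's own rrsync helper is the maintained alternative for the rsync case.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for a binhost key.
# Assumed: served tree /usr/portage/packages, wrapper installed as
# /usr/local/bin/binhost-shell and referenced from the binpkg user's
# ~/.ssh/authorized_keys as
#   restrict,command="/usr/local/bin/binhost-shell" ssh-rsa AAAA... client-root
# ("restrict", OpenSSH 7.2+, also disables forwarding and pty allocation).

SERVED=/usr/portage/packages

# allow_cmd CMD: 0 if CMD is read-only access confined to $SERVED, else 1.
# First pass rejects shell metacharacters, glob characters and parent dirs.
allow_cmd() {
    cmd=$1
    case "$cmd" in
        *[';&|$<>*?[`']*|*/../*|*/..) return 1 ;;
    esac
    case "$cmd" in
        "cat $SERVED/"*)                      # index fetch: one file, no extras
            case "${cmd#cat }" in *' '*) return 1 ;; esac ;;
        "rsync --server --sender "*)          # rsync in read-only server mode
            rest=${cmd#rsync --server --sender }
            while :; do                       # consume option words
                case "$rest" in
                    -*) word=${rest%% *}
                        [ "x$word" != "x$rest" ] || return 1  # options, no path
                        case "$word" in */*|--files-from*) return 1 ;; esac
                        rest=${rest#"$word" } ;;
                    *) break ;;
                esac
            done
            case "$rest" in ". "*) path=${rest#. } ;; *) return 1 ;; esac
            case "$path" in
                *' '*) return 1 ;;            # exactly one source path
                "$SERVED"|"$SERVED/"*) ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
    return 0
}

# Dispatch only when running as the installed wrapper; sshd passes the
# client's requested command in SSH_ORIGINAL_COMMAND (empty = shell request).
case "$0" in */binhost-shell)
    if allow_cmd "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                                # no globbing, no shell re-parse
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t binhost-shell "rejected: ${SSH_ORIGINAL_COMMAND:-<none>}"
    exit 1 ;;
esac
```

Rejections are logged via logger, so the binhost's syslog shows exactly which command shapes the client needs if the allowlist is too tight.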
All times are GMT