> > > > > It's probably better to use distcc over ssh, using an ssh-agent
> > > > > and PKI authentication.
> > > > How would ssh and PKI be set up in
> > > > the workflow?  It isn't mentioned here:
> > > > http://www.gentoo.org/doc/en/distcc.xml
> > >
> > > 1) On the server, set up the shell account that will use distcc via
> > > ssh.
> > > 2) On the client, generate the private key for that account and
> > > use ssh-copy-id to give the server the public key.
> > > 3) On the server, if possible, disable password logins to force the
> > > use of the private key for that user.
> > > 4) On the client, add a line like [EMAIL PROTECTED] to your
> > > distcc_hosts.
> > > 5) Prior to invoking distcc on the client, start
> > > an ssh-agent (I prefer the keychain "meta-"agent) and optionally add
> > > your private key to the agent. (If you don't start an agent, each
> > > compile that goes to an ssh host will ask for a password -- very
> > > troublesome with parallel make; if you don't add your private key to
> > > the agent, you'll get prompted for the passphrase the first time you
> > > need a key -- still moderately troublesome.)
> > >
> > > There is no need to run distccd on the server at all.  You /will/ need
> > > sshd.
> >
> > It sounds like this would make the remote
> > distcc idea as secure as ssh and I won't have to worry about the fact
> > that distcc wasn't built with security in mind.  Is that right?
>
> Yes.  Since you aren't running the distccd server, its lack of security is
> not a concern for you.  You'll be depending on the security of ssh.  While
> not completely spotless (e.g. the zlib vulnerability bit openssh) it was,
> at least, designed with security in mind.

Nice.

> > Also,
> > I'm the only user on all of my systems so it would be OK to use plain
> > ssh without PKI right?
>
> Unfortunately, no.  Not because it's less secure (though, it might be
> depending on the strength of your passwords vs passphrases), but because
> there's no such thing (AFAIK) as an ssh-password-agent.  This means that
> each compile job has to ask you for the password -- that's not gonna be
> real useful, most likely.  See the parenthetical notes at the end of step
> 5.

So you're saying if I don't use PKI, the remote system is going to
prompt me for a password after I'm already logged in?  You say "each
compile that goes to an ssh host will ask for a password".  At what
point in the emerge process does this happen?

- Grant

-- 
gentoo-user@gentoo.org mailing list
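As an added example, not code from the thread, from Gentoo's distcc guide or from distcc itself, the POSIX shell helpers below cover steps 3 to 5 of the recipe quoted above: building an SSH host entry for DISTCC_HOSTS, checking an sshd_config fragment to confirm password logins are really off, and confirming an agent is reachable with a key loaded before a parallel emerge starts. The host name buildbox, the job counts and the config fragments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for steps 3-5 of the
# distcc-over-ssh setup. Host name, job counts and config text are constructed.

# Step 4: distcc's DISTCC_HOSTS syntax. A leading '@' marks an SSH host and
# '/N' caps the jobs sent to it; no distccd or TCP port is involved.
distcc_ssh_host() {
    printf '@%s/%s\n' "$1" "${2:-4}"
}

# Step 3: read an sshd_config on stdin and return 0 only if password and
# keyboard-interactive logins are both off, so the key is the only way in.
# sshd keeps the FIRST value it sees for a keyword; a later 'no' does not
# undo an earlier 'yes'. Match blocks are not modelled here.
sshd_password_auth_disabled() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        { k = tolower($1); if (!(k in seen)) seen[k] = tolower($2) }
        END {
            pw = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "yes"
            if ("kbdinteractiveauthentication" in seen)
                kbd = seen["kbdinteractiveauthentication"]
            else if ("challengeresponseauthentication" in seen)
                kbd = seen["challengeresponseauthentication"]   # older spelling
            else
                kbd = "yes"                                     # sshd default
            exit !(pw == "no" && kbd == "no")
        }'
}

# Step 5: an agent must be reachable and already hold a key, or every distcc
# job will prompt (with parallel make, many prompts at once).
# ssh-add -l exits 0 with keys loaded, 1 when empty, 2 when unreachable.
agent_ready() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1
}

# Constructed config fragments. WEAK shows the first-value-wins trap.
HARDENED='PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no'
WEAK='PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no'

if [ "${1:-}" = "check" ]; then
    printf '%s\n' "$HARDENED" | sshd_password_auth_disabled && echo "hardened: ok"
    printf '%s\n' "$WEAK" | sshd_password_auth_disabled || echo "weak: password login still on"
    agent_ready && echo "agent: ready" || echo "agent: start one and ssh-add your key"
    echo "DISTCC_HOSTS=\"$(distcc_ssh_host buildbox 4) localhost/2\""
fi
```

Run it as `sh distcc-ssh-check.sh check` on the client before emerging; the last line prints the DISTCC_HOSTS value to export.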