On Sun, Jun 01, 2008 at 11:10:42AM +0100, Philip Hands wrote:
> While this is initially for our (DSA's) benefit, in that it makes applying
> global changes easier, it's also for user's benefit.

Er, "we're taking away your options for your own good"? :)

> -- compare the effort required to ensure that there are no copies of a key
> (that was on a stolen laptop, say), on every debian host you _might_ have
> copied it to, to the effort of sending a single mail and knowing you're
> done.

> If there's some reason that you want specific keys to only give access
> to specific hosts, and if the reason justifies the effort, I suppose it
> would be possible to come up with a way of tagging which hosts any
> particular key should give access to in LDAP -- is that why you're
> worried about the loss of this feature?

The particular use case, which Peter is familiar with already since he's
been having to field requests from the d-i porters, is that daily builds of
the installer images run as unattended jobs and are rsync'ed to gluck using
passphraseless keys. Those of us who are security-conscious don't want
those keys to be usable for anything aside from the single task of running
an rsync server on a single system. So tagging a key as belonging to a
particular host is insufficient - we need the full authorized_keys semantics
for setting key options (from=, command=, no-port-forwarding,
no-X11-forwarding, at least).

There is a workaround available in the form of "ping weasel, get a symlink
that lets you do your mirroring thing on gluck", but it's still
unsatisfactory in that it remains easier for users to do the wrong thing by
giving their single-use keys global rights via LDAP than to coordinate with
DSA.

--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
[EMAIL PROTECTED]                                     [EMAIL PROTECTED]
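The key options named in the message above, as an added example that is not part of the original mail: a small Python check that parses authorized_keys lines and reports which of those restrictions each key lacks. The sample lines, addresses, commands and key material are constructed; `restrict` is a later OpenSSH option, treated here as covering the two no-* options.

```python
import re

# Restrictions the message names as the minimum for a single-purpose key.
REQUIRED = ("from", "command", "no-port-forwarding", "no-X11-forwarding")
# A line that starts with a key type has no options field at all.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")

def split_unquoted(text, seps, maxsplit=-1):
    """Split text on any character in seps that is outside double quotes."""
    parts, buf, in_quote, prev = [], [], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch in seps and not in_quote and maxsplit != 0:
            parts.append("".join(buf))
            buf = []
            maxsplit -= 1
        else:
            buf.append(ch)
        prev = ch
    parts.append("".join(buf))
    return parts

def audit(line):
    """Return the REQUIRED options missing from one authorized_keys line
    (None for blank lines and comments)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts = {}
    if not KEY_TYPE.match(line):
        # The options field ends at the first whitespace outside quotes.
        field = split_unquoted(line, " \t", maxsplit=1)[0]
        for item in split_unquoted(field, ","):
            name, _, value = item.partition("=")
            opts[name.lower()] = value.strip('"')  # keywords are case-insensitive
    if "restrict" in opts:  # later OpenSSH: disables forwarding, PTY, etc.
        opts.update({"no-port-forwarding": "", "no-x11-forwarding": ""})
    return [r for r in REQUIRED if r.lower() not in opts]

# Constructed sample entries (key blobs are placeholders, not real keys).
SAMPLE = [
    'ssh-rsa AAAAconstructed builder@porter',
    'from="192.0.2.10",command="rsync --server --daemon .",'
    'no-port-forwarding,no-X11-forwarding ssh-rsa AAAAconstructed d-i-daily',
    'command="echo denied, single-use key",no-port-forwarding ssh-rsa AAAAconstructed tmp',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry), "<-", entry[:40])
```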

