step 4) I want to get them from OpenSolaris.org.

First off the gate repo *is* going outside one day.
So why are we saying we will accommodate *not* setting up ssh-keys on os.o?
Let's cut to the chase and make 'em do it right this time around.

Yes I'm sure we'll have to make an exception for some mega important
project... we are flexible on the gate.

Additionally, I'm going to pull over keys from hg.os.o periodically.
I am *not* setting up a web page to accept keys. I am not interested in
processing a gazillion (ok even a handful) of keys all the time. The tonic
team has solved this problem. I'm not re-inventing that wheel.

So that means even if I put your key in temporarily it will get wiped out
by the next update from OpenSolaris.

Also I think we need to caution everybody that not all homedirs are
kerberized. That means an empty pass phrase is "dangerous". I'm not
mega worried about people impersonating one another, but as far as I'm
concerned, if a push comes in that matched your public key then you are
responsible. Period. There is no way to overstate that point.

Finally my script is set up to get your key iff you set your email as
somebody "@sun.com". Capitalization doesn't matter. I can probably be
talked out of that if need be.

They are public keys. Which by definition means they should all be safe for me
to put anywhere in public (but nobody but us gk's will have access to them
anyway). So even OpenSolaris devs shouldn't be worried. Neither me, Sun,
nor OpenSolaris have their private key. And we don't want it.

-dvd

Mark J. Nelson wrote:
>
> 4 of N
>
> This one internal-only, though that's starting to seem more and more 
> arbitrary.
>
> --Mark
>
> ------------------ cut here ------------------
> To: onnv-gate at onnv.eng.sun.com, on-all at sun.com
> Subject: Flag day: Mercurial: What to expect: ssh access to the gate
>
> Flag day: starting on Tuesday, August 5, if you plan to integrate 
> changes to the ON gate, you must first have a public ssh key on file 
> with the gatekeepers.
>
> As previously mentioned, the Mercurial ON gate will be write-only via 
> ssh to a shared account.  That account is "onhg," so your push command 
> will look like this:
>
>     hg push ssh://onhg@onnv.eng.sun.com//export/onnv-gate
>
> I'll send more details on how to push your changes in a separate note.
>
> In order for this to succeed, the shared "onhg" account must have your 
> public ssh key on file.
>
> 1. If you already have an ssh key on opensolaris.org, and you plan to use
>    the same key for access to the gate, then you're all set.  We have
>    seeded our public key file with information from opensolaris.org.  If
>    you want to use a different key, just let us know (step 4 below).
>
> 2. If you do not have a key setup on opensolaris.org, but you already have
>    an ssh key that you want to use, you may skip ahead to step 4.
>
> 3. To generate an ssh key pair, follow step 1 ("Generating a key pair") of
>    the instructions on the OpenSolaris SSH key help page [1].
>
> 4. XXX Dave, I need your input as to how you want these.  Here's my first
>    pass, and this section will need review:
>
>    Before you attempt to push to the gate, we need your public key.  You
>    should
>
>     ( echo "your.email@Sun.COM" ; cat ~/.ssh/id_dsa.pub ) > \
>         /ws/onnv-gate/public/keys/yourlogin
>
>    and then send e-mail to XXX-key-submission-tbd (gk? gatekeeper?
>    separate alias? automated script?)
>
>    If you use multiple ssh keys, you might also need the following entry
>    in your ~/.ssh/config file:
>
>     HostName onnv.sfbay
>     IdentityFile ~/.ssh/id_dsa
>
>    where "id_dsa" would be the filename containing the private key that
>    corresponds to the public key that you provided.
>
> Questions to gatekeeper at onnv.eng.sun.com.
>
> --Mark
>
> [1] http://opensolaris.org/os/project/website/ssh_instructions/
>
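
Added example, not part of either message and not the gatekeepers' actual script: one way to vet key files in the draft's format (an e-mail line followed by the contents of the .pub file) before they reach the shared account's authorized_keys, applying the case-insensitive "@sun.com" rule from the reply. The function names, the accepted key types and the choice to replace the key comment with the e-mail address are assumptions made for illustration.

```python
import base64
import struct

ALLOWED_DOMAIN = "@sun.com"         # rule from the reply; matched case-insensitively
KEY_TYPES = {"ssh-dss", "ssh-rsa"}  # assumption: the key types the gate would accept


def parse_submission(text):
    """Validate one key file (e-mail line, then exactly one public key line)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 2:
        raise ValueError("expected an e-mail line and exactly one key line")
    email, key_line = lines[0].lower(), lines[1]
    if email.count("@") != 1 or email.startswith("@") or not email.endswith(ALLOWED_DOMAIN):
        raise ValueError("e-mail is not somebody@sun.com")
    fields = key_line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not a public key line")  # e.g. a pasted private key
    blob = base64.b64decode(fields[1], validate=True)  # ValueError on bad base64
    # A public key blob starts with a length-prefixed copy of its type name.
    name = fields[0].encode("ascii")
    if not blob.startswith(struct.pack(">I", len(name)) + name):
        raise ValueError("key type does not match key blob")
    # Assumption: the free-form comment is replaced so each key maps to a person.
    return f"{fields[0]} {fields[1]} {email}"


def build_authorized_keys(submissions):
    """submissions: {login: file text}. Returns (accepted lines, {login: reason})."""
    accepted, rejected = [], {}
    for login in sorted(submissions):
        try:
            accepted.append(parse_submission(submissions[login]))
        except ValueError as exc:
            rejected[login] = str(exc)
    return accepted, rejected


def constructed_blob(key_type):
    """Constructed sample data: a well-formed header plus filler, not a real key."""
    name = key_type.encode("ascii")
    return base64.b64encode(struct.pack(">I", len(name)) + name + b"\0" * 20).decode()


SAMPLES = {  # constructed submissions, keyed by login
    "alice": f"Alice@Sun.COM\nssh-dss {constructed_blob('ssh-dss')} alice@laptop\n",
    "bob": f"bob@example.org\nssh-rsa {constructed_blob('ssh-rsa')} bob@home\n",
    "carol": "carol@sun.com\n-----BEGIN DSA PRIVATE KEY-----\n",
}
```

The ssh-dss type is accepted here only because the thread uses id_dsa; OpenSSH releases since 7.0 disable DSA keys by default.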
