<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_extra"><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I had seen the new "create push-pem" option and gave it a try today. I<br>
see that it does indeed create a different key with a different command<br>
in the authorized_keys file.<br>
<br>
One question remains though and this stems back to bug #1091079.<br>
push-pem expects you to have set up passwordless SSH access already so<br>
what is the point of adding further lines to authorized_keys when<br>
general access is already allowed? Surely this is bad for security?<br>
Wouldn't it be better for push-pem to prompt for a password so that<br>
only the required access is added?<br></blockquote><div><br><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">push-pem expects passwordless SSH between the node where the CLI is executed and a slave node (the slave endpoint used for session creation). It then adds the master's SSH keys to <i>authorized_keys</i> on all slave nodes (prepended with command=... for restricting access to gsyncd). As you said, prompting for a password is definitely better and should be thought of.<br>
<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Non-root geo-replication does not work as of now (upstream/3.5). I'm in the process of getting it to work (patch <a href="http://review.gluster.org/#/c/7658/">http://review.gluster.org/#/c/7658/</a> in gerrit). Even with this you'd need passwordless SSH to one of the nodes on the slave (to an unprivileged user in this case). Your argument of prompting for a password still holds true here.<br>
<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I see the document link you mentioned in BZ #1091079 (comment #2) still points to old style geo-replication (we'd need to correct that). Are you following that in any case? Comment #1 points to the correct URL.<br>
</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Thanks,<br>-venky<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">
IRC: overclk on #freenode<br></div></div></div></div></div>
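An added example, not part of the original messages or of the GlusterFS code: a Python audit of an authorized_keys file that separates entries restricted with command=... from unrestricted ones, which is the overlap raised in this thread. The sample lines, the key material and the /path/to/gsyncd placeholder are constructed for illustration.

```python
import re

# Key-type tokens start with these prefixes; option names never do.
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)[\w.@-]+$")
FORCED = re.compile(r'(?:^|,)command="((?:\\"|[^"])*)"', re.I)

def split_options(line):
    """Split at the first whitespace that is outside double quotes."""
    in_quote, i = False, 0
    while i < len(line):
        if in_quote and line.startswith('\\"', i):
            i += 2  # escaped quote inside an option value
            continue
        if line[i] == '"':
            in_quote = not in_quote
        elif line[i] in " \t" and not in_quote:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""

def parse_entry(line):
    """Return {'command', 'key', 'comment'}, or None for blanks, comments, garbage."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts, rest = "", line
    if not KEY_TYPE.match(line.split(None, 1)[0]):
        opts, rest = split_options(line)  # line starts with an options field
    fields = rest.split(None, 2)
    if len(fields) < 2 or not KEY_TYPE.match(fields[0]):
        return None
    m = FORCED.search(opts)
    return {"command": m.group(1) if m else None, "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}

def audit(text):
    """Return (unrestricted, forced) lists of parsed entries."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    return ([e for e in entries if e["command"] is None],
            [e for e in entries if e["command"] is not None])

# Constructed sample: placeholder key material and a placeholder gsyncd path.
SAMPLE = """\
# authorized_keys on a slave node (constructed)
ssh-rsa AAAAB3NzaC1yc2EAAAAexampleADMIN root@master1
command="/path/to/gsyncd" ssh-rsa AAAAB3NzaC1yc2EAAAAexampleGEO1 root@master1
command="/path/to/gsyncd",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAAexampleGEO2 root@master2
"""
```

audit(SAMPLE) returns the unrestricted root@master1 entry separately from the two forced-command entries. While that first key stays in the file, the command= restriction on the other lines does not limit what the holder of that key can do.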