geneguvo
commented
10 years ago Hi Manuel,
When you need to run ProxySeed to upload credentials to myproxy, it needs to have access to the usercert/key.pem. Since the user home where these files are found is on his home on AFS, we want to make sure the ssh initializes the session with a kerberos token and afs ticket, that's why we disable the pubkey authentication.
Besides that, the userkey.pem is protected with a passphrase, so this part of the script really wants to bug the user for: getting a kerberos token and for unlocking his key.
So I don't think you can robotize this step without breaking a few security rules. What we could do is add an option to ignore if the proxy seed fails and them after-wards you drop the proxy there some other security approved way (i.e. you generate/renew it properly elsewhere a set a cronjob to copy the proxy to your devvm).
But can you remind me why DBS needs a proxy? is this DBSMigration accessing DBS3 APIs?
Cheers, Diego.
giffels
Hi Diego, Alan,
is there any reason why -o PubkeyAuthentication=no is used in https://github.com/dmwm/deployment/blob/master/admin/InstallDev#L71 ? We (DBS 3) have set-up an environment, that allows us to install dbs3 vms running under the dbs3 service account without knowing the password by using public keys. Unfortunately, that is not working anymore. Do you think we can remove that option again, at least for the InstallDev?
Thanks, Manuel