<div dir="ltr">I'm not sure what role SKS would play in this, but GPG seems plausible enough. That said, I'm more used to people doing this with SSH keys, and I suspect that's probably an easier and smoother solution.<div>
<br></div><div>y</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jan 5, 2014 at 9:05 AM, Anil Madhavapeddy <span dir="ltr"><<a href="mailto:anil@recoil.org" target="_blank">anil@recoil.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Oct 15, 2013 at 12:38:41PM +0200, Sylvain Le Gall wrote:<br>
> 2013/10/15 Anil Madhavapeddy <<a href="mailto:anil@recoil.org">anil@recoil.org</a>>:<br>
> > I agree -- I'd like to have a small host for nothing but password and key<br>
> > information, and use that to bounce off to all the other infrastructure<br>
> > hosts. If possible, it would be good not to have any customisation on<br>
> > there at all (or indeed, Internet-facing web services such as admin<br>
> > panels) -- could you host those on another VM?<br>
><br>
> Yes, that was the purpose of my request. I want to have in another VM.<br>
> Given the fact that it will be almost no admin, it would be easy to<br>
> setup and just create a Debian repository there.<br>
><br>
> I do not want to share <a href="http://forge.ocaml.org" target="_blank">forge.ocaml.org</a> or <a href="http://ssh.ocaml.org" target="_blank">ssh.ocaml.org</a> VM, because it<br>
> will be too sensitive. This is the reason of my request, you will<br>
> probably have to set up a VM for those specifically (add my SSH keys<br>
> that I have sent you for setting up forge.o.o and ssh.o.o).<br>
<br>
I'm getting around to creating this VM now, and am looking around for a<br>
good way to encrypt the passwords held on the virtual machine. I notice<br>
several candidates in OPAM that might work.<br>
<br>
Yaron: this might be a mad idea, but should we run SKS and use GPG to<br>
encrypt the keys, so that anyone we add to a ring would get access to the<br>
infrastructure machines? Do you know anyone else that uses SKS to help<br>
with such sysadmin tasks?<br>
<br>
-anil<br>
<br>
<br>
<br>
<br>
><br>
> ><br>
> > Rackspace has a nice facility for setting up internal networks, so we<br>
> > could run SSH on other services only exposed to this bounce box.<br>
> ><br>
> > -anil<br>
> ><br>
> > On Tue, Oct 15, 2013 at 11:27:52AM +0200, Sylvain Le Gall wrote:<br>
> >> Hi all,<br>
> >><br>
> >> TL;DR I would like to create an isolated host <a href="http://infra.ocaml.org" target="_blank">infra.ocaml.org</a> that<br>
> >> contains at least a Debian repository.<br>
> >><br>
> >> I am considering what need to be done to migrate and improve forge.o.o<br>
> >> (right now <a href="http://forge.ocamlcore.org" target="_blank">forge.ocamlcore.org</a>, tomorrow <a href="http://forge.ocaml.org" target="_blank">forge.ocaml.org</a>).<br>
> >><br>
> >> One of the thing that is "extremly" useful is to have a central,<br>
> >> secured hosts holding data repository for all other hosts. In my<br>
> >> current "home" installation, I have one host that contains for<br>
> >> examples my personnal Debian repository. This repository contains<br>
> >> Debian packages that need to be installed on every other hosts and I<br>
> >> use it to distribute home-made program accross all hosts using<br>
> >> standard Debian apt-get scheme, This may also contains some admin<br>
> >> panel/monitoring tools. The hosts is particular because it should be<br>
> >> extra protected against attack, since compromising this hosts can lead<br>
> >> to compromise all other hosts. In other words you should not use it<br>
> >> for public facing products.<br>
> >><br>
> >> Right now, the forge.o.o repository is hosted on the forge.o.o itself<br>
> >> (but it doesn't distribute data to any other hosts).<br>
> >><br>
> >> We may also use a private/public github account to store the<br>
> >> repository, if it makes more sense to you. But in this case, we will<br>
> >> need to figure how to GPG sign the release file.<br>
> >><br>
> >> Here are my questions:<br>
> >> - what would you prefer: dedicated hosts or public github or private<br>
> >> github (less infra disclosure, less possible attack)<br>
> >> - would this kind of central repository be used on other .<a href="http://ocaml.org" target="_blank">ocaml.org</a> hosts ?<br>
> >> - in case you prefer a host: Anil can you set a small instance (1CPU,<br>
> >> 3GB DD, 512MB RAM)<br>
> >> - in case you prefer a github repository: Am I allowed to create a<br>
> >> private/public github repository on <a href="http://ocaml.org" target="_blank">ocaml.org</a> ?<br>
> >> - I will inject some fusionforge packages + custom scripts packages,<br>
> >> OCaml Labs/OCamlPro people do you have some packages to inject as well<br>
> >> ?<br>
> >><br>
> >> Regards<br>
> >> Sylvain<br>
> >> _______________________________________________<br>
> >> Infrastructure mailing list<br>
> >> <a href="mailto:Infrastructure@lists.ocaml.org">Infrastructure@lists.ocaml.org</a><br>
> >> <a href="http://lists.ocaml.org/listinfo/infrastructure" target="_blank">http://lists.ocaml.org/listinfo/infrastructure</a><br>
> >><br>
> ><br>
> > --<br>
> > Anil Madhavapeddy <a href="http://anil.recoil.org" target="_blank">http://anil.recoil.org</a><br>
> > _______________________________________________<br>
> > Infrastructure mailing list<br>
> > <a href="mailto:Infrastructure@lists.ocaml.org">Infrastructure@lists.ocaml.org</a><br>
> > <a href="http://lists.ocaml.org/listinfo/infrastructure" target="_blank">http://lists.ocaml.org/listinfo/infrastructure</a><br>
><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Anil Madhavapeddy <a href="http://anil.recoil.org" target="_blank">http://anil.recoil.org</a><br>
</font></span></blockquote></div><br></div>