Changes

From SME Server
1,856 bytes added, 19:35, 13 July 2011
Why we prefer push monitoring
Line 63:
* Changes can be staged (sync data first, repodata second)
 
* Less out of sync mirrors for yum}}
 
 +
=====Why we prefer push=====
 +
First some background on ssh. Ssh allows people to connect to accounts on different machines in a secure way. Not only are passwords never passed in the clear, once you connect to a machine you are basically guaranteed that future connections will be to the same machine. This prevents many man-in-the-middle attacks.
 +
 +
One capability ssh has is the ability for a user to take the public identity key for a user on another machine and add it to a file of authorized keys on your machine. By default, the user on the other machine (who has the private identity key associated with the public identity key given to you) then has login privileges to your account. It is possible, though, to add text to an authorized key restricting the type of access a person accessing your account using that key has.
 +
 +
So to protect the downstream mirror, the key provided by the upstream mirror has text added to it to limit it to only give the person accessing your account permission to do one thing — start the program on your machine that updates your mirror. Even if someone (an evil third party) was able to break the key, the most they could do is to start the mirror program on your machine. You do not even have to worry about multiple copies of the program being started as a lockfile is used.
 +
 +
On the upstream end, rsync can be configured to restrict who can mirror a given area by username and password. These are totally separate from /etc/passwd so a push server doesn't have to worry about giving others access to their machine. As it is set up, the username and password are passed in the clear. This shouldn't be a problem though, as the worst that can happen is that a third party gains the ability to mirror the Debian pages from that site.
 +
 +
(source: [http://www.debian.org/mirror/push_mirroring Debian: Push mirroring])
 +
 
=====How push works=====
 
Below is a short description of the push process:
 
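Review bot: the claim in the paragraph beginning "So to protect the downstream mirror" that the most a key holder "could do is to start the mirror program on your machine" only holds if the authorized_keys entry carries more than a forced command; in OpenSSH a command="..." option on its own still lets the key holder request TCP port forwarding, agent forwarding and X11 forwarding through the downstream host, so the entry needs the no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty options as well, and the section should quote the actual line (for example command="/path/to/update-mirror",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA... upstream) instead of only saying that "text" is added to the key. The rsync paragraph's statement that "the username and password are passed in the clear" also deserves a caveat: the rsync daemon authenticates module users with a challenge-response, so the module password itself does not cross the wire in plain text, but the transfer is unencrypted and the secrets-file password must not be one that is reused for a real account.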
