This may eventually turn into something with more documentation on the new user management features in ORBIT Trac.

== The {{{useradmin}}} account ==

The useradmin account has permission to do stuff like {{{mkdir /export/home/foo}}} on repository2.  The idea is that automated processes do their work by logging into it using ssh keypairs.  For example, here's a quick test to see whether you can do things as useradmin@repository2 when running as www-data on external1:
          
          
{{{
(Wed Sep 10 14:38:43) (root@external1:~)
bash> su - www-data
www-data@external1:~$ ssh-add
Could not open a connection to your authentication agent.
www-data@external1:~$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-MBTyO32174/agent.32174; export SSH_AUTH_SOCK;
SSH_AGENT_PID=32175; export SSH_AGENT_PID;
echo Agent pid 32175;
www-data@external1:~$ SSH_AUTH_SOCK=/tmp/ssh-MBTyO32174/agent.32174; export SSH_AUTH_SOCK;
www-data@external1:~$ SSH_AGENT_PID=32175; export SSH_AGENT_PID;
www-data@external1:~$ echo Agent pid 32175;
Agent pid 32175
www-data@external1:~$ ssh-add
Identity added: /var/www/.ssh/id_rsa (/var/www/.ssh/id_rsa)
www-data@external1:~$ ssh useradmin@repository2 sudo mkdir /export/home/corge
www-data@external1:~$ ssh useradmin@repository2 sudo rmdir /export/home/corge
}}}
          
          
The private key in {{{~www-data/.ssh}}} has no passphrase.  That is a concern, but it is pretty much the best way to go when www-data is going to be all automated web scripts, with nobody there to type a passphrase.  Feel free to add more public keys to {{{~useradmin/.ssh/authorized_keys}}}.
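
One way to limit what the passphrase-less www-data key can do if it is ever copied off external1 is to pin it to a forced command on repository2. The script below is an added example, not part of the original page or of the ORBIT setup; the install path {{{/usr/local/sbin/useradmin-gate}}}, the function names and the account-name rule are assumptions.

```sh
#!/bin/sh
# Added example: forced-command gate for useradmin (hypothetical path
# /usr/local/sbin/useradmin-gate). Matching authorized_keys entry, with the
# key elided and assuming "external1" resolves on repository2:
#   command="/usr/local/sbin/useradmin-gate",from="external1",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA...<public key> www-data@external1
LC_ALL=C; export LC_ALL        # make the a-z ranges below byte-exact
HOME_ROOT=/export/home

# parse_request LINE: print "<verb> <path>" and return 0 only for
#   sudo mkdir /export/home/<name>  or  sudo rmdir /export/home/<name>
# where <name> is one lowercase path component; return 1 for anything else.
parse_request() {
    set -f                     # no glob expansion while splitting untrusted text
    set -- $1
    set +f
    [ $# -eq 3 ] || return 1   # exactly three words, so no chained commands
    [ "$1" = sudo ] || return 1
    case $2 in mkdir|rmdir) ;; *) return 1 ;; esac
    case $3 in "$HOME_ROOT"/*) ;; *) return 1 ;; esac
    _name=${3#"$HOME_ROOT"/}
    # Rejects empty names, "/", "..", leading "-" and shell metacharacters.
    case $_name in ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;; esac
    [ "${#_name}" -le 32 ] || return 1
    printf '%s %s\n' "$2" "$HOME_ROOT/$_name"
}

gate_main() {
    _src=${SSH_CONNECTION%% *}         # client address as reported by sshd
    if ! _req=$(parse_request "${SSH_ORIGINAL_COMMAND:-}"); then
        logger -t useradmin-gate "DENY from $_src: ${SSH_ORIGINAL_COMMAND:-<none>}"
        echo "request refused" >&2
        return 1
    fi
    logger -t useradmin-gate "ALLOW from $_src: $_req"
    # $_req is "<verb> <path>"; both words were validated, so splitting is safe.
    sudo -- $_req
}

# sshd always sets SSH_CONNECTION; do nothing when the file is merely sourced.
if [ -n "${SSH_CONNECTION:-}" ]; then gate_main; exit $?; fi
```

With this in place the two test commands in the session above still work, while any other command sent with that key is refused and logged to syslog.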