[Mageia-sysadm] progress of the night

Michael Scherer misc at zarb.org
Tue Nov 23 05:14:57 CET 2010


so, following the meeting of yesterday, here is a new summary :
- svn ldap access is ready to roll, the module pam::access_commiters
should work fine. 

I have finally found the issue after a long journey in the code of
openssh and pam_ldap. just for the record, if someone one day see that a
pam module do not work because openssh give " #010#012#015#177INCORRECT
" as password to your pam module, this is because there is a error
before ( in my case, the shell was not installed and this caused openssh
to overwrite the password to protect from timing attack, see
pam_auth.c ).

example :
node svn-server {
  include pam::commiters_access 

this should give access to people from the mga-commiters group, by
forcing the restricted shell on the server that include the class.

- I have also rewrote the restricted shell module.

Following the previous example, you cannot connect to the server.
Someone also need to autorise the access, by adding :

node svn-server {
  include pam::commiters_access 
  include restrictshell::allow_svn 

We can for now use git, svn, repsys ( pkgsubmit ), scp, sftp and rsync.
The 3 last one are not tested, and default configuration requires
tweaking for filtering the path. There is also support for cvs, but I do
not think we will use it.

So basically, we could deploy pam::commiters_access , add the proper
class for svn access, and let people use the svn. We just need to
migrate the local account to ldap, and setup the ssh keys by ourself.

The next steps are :
1) add support for ssh keys handling to catdap
2) deploy a cronjob to checkout keys from ldap to the fs
this part is half done, but if people have suggestions, do not hesitate
( I am not much in favor of using patchs on openssh like openssh-lpk
since they are not upstream )

I would also like that we start to use the class subversion::repository,
as there is lots of goodies included ( and I need to add more ).

Regarding the mailling lists  deployment, I have started to work on
spamassassin integration, using amavis ( as this is the safest way i
know ). Unfortunately, my knowledge is either out of date ( ie, no more
rules_du_jour ) or already setup ( ie all plugins that I usually used
are loaded by default ). So the only customization I have added is rules
compiling from perl to C. I guess I will also look at enabling pyzor,
and maybe others tweak on postgrey as suggested by Luca. 

I didn't tested anything, so if someone deploy it while I sleep, please
test before :). But as i think the default setup should just work fine,
it should not cause real trouble. ( on the other hand, we may need to do
more test on postfix ).

next steps will then be :
1) to test and validate the setup 
2) to create 1 mailling list for testing and to see how and what we can
tweak it ( ie, a guinea pig ml ) 
3) to migrate one by one the current mailling list :
  - subscribers
  - web archives, if possible by preserving url ( I guess we can do some
magic on zarb side for this )
  - gmane 
Mailman can give use archives with mbox, there is ( iirc ) static html
page for web archives, and we have some basic tools to fetch the

There is currently 12 mailling lists.

( blino also did some work, but I will let him talk of this, like :
- explaining the cooldron idea
- the vhost "repository" ( and that he need to add it to dns /o\ )

Michael Scherer

More information about the Mageia-sysadm mailing list