# Distcc and SSH

## nullzer0

I am using distcc with TCP connections without problem. In an effort to secure the connection I started looking into the ssh solution. I added the username@host in my /etc/distcc/hosts file. I am able to ssh without a password from the command line using the ssh-keygen pub/priv keys, but when I start a compile with distcc it prompts me for a password. If I type it in it works, but I don't want to type in a password each time it tries to make a connection.

Any thoughts on what I am missing?

Thanks,

Aaron

----------

## hielvc

Look up "keychain" by Daniel Robbins. Try a forum search. Here is a link to the docs: Gentoo Linux Documentation - Keychain

----------

## pjp

Moved from Other Things Gentoo.

----------

## nullzer0

Thanks for the reply. I tried using keychain but I am getting the same results from an emerge.

Any other thoughts?

----------

## korngerd

 *nullzer0 wrote:*   

> Thanks for the reply, I tried using keychain but I am getting the same results from an emerge.
> 
> any other thoughts?

 

I had the same problem but fixed it (at least this bug) by making an .ssh directory in /var/tmp/portage, copying my id_rsa to /var/tmp/portage/.ssh/, and cat'ing the id_rsa.pub to the remote host's ~/.ssh/authorized_keys. Also, make sure that you have the /var/tmp/portage/.ssh chown'ed to portage:portage and appropriately chmod'ed (644 for everything except id_rsa, which should be 600). The reason for this is that emerge switches to the portage user, and your portage user's home is usually /var/tmp/portage (if not, check /etc/passwd). The portage user has to have its own .ssh directory and RSA/DSA key associated with it. Hope this helps ;)

----------

## bigfunkymo

just copying your keys may be a not-so-smart idea...

generate a new key pair JUST for distcc that way the distcc process cannot be used to gain your normal user or possibly superuser access.

----------

## korngerd

 *bigfunkymo wrote:*   

> just copying your keys may be a not-so-smart idea...
> 
> generate a new key pair JUST for distcc that way the distcc process cannot be used to gain your normal user or possibly superuser access.

 

Yup, true - copying from root's .ssh is a very bad idea. Try to do a 'ssh-keygen -t rsa -b 2048' from some normal user, and save it as ~/ssh-for-portage/id_rsa or something. Then, copy the ~/ssh-for-portage/id_rsa to /var/tmp/portage, and copy the ~/ssh-for-portage/id_rsa.pub to the "server's" ~/.ssh/authorized_keys file (or append it, actually). That should get you all set (be sure to remove the ~/ssh-for-portage/ directory and chown portage:portage the /var/tmp/portage/.ssh directory recursively) ;)

----------

## astrodelgato

I'm not having any luck with this. I'm getting this error:

```
[sshd] Authentication refused: bad ownership or modes for directory /var/tmp/portage
```

I have triple checked my permissions for this and I have set up ssh for numerous other users and machines, so I generally know how to do it. Is there something unique about this directory or the portage user? I changed the portage user's shell to /bin/bash, but that didn't help.

----------

## korngerd

 *astrodelgato wrote:*   

> I'm not having any luck with this. I'm getting this error:
> 
> ```
> [sshd] Authentication refused: bad ownership or modes for directory /var/tmp/portage
> ```
> ...

 

Hm..  I'm not sure if this'll help you, but this is what my /var/tmp/portage/.ssh/ directory looks like:

```
506: orangerd portage # la .ssh
total 32
drwx------    2 portage portage  4096 Apr 28 03:53 .
drwxrwxr-x  548 portage portage 16384 May 13 05:06 ..
-rw-------    1 portage portage  1675 Apr 27 15:13 id_rsa
-rw-r--r--    1 portage portage   399 Apr 27 15:13 id_rsa.pub
-rw-r--r--    1 portage portage   223 Apr 28 03:53 known_hosts
```

Basically, /var/tmp/portage is obviously portage:portage owned at 775 permissions. /var/tmp/portage/.ssh should be portage:portage owned with 700 permissions. /var/tmp/portage/.ssh/id_rsa should be portage:portage owned with 600 permissions. You probably also want to keep /var/tmp/portage/.ssh/known_hosts, including your valid "distcc servers", owned by portage:portage with 644 permissions.

If that doesn't seem to work, can you try posting your /var/tmp/portage/.ssh perms - `ls -la /var/tmp/portage/.ssh`?

Edit: You also should keep portage's shell at /bin/false unless you have a really compelling reason to change it (if I remember correctly, ssh uses a different mechanism to specify the "logging in user"'s shell.. I think..).
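The ownership and mode rules discussed in this post and in korngerd's earlier install steps are exactly what sshd's StrictModes enforces when it refuses a login with "bad ownership or modes". The script below is an added example, not code from the thread or from distcc: it checks a portage-style home directory the same way, so the refusal can be diagnosed on the client before running emerge. It assumes GNU coreutils `stat` and takes the home directory and expected owner as arguments (the defaults `/var/tmp/portage` and `portage` are the thread's values).

```shell
#!/bin/sh
# Added example: reproduce the checks behind sshd's "bad ownership or modes"
# refusal for a portage-style home directory. Returns 0 when every check
# passes, 1 otherwise. Assumes GNU stat (-c).

# Succeeds only if $1 is owned by $2 and has no group/other write bit set.
not_writable_by_others() {
    path="$1"; owner="$2"
    own=$(stat -c '%U' "$path") || return 1
    perm=$(stat -c '%A' "$path") || return 1
    [ "$own" = "$owner" ] || { echo "$path: owned by $own, expected $owner"; return 1; }
    case "$perm" in
        ?????w*|????????w*)   # group or other write bit: sshd StrictModes rejects this
            echo "$path: group/other writable ($perm)"; return 1 ;;
    esac
    return 0
}

check_portage_ssh() {
    home="$1"; owner="$2"; rc=0
    # 775 on the home dir is what produced the error quoted above; 755 passes.
    not_writable_by_others "$home" "$owner" || rc=1
    # .ssh itself must not be writable by group/other either (700 is the usual choice).
    not_writable_by_others "$home/.ssh" "$owner" || rc=1
    # The ssh client refuses a private key that anyone but its owner can read.
    for key in "$home"/.ssh/id_rsa "$home"/.ssh/id_dsa; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        case "$mode" in
            600|400) ;;
            *) echo "$key: mode $mode, expected 600"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "$home: ownership and modes are acceptable for sshd"
    return "$rc"
}

# Run directly as: sh check.sh /var/tmp/portage portage
if [ -n "${1:-}" ]; then
    check_portage_ssh "$1" "${2:-portage}"
fi
```

Run it on both the client (where the portage user's key lives) and on the server against the login user's home, since sshd applies the same rules to the account being logged into.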

----------

## astrodelgato

I removed group write permissions from /var/tmp/portage and after that I was able to ssh in as portage (provided that I enabled /bin/bash in /etc/passwd for portage on both ends).

However, it still doesn't work with distcc. The client emerging the ebuild is still getting:

```
Permission denied (publickey,keyboard-interactive)
```

(Btw, I had set the portage shell back to /bin/false on all machines at this point.) Also, the server is not showing any ssh activity in its logs at all, so I am having a difficult time tracking down the problem.

Is the user in my /etc/distcc/hosts portage@myserver, or is it a different user?

*EDIT*

One other thing, I'm not using keychain. Seems like that would be a security risk to have that running on my remote server, but maybe I'm wrong.

I also noticed that it is looking for root's keys rather than portage. I tried adding this to /root/.ssh/config:

```
Host rally
        User portage
        IdentityFile /var/tmp/portage/.ssh/id_dsa
```

on the client, and that seemed to get the keys correct, but now distcc is failing to send to rally with this error:

```
distcc[30359] (dcc_parse_hosts_file) load hosts from /etc/distcc/hosts
distcc[30359] (dcc_parse_hosts) found ssh token "portage@rally"
distcc[30359] (dcc_check_backoff) still in backoff period for portage@rally
distcc[30359] (dcc_remove_disliked) remove portage@rally from list
distcc[30359] (dcc_build_somewhere) Warning: failed to distribute, running locally instead
```

----------

## Alighieri

I just set this up on my laptop at home so I can compile on my server at work. First I copied root's id_rsa.pub key to the server and put it in authorized_keys. I verified password-free access to root@server from the laptop. I don't see why this is a big security risk since it only involves copying the public key. (I suppose it would not be good if the laptop were stolen.) The private key is left untouched. I then put "root@server/8" in my /etc/distcc/hosts file. Next I turned off the distcc daemon on the server (no need either to run it on the laptop). After the appropriate changes to make.conf (FEATURES, MAKEOPTS, etc.), it works perfectly. You'll get better performance if you put

```
Host <server>
   Compression yes
   ControlMaster yes
```

in root's .ssh/config file (on the laptop).

This solution does run distcc as root on the server in xinetd mode (once for each compilation). Not sure if it would be possible for someone else to connect to these instances of distcc during their brief existence. The machine I'm connecting to is behind a firewall and so this is not an issue in my case. [Note: just checked this and it seems the distcc instances are dropping root privileges and running as user distcc.]

----------

