ArneTR
requested changes
Apr 27, 2026
| - Each runner or cluster machine that executes measurements uses the matching RSA PEM private key configured in `config.yml` to decrypt the stored SSH key before cloning a repository. | ||
| - The user submits an OpenSSH private key through the Dashboard or command line. This is the key used by Git, through ssh, when cloning the measured repository. | ||
|
|
||
| We do this so that when the GMT Web machine or the database is leaked we do not expose any SSH keys. |
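Review bot: The closing sentence ("when the GMT Web machine or the database is leaked we do not expose any SSH keys") claims more than the flow described in these lines supports. The user submits the OpenSSH private key through the Dashboard or command line, so the key is handled in plaintext on the submission path before it is stored encrypted; the protection covers keys already stored, not keys submitted while that machine is compromised. Suggest scoping the sentence to stored keys, and stating next to it that the RSA private key from `config.yml` on the runners must never be placed on the web machine, since the whole guarantee depends on that.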
Member
Would call it Dashboard Machine as this is the naming of the docs so far
|
|
||
| ## Configure the web server to accept SSH keys from users | ||
|
|
||
| On the GMT web/API server, configure an RSA PEM-format public key in `config.yml`: |
Member
Again, Dashboard machine.
Or the machine the Dashboard and API run on.
|
|
||
| ```yml | ||
| security: | ||
| encryption_public_key_file: ./.rsa/public_key.pem |
Member
I am not sure relative paths will work. This should be absolute
| openssl rsa -pubout -in private_key.pem -out public_key.pem | ||
| ``` | ||
|
|
||
| Recommended placement on the web/API server: |
|
|
||
| ```yml | ||
| security: | ||
| encryption_private_key_file: ./.rsa/private_key.pem |
| encryption_private_key_file: ./.rsa/private_key.pem | ||
| ``` | ||
|
|
||
| The private key must match the public key configured as `security.encryption_public_key_file` on the GMT web/API server. Keep this private key available only to runner or cluster machines that execute measurements and to administrators who need runner access. |
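Review bot: The snippet directly under "Recommended placement on the web/API server:" sets `encryption_private_key_file`, while the last paragraph says the private key should be available only to runner or cluster machines and their administrators. As written, a reader following the page top to bottom would put the private key on the web/API server, which defeats the stated purpose. Suggest showing `encryption_public_key_file` under that heading and moving the private key snippet under its own runner heading. Related: the `openssl rsa -pubout -in private_key.pem -out public_key.pem` line reads the private key, so the page should say on which machine to run it and that only `public_key.pem` is copied to the web/API server.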
| @@ -0,0 +1,118 @@ | |||
| --- | |||
| title: "SSH Keys" | |||
Member
When I would search the docs my search term would be "private repository" as this is what I effectively want to get working.
The term should appear somewhere. Maybe even in the title. SSH Keys is more the means to an end here I feel
No description provided.