I haven't found anything on this, is there a way to do local pairing without starting the assistant (ideally from the CLI)?
The assistant is pretty heavy, does lots of stuff automatically I might not want it to in many situations (commit, sync) and a GUI is often more cumbersome than a CLI in my experience.
The main use-case would be for headless systems where I might want to give a user/machine access to an annex repo without granting them full access to the system.
The assistant's local pairing uses a custom method to discover other assistants on the LAN, but then all it does is exchange ssh public keys, and each configures ssh to let the other's ssh public key in, limiting it to running git-annex-shell and limiting git-annex-shell to access the one repository.
It's pretty easy to set up the same kind of ssh public key configuration yourself manually. Just generate a public key, and on the other host add it to .ssh/authorized_keys. The git-annex-shell man page has an example of what to put in authorized_keys to fully lock it down.
There could be room in git-annex p2p to implement something like the assistant's local pairing. But I don't know if it's called for since setting up a locked down ssh key is straightforward, at least compared with its current use case of setting up a tor hidden service and limiting who can access it.
Setting up locked-down ssh keys may seem trivial to you since you've thoroughly investigated the topic for implementing them for the assistant's pairing mechanism but I'm pretty sure your average git-annex user doesn't know how to do that or would do it wrong. I certainly wouldn't trust myself doing that on my own.
Support for pairing on the CLI via P2P was implemented not too long ago (which is great!) but I'd like to stick with regular IP as it's more efficient and I've got my network set up for remote access pretty well already.
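The manual setup described in the first reply, as an added example (not code from this thread or from git-annex): a shell helper that builds the locked-down authorized_keys entry from the git-annex-shell environment variables and OpenSSH's restrict option, rejecting input that would weaken it. The function names and the sample key are assumptions made for illustration.

```shell
# Constructed placeholder key for illustration, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotRealExampleKeyNotReal0000 alice@laptop'

# annex_key_line REPO_DIR PUBKEY_LINE [rw|ro]: print one authorized_keys line.
annex_key_line() {
    repo=$1 pubkey=$2 mode=${3:-rw}
    nl='
'
    # The path lands inside a double-quoted command="" string, so accept
    # only absolute paths made of characters that need no quoting.
    case $repo in
        /*) ;;
        *) echo "repo path must be absolute" >&2; return 1 ;;
    esac
    case $repo in
        *[!A-Za-z0-9._/-]*) echo "unsafe character in repo path" >&2; return 1 ;;
    esac
    # Accept exactly one bare key line ("type base64 [comment]"): no embedded
    # newline and no leading options that could override the restrictions.
    case $pubkey in
        *"$nl"*) echo "public key must be a single line" >&2; return 1 ;;
        ssh-*\ ?*|ecdsa-*\ ?*|sk-*\ ?*) ;;
        *) echo "not a bare public key line" >&2; return 1 ;;
    esac
    vars="GIT_ANNEX_SHELL_DIRECTORY=$repo GIT_ANNEX_SHELL_LIMITED=true"
    case $mode in
        rw) ;;
        ro) vars="$vars GIT_ANNEX_SHELL_READONLY=true" ;;
        *) echo "mode must be rw or ro" >&2; return 1 ;;
    esac
    # restrict turns off port, agent and X11 forwarding and pty allocation.
    printf 'command="%s git-annex-shell -c \\"$SSH_ORIGINAL_COMMAND\\"",restrict %s\n' \
        "$vars" "$pubkey"
}

# install_annex_key AUTH_FILE REPO_DIR PUBKEY_LINE [rw|ro]
# Appends the entry once; a rerun with the same arguments changes nothing.
install_annex_key() {
    line=$(annex_key_line "$2" "$3" "${4:-rw}") || return 1
    mkdir -p "$(dirname "$1")" && touch "$1" && chmod 600 "$1" || return 1
    grep -qxF -- "$line" "$1" || printf '%s\n' "$line" >> "$1"
}
```

Run it on the host that serves the repository, as the account the key should log in to, passing that account's authorized_keys file, the repository path and the contents of the other machine's .pub file. With ro the key can fetch from the repository but not change it.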