ssh - better solution, perhaps

Mark Hedges hedges at
Tue Mar 25 07:09:44 CET 2003

Here's how it seems it should work... comments?

   make-fai-nfsroot removes $NFSROOT/etc/ssh/ssh_host_*key*

   make-fai-nfsroot removes $NFSROOT/root/.ssh/*

   make-fai-nfsroot changes $NFSROOT/etc/ssh/sshd_config:
      HostKey /tmp/ssh/ssh_host_rsa_key
      HostKey /tmp/ssh/ssh_host_dsa_key

   make-fai-nfsroot copies $SSH_IDENTITY (public user key)
      to $NFSROOT/root/.ssh/authorized_keys

   make-fai-nfsroot copies /etc/ssh/ssh_host_*
      to  $NFSROOT/root/.ssh/known_hosts
      and $NFSROOT/etc/ssh/ssh_known_hosts

   upon booting install client:

   rcS.fai generates new host keys in /tmp/ssh for install client

   rcS.fai generates new id keys in /tmp/ssh for install client root acct

Oh, darn it.  Then how do we get the new id keys back to
the fai at server:~/.ssh/authorized_keys file, without typing?

Ultimately it seems the loguser login key will be compromised
by needing to open it through the cleartext NFS mount.

But with something like this approach, the server host key
will remain secure.

I use boot floppies, so I could generate an id pair that
lives on the floppy.  But this does not help netboot users.


More information about the linux-fai mailing list