ssh - better solution, perhaps
Mark Hedges
hedges at recyclecomputer.com
Tue Mar 25 07:09:44 CET 2003
Here's how it seems it should work... comments?

make-fai-nfsroot removes $NFSROOT/etc/ssh/ssh_host_*key*
make-fai-nfsroot removes $NFSROOT/root/.ssh/*
make-fai-nfsroot changes $NFSROOT/etc/ssh/sshd_config:
    HostKey /tmp/ssh/ssh_host_rsa_key
    HostKey /tmp/ssh/ssh_host_dsa_key
make-fai-nfsroot copies $SSH_IDENTITY (public user key)
    to $NFSROOT/root/.ssh/authorized_keys
make-fai-nfsroot copies /etc/ssh/ssh_host_*_key.pub
    to $NFSROOT/root/.ssh/known_hosts
    and $NFSROOT/etc/ssh/ssh_known_hosts

Upon booting install client:
    rcS.fai generates new host keys in /tmp/ssh for install client
    rcS.fai generates new id keys in /tmp/ssh for install client root acct

Oh, darn it. Then how do we get the new id keys back to
the fai@server:~/.ssh/authorized_keys file, without typing?

Ultimately it seems the loguser login key will be compromised
by needing to open it through the cleartext NFS mount.
But with something like this approach, the server host key
will remain secure.

I use boot floppies, so I could generate an id pair that
lives on the floppy. But this does not help netboot users.

--mark--
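
The nfsroot-side steps listed in the message above, as an added shell example that is not part of the original post or of FAI's make-fai-nfsroot; the function names, the four arguments and the server name are assumptions. It differs from a plain copy in one place: a `.pub` file has no host field, so each line is prefixed with the server name to make a valid known_hosts entry.

```shell
#!/bin/sh
# Added example: the nfsroot-side steps from the post, as functions.
# prepare_nfsroot_ssh and audit_nfsroot_ssh are hypothetical names,
# not part of make-fai-nfsroot.

# usage: prepare_nfsroot_ssh NFSROOT SSH_IDENTITY SERVER_ETC_SSH SERVER_NAME
prepare_nfsroot_ssh() {
    nfsroot=$1 identity=$2 server_etc=$3 server_name=$4
    cfg=$nfsroot/etc/ssh/sshd_config

    # No host keys or root ssh state may live on the cleartext NFS export.
    # The directory is recreated so that dotfiles are cleared as well.
    rm -f "$nfsroot"/etc/ssh/ssh_host_*key*
    rm -rf "$nfsroot/root/.ssh"
    mkdir -p "$nfsroot/root/.ssh"
    chmod 700 "$nfsroot/root/.ssh"

    # Point sshd at keys that rcS.fai will generate in /tmp/ssh at boot.
    sed '/^[[:space:]]*[Hh][Oo][Ss][Tt][Kk][Ee][Yy][[:space:]]/d' "$cfg" > "$cfg.new"
    printf 'HostKey %s\n' /tmp/ssh/ssh_host_rsa_key /tmp/ssh/ssh_host_dsa_key >> "$cfg.new"
    mv "$cfg.new" "$cfg"

    # Only the public half of the user key goes into the nfsroot.
    cp "$identity" "$nfsroot/root/.ssh/authorized_keys"
    chmod 600 "$nfsroot/root/.ssh/authorized_keys"

    # A .pub file is "type key comment"; known_hosts needs "host type key".
    for pub in "$server_etc"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        sed "s/^/$server_name /" "$pub"
    done > "$nfsroot/root/.ssh/known_hosts"
    cp "$nfsroot/root/.ssh/known_hosts" "$nfsroot/etc/ssh/ssh_known_hosts"
}

# Returns 0 only if no private key material is left under the nfsroot.
audit_nfsroot_ssh() {
    ! grep -rl 'PRIVATE KEY' "$1/etc/ssh" "$1/root/.ssh" >/dev/null 2>&1 &&
        [ -z "$(ls "$1"/etc/ssh/ssh_host_*key* 2>/dev/null)" ]
}
```

Running audit_nfsroot_ssh after every nfsroot rebuild catches a host key that a package postinst has regenerated inside the export.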