Hide password or Prompt for password

Toomas Tamm tt-fai at kky.ttu.ee
Mon Feb 3 15:20:43 CET 2014 

On Mon, 2014-02-03 at 14:41 +0100, Prunk Dump wrote:

> What do you thinks about this method ?
> 
> 1) I generate a ssh public key on the FAI server.

You always generate a key-pair: private and public. It is irrelevant how
you deliver a public key, because, by its nature, it is not secret. 

ssh uses two types of keys: host keys are used to identify the hosts,
and user keys are for actually logging in (or getting/putting a file via
scp). For passwordless, prompt-free login the connecting side needs to
know the public host key of the server (typically stored on the client
in a known_hosts file or similar) and a private key of the user who is
logging in. The public key of the user is normally stored in an
authorized_keys file or its equivalent on the host where you are logging
in to.

> 2) I make a hook that query the FAI server's root password when the
> install start on the client. This hook copy the FAI server's public
> key on the host.

Delivering the host (public) key is trivial, because it is public and
you can use NFS, fcopy, or any other method. There is nothing to keep
secret here. Having the correct key just keeps ssh from asking you for
confirmation during the first connect.

It is more complicated (on the client) to get hold of the password or
secret key for logging in to the FAI server (or other server which has
the secrets which your client needs to use). Indeed, you may first query
for a password on the terminal (which will violate the principle of
"unattended install" - depending on your situation this may be anything
from a minor annoyance to a complete show-stopper), then use that
password to fetch the secret key, and then use that to get all the rest.
Or you may skip the secret key part and just fetch a tar-file with all
the necessary secrets.

> 3) When the install is finished. A script on the server query the SSH
> passphrase and the samba4 password and send it to the clients through
> SSH.

This can be prepared in advance, and delivered as part of (2). You may
also do it at any later time, if you have properly stored the secret
key.

> The advantage is that a can put the password just after the PXE boot.
> And this is unsure the identity of the host.
> 
> Is there a security issue that I forget ?

I would not use root account on the FAI server for moving these secrets
around. Make a special account which just has the relevant files in its
home directory. So even if someone manages to get hold of the keys, they
will not get immediate root access to your FAI server. Putting the host
name or other identifying information in the file name will make your
life easier as well.

Regards,

Toomas Tamm

More information about the linux-fai mailing list