Hide password or Prompt for password

Prunk Dump prunkdump at gmail.com
Tue Feb 4 20:39:10 CET 2014


2014-02-03 Toomas Tamm <tt-fai at kky.ttu.ee>:
> On Mon, 2014-02-03 at 14:41 +0100, Prunk Dump wrote:
>
>> What do you thinks about this method ?
>>
>> 1) I generate a ssh public key on the FAI server.
>
> You always generate a key-pair: private and public. It is irrelevant how
> you deliver a public key, because, by its nature, it is not secret.
>
> ssh uses two types of keys: host keys are used to identify the hosts,
> and user keys are for actually logging in (or getting/putting a file via
> scp). For passwordless, prompt-free login the connecting side needs to
> know the public host key of the server (typically stored on the client
> in a known_hosts file or similar) and a private key of the user who is
> logging in. The public key of the user is normally stored in an
> authorized_keys file or its equivalent on the host where you are logging
> in to.
>
>> 2) I make a hook that query the FAI server's root password when the
>> install start on the client. This hook copy the FAI server's public
>> key on the host.
>
> Delivering the host (public) key is trivial, because it is public and
> you can use NFS, fcopy, or any other method. There is nothing to keep
> secret here. Having the correct key just keeps ssh from asking you for
> confirmation during the first connect.
>
> It is more complicated (on the client) to get hold of the password or
> secret key for logging in to the FAI server (or other server which has
> the secrets which your client needs to use). Indeed, you may first query
> for a password on the terminal (which will violate the principle of
> "unattended install" - depending on your situation this may be anything
> from a minor annoyance to a complete show-stopper), then use that
> password to fetch the secret key, and then use that to get all the rest.
> Or you may skip the secret key part and just fetch a tar-file with all
> the necessary secrets.
>
>> 3) When the install is finished. A script on the server query the SSH
>> passphrase and the samba4 password and send it to the clients through
>> SSH.
>
> This can be prepared in advance, and delivered as part of (2). You may
> also do it at any later time, if you have properly stored the secret
> key.
>
>> The advantage is that a can put the password just after the PXE boot.
>> And this is unsure the identity of the host.
>>
>> Is there a security issue that I forget ?
>
> I would not use root account on the FAI server for moving these secrets
> around. Make a special account which just has the relevant files in its
> home directory. So even if someone manages to get hold of the keys, they
> will not get immediate root access to your FAI server. Putting the host
> name or other identifying information in the file name will make your
> life easier as well.
>
> Regards,
>
> Toomas Tamm


Thank you Toomas.

If I understand correctly, the main problem is to identify the host.
On my open network this can be only done by be physically present when
launching the FAI install right ? So I need a way to be sure that the
client send it's identifier to the FAI server so I can ssh him later.
I need to be physically present, and see that the identifier is sent.
After a can count the number of identifiers received by the server and
compare with the number of planned installations.

The best way to identify the host it's his ssh fingerprint or his ssh
public key, no ? But the problem is how send this information with a
FAI hook to the server ?

Can I use faimond to send the host's ssh public key to add it later in
the server's know_hosts file ?

This way I keep the "unattended install" and can administrate the
hosts in a secure way.

Thanks.

Baptiste.


More information about the linux-fai mailing list