
Bug#592550: Provide support for SSH-Key authentication (Supports Eucalyptus and Amazon EC2)



On Sep 12, 2011, at 12:04, Bastian Blank wrote:
> On Mon, Sep 12, 2011 at 10:56:05AM -0400, Kyle Moffett wrote:
>> Specifically, my patch allows you to enable both password and public-key auth,
>> by preseeding both a password and the authorized_keys URL.  If you don't
>> want to enable password authentication, you can preseed "password-disabled"
>> instead.
> 
> Please explain the use for this.
> 
> Anyway. Please append the key to the initrd instead of using another
> insecure transport. Or are you prepared to actually check the validity
> of the keys?


Bastian,

The intent of this is that the virtualization system provides an HTTP
service on 169.254.169.254 which is unique for each and every VM.
The traffic goes directly to the management plane; it is unspoofable
and unsnoopable, so it is just as secure as the virtual hard disks that
you install onto.

Certain provisioning metadata (such as public user SSH keys) can be
obtained from that HTTP server, e.g.:

http://169.254.169.254/2007-09-19/meta-data/public-keys/0/openssh-key

So the intent is to be able to preseed that URL (which is always the
same value for Amazon EC2 and possibly other virtualization systems)
into the Debian-Installer.

That allows me to start up virtual installers with different security
parameters using the native EC2 provisioning tools, without having to
upload a new image each time.

I assume that if your initramfs includes HTTPS support then you could
also use a secured HTTPS URL, but that's unnecessary for the virtual
infrastructure use-case.

Cheers,
Kyle Moffett
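
A structural sanity check an installer could run on text fetched from such a URL before writing it to authorized_keys, as an added example that is not part of this message or of the patch under discussion. It checks format only, not who a key belongs to; the allowlist, the rejection of option prefixes, the helper names and the sample lines are assumptions constructed for illustration.

```python
import base64
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # assumed allowlist

def read_string(blob, offset=0):
    """Read one length-prefixed string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    end = offset + 4 + struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("truncated string")
    return blob[offset + 4:end]

def check_key_line(line):
    """Return (ok, reason) for one line of fetched authorized_keys text."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        return False, "too few fields"
    key_type, b64 = fields[0], fields[1]
    if key_type not in ALLOWED_TYPES:  # also rejects option prefixes and HTML
        return False, "unexpected first field"
    try:
        inner = read_string(base64.b64decode(b64, validate=True))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, "bad key blob: %s" % exc
    if inner != key_type.encode("ascii"):
        return False, "type inside blob does not match declared type"
    return True, "ok"

def filter_keys(text):
    """Keep only the lines that pass check_key_line."""
    return [l.strip() for l in text.splitlines() if check_key_line(l)[0]]

def make_blob(type_name, payload):
    """Build a constructed (not real) key blob for the sample input below."""
    t = type_name.encode("ascii")
    raw = struct.pack(">I", len(t)) + t + struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode("ascii")

# Constructed sample of text a metadata URL might return (not real keys).
SAMPLE = "\n".join([
    "ssh-ed25519 " + make_blob("ssh-ed25519", bytes(32)) + " user@example",
    "ssh-rsa " + make_blob("ssh-ed25519", bytes(32)) + " mismatched",
    'command="/bin/true" ssh-ed25519 ' + make_blob("ssh-ed25519", bytes(32)),
    "<html>404 Not Found</html>",
])

if __name__ == "__main__":
    print("\n".join(filter_keys(SAMPLE)))
```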





