Dear wizards, [I assume cluster stuff to be better here than -user. Please tell me if you think otherwise] We have just converted our 40 node cluster to FAI and now it's running shiny sarge at the press of the on button. Thanks to Thomas Lange for a really incredible solution (FAI), and Mark Burgess for cfengine2! As far as I can tell, there remains one problem: we use SSH hostbased authentication between the nodes, and while I finally got that to work, every machine gets a new host key on every reinstallation, requiring the global database to be updated. Of course, ssh-keyscan makes that easy, but people *will* forget to call it, and I refuse to automate the process because there is almost no intrusion detection going on, so that it would be trivial to take a get access to the cluster with a laptop. As it stands, I kept the attack vector small with respect to the data stored on the cluster, physical security is good, and the whole thing is behind a fascist firewall anyway. So what can I do about these SSH keys? The nodes have a /scratch partition, which is local, but it's /scratch and thus already by name not suited for permanent storage of something like the SSH keys. I could put the keys on NFS, but then they float around the network for everyone to sniff. I was thinking of using SSH during the installation to get the right key from the server, but in order for that to work in the unattended fashion we require, I must somehow get an SSH privkey to the nodes, and the same problem reappears in blue. Using HTTPS, WebDAV, or any other of the securable problems reduces the challenge to IP/Mac-based authentication, which is easy to subvert. So these are the four possible ways I can think of, and not a single one is satisfactory. What would you do? What have you done in a similar situation? -- Martin F. Krafft Artificial Intelligence Laboratory Ph.D. Student Department of Information Technology Email: krafft@ailab.ch University of Zurich Tel: +41.(0)44.63-54323 Andreasstrasse 15, Office 2.18 http://ailab.ch/people/krafft CH-8050 Zurich, Switzerland Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver! Spamtraps: krafft.bogus@ailab.ch krafft.bogus@ifi.unizh.ch "the vast majority of our imports come from outside the country." - george w. bush
Attachment:
signature.asc
Description: Digital signature