
distributing SSH keys in a cluster environment



Dear wizards,

[I assume cluster stuff to be better here than -user. Please tell me
if you think otherwise]

We have just converted our 40-node cluster to FAI and now it's
running shiny sarge at the press of the on button. Thanks to Thomas
Lange for a really incredible solution (FAI), and Mark Burgess for
cfengine2!

As far as I can tell, there remains one problem: we use SSH
hostbased authentication between the nodes, and while I finally got
that to work, every machine gets a new host key on every
reinstallation, requiring the global database to be updated. Of
course, ssh-keyscan makes that easy, but people *will* forget to
call it, and I refuse to automate the process because there is
almost no intrusion detection going on, so that it would be trivial
to get access to the cluster with a laptop. As it stands,
I kept the attack vector small with respect to the data stored on
the cluster, physical security is good, and the whole thing is
behind a fascist firewall anyway.

So what can I do about these SSH keys?

The nodes have a /scratch partition, which is local, but it's
/scratch and thus already by name not suited for permanent storage
of something like the SSH keys.

I could put the keys on NFS, but then they float around the network
for everyone to sniff.

I was thinking of using SSH during the installation to get the right
key from the server, but in order for that to work in the unattended
fashion we require, I must somehow get an SSH privkey to the nodes,
and the same problem reappears in blue.

Using HTTPS, WebDAV, or any other of the securable problems reduces
the challenge to IP/MAC-based authentication, which is easy to
subvert.

So these are the four possible ways I can think of, and not a single
one is satisfactory.

What would you do? What have you done in a similar situation?

-- 
Martin F. Krafft                Artificial Intelligence Laboratory
Ph.D. Student                   Department of Information Technology
Email: krafft@ailab.ch          University of Zurich
Tel: +41.(0)44.63-54323         Andreasstrasse 15, Office 2.18
http://ailab.ch/people/krafft   CH-8050 Zurich, Switzerland
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
Spamtraps: krafft.bogus@ailab.ch krafft.bogus@ifi.unizh.ch
 
"the vast majority of our imports come from outside the country."  
                                                      - george w. bush 
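The worry in the post is that blindly feeding ssh-keyscan output into the global known_hosts database lets any machine on the wire enrol itself. The following is an added example, not code from the original post or from FAI: it reconciles scan output against the existing ssh_known_hosts, accepting new keys only for hosts on an install roster, and reports (rather than overwrites) a host whose key differs from the one on file. All host names and key material are constructed.

```python
# Sample known_hosts and ssh-keyscan output; constructed, not real keys.
KNOWN_HOSTS = """\
node01,10.0.0.1 ssh-rsa AAAAB3NODE01OLDKEY
node02 ssh-rsa AAAAB3NODE02KEY
"""
SCAN_OUTPUT = """\
# node01:22 SSH-2.0-OpenSSH_3.8.1p1
node01 ssh-rsa AAAAB3NODE01NEWKEY
node02 ssh-rsa AAAAB3NODE02KEY
node03 ssh-rsa AAAAB3NODE03KEY
laptop ssh-rsa AAAAB3ROGUEKEY
"""
# Hypothetical install roster: the only hosts allowed to appear at all.
ROSTER = {"node01", "node02", "node03"}


def parse_keys(text):
    """Map (host, keytype) -> key for known_hosts or ssh-keyscan lines.

    Comma-separated aliases on a known_hosts line each get an entry;
    blank lines and '#' comments (ssh-keyscan prints them) are skipped.
    """
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, key = line.split()[:3]
        for host in hosts.split(","):
            keys[(host, keytype)] = key
    return keys


def reconcile(known_text, scan_text, roster):
    """Return (merged_lines, changed, rejected).

    merged_lines: existing entries plus keys of roster hosts not yet on file
    changed:      roster hosts whose scanned key differs from the one on file
    rejected:     scanned hosts that are not on the roster at all
    """
    known = parse_keys(known_text)
    merged = [l for l in known_text.splitlines() if l.strip()]
    changed, rejected = set(), set()
    for (host, keytype), key in parse_keys(scan_text).items():
        if host not in roster:
            rejected.add(host)            # never enrolled automatically
        elif (host, keytype) not in known:
            merged.append(f"{host} {keytype} {key}")  # fresh install
        elif known[(host, keytype)] != key:
            changed.add(host)             # reinstall or something else
    return merged, sorted(changed), sorted(rejected)
```

A changed key still needs a human to confirm the node really was reinstalled, which is exactly the step the post is reluctant to automate away.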
