Re: distributing SSH keys in a cluster environment
On Fri, 29 Oct 2004 19:03:02 +0200, Martin wrote in message
<[🔎] 20041029170302.GA22871@cirrus.madduck.net>:
> Dear wizards,
>
> [I assume cluster stuff to be better here than -user. Please tell me
> if you think otherwise]
>
> We have just converted our 40 node cluster to FAI and now it's
> running shiny sarge at the press of the on button. Thanks to Thomas
> Lange for a really incredible solution (FAI), and Mark Burgess for
> cfengine2!
>
> As far as I can tell, there remains one problem: we use SSH
> hostbased authentication between the nodes, and while I finally got
> that to work, every machine gets a new host key on every
> reinstallation, requiring the global database to be updated. Of
> course, ssh-keyscan makes that easy, but people *will* forget to
> call it, and I refuse to automate the process because there is
> almost no intrusion detection going on, so that it would be trivial
> to take a get access to the cluster with a laptop. As it stands,
> I kept the attack vector small with respect to the data stored on
> the cluster, physical security is good, and the whole thing is
> behind a fascist firewall anyway.
>
> So what can I do about these SSH keys?
..have each node scp those keys and whatever else you want from
the boot server, say from each node's /etc/rc.local. _Combine_ some
node hardware based ID schemes, say nics mac addresses, cpuid, etc.
--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
Reply to: