
Re: distributing SSH keys in a cluster environment



On Fri, 29 Oct 2004 19:03:02 +0200, Martin wrote in message 
<20041029170302.GA22871@cirrus.madduck.net>:

> Dear wizards,
> 
> [I assume cluster stuff to be better here than -user. Please tell me
> if you think otherwise]
> 
> We have just converted our 40 node cluster to FAI and now it's
> running shiny sarge at the press of the on button. Thanks to Thomas
> Lange for a really incredible solution (FAI), and Mark Burgess for
> cfengine2!
> 
> As far as I can tell, there remains one problem: we use SSH
> hostbased authentication between the nodes, and while I finally got
> that to work, every machine gets a new host key on every
> reinstallation, requiring the global database to be updated. Of
> course, ssh-keyscan makes that easy, but people *will* forget to
> call it, and I refuse to automate the process because there is
> almost no intrusion detection going on, so that it would be trivial
> to get access to the cluster with a laptop. As it stands,
> I kept the attack vector small with respect to the data stored on
> the cluster, physical security is good, and the whole thing is
> behind a fascist firewall anyway.
> 
> So what can I do about these SSH keys?

..have each node scp those keys and whatever else you want from 
the boot server, say from each node's /etc/rc.local.  _Combine_ some
node hardware-based ID schemes, say NIC MAC addresses, CPUID, etc.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
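The approach Arnt describes above, as an added shell example that is not from the thread: at boot, each node pulls its own persistent host key pair from the boot server, checks it against a manifest, and installs it, so a reinstall no longer produces a fresh host key and the global ssh_known_hosts stays valid. The boot server name `bootsrv`, the export path `/srv/hostkeys/<node>/` and the `MANIFEST` format are assumptions; the boot server's own host key is assumed to be pinned in the node image so the transfer itself cannot be redirected to a stray laptop.

```shell
#!/bin/sh
# Added example, not part of the original thread. Restore a node's persistent
# SSH host keys from the boot server at boot time (e.g. from /etc/rc.local).
# Assumed layout (hypothetical): bootsrv:/srv/hostkeys/<nodename>/ holds
# ssh_host_*_key, ssh_host_*_key.pub and a MANIFEST of sha256 sums.
set -eu

BOOT_SERVER="${BOOT_SERVER:-bootsrv}"   # hypothetical boot server name
KEY_DIR="${KEY_DIR:-/etc/ssh}"

# Fetch this node's key set into the scratch directory $1.
# StrictHostKeyChecking=yes means the copy only succeeds if the boot
# server's host key is already pinned in the image's ssh_known_hosts.
fetch_keys() {
    scratch="$1"
    scp -q -o StrictHostKeyChecking=yes -o BatchMode=yes \
        "root@${BOOT_SERVER}:/srv/hostkeys/$(hostname)/*" "$scratch/"
}

# Check every file listed in $1/MANIFEST (lines: "<sha256>  <filename>").
# Fails if any listed file is missing or does not match its digest.
verify_keys() {
    dir="$1"
    ( cd "$dir" && sha256sum -c --quiet --strict MANIFEST ) >/dev/null 2>&1
}

# Install verified keys from $1 into $2 with the permissions sshd expects:
# private keys 0600, public keys 0644. Returns 1 if verification fails,
# leaving the destination untouched.
install_keys() {
    src="$1"; dest="$2"
    verify_keys "$src" || return 1
    for f in "$src"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        install -m 0600 "$f" "$dest/$(basename "$f")"
        install -m 0644 "$f.pub" "$dest/$(basename "$f").pub"
    done
}

# Typical rc.local usage (needs root and a reachable boot server):
#   tmp=$(mktemp -d) && fetch_keys "$tmp" && install_keys "$tmp" "$KEY_DIR"
#   /etc/init.d/ssh restart
```

After the keys are installed, the node's fingerprint matches the entry already in the global database, so ssh-keyscan no longer needs to be re-run after a reinstall.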


