
Re: distributing SSH keys in a cluster environment



On Fri, Oct 29, 2004 at 07:03:02PM +0200, Martin F Krafft wrote:
> As far as I can tell, there remains one problem: we use SSH hostbased
> authentication between the nodes, and while I finally got that to
> work, every machine gets a new host key on every reinstallation,
> requiring the global database to be updated. Of course, ssh-keyscan
> makes that easy, but people *will* forget to call it, and I refuse to
> automate the process because there is almost no intrusion detection
> going on, so that it would be trivial to get access to the
> cluster with a laptop. As it stands, I kept the attack vector small
> with respect to the data stored on the cluster, physical security is
> good, and the whole thing is behind a fascist firewall anyway.
>
> So what can I do about these SSH keys?

how about something like this:

1. each node should have gnupg installed, with a public and private key shared
between all machines (with a fiendishly long pass-phrase, of course).  this key
set should be used ONLY for distributing the correct ssh keys to each machine.
make a special account for it or specify the config file to use on the gpg
command line when decrypting.

2. keep a copy of each node's ssh keys in individual .tar.gz files on the
master/boot server machine.  each tar.gz file should be encrypted by gnupg for
the key above, and the filename should indicate the node's hostname or
ip address or some other unique identifier that you can remember when you are
building each node.

3. when a machine is being built or rebuilt, install the correct ssh keys in
/etc/ssh.  they can be fetched via password-protected http or https or ftp or
even tftp, then decrypted and untarred.  since they're encrypted you don't have
to be completely paranoid about them - normal security precautions are
adequate. 

this can be done before ssh is installed (in which case, the post-install
script won't generate new keys), or it can be done after ssh is installed (in
which case, sshd needs to be restarted after the keys are changed).


craig


-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
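
A node-side sketch of step 3 above, added here as an example and not part of craig's post: it decrypts a per-node bundle with the dedicated keyring, rejects any archive member that is not a host key file, and installs the keys with fixed permissions. The keyring path, the bundle naming (`node01.tar.gz.gpg`), the flat archive layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: node-side install of a gpg-encrypted host-key bundle.
# Assumed, not from the post: the keyring path, the flat bundle layout
# (bare ssh_host_* names), and all function names.

GPG_HOME="${GPG_HOME:-/root/.gnupg-hostkeys}"   # hypothetical dedicated keyring

# Decrypt bundle $1 to $2 with the distribution key only; gpg prompts for
# the pass-phrase.
decrypt_bundle() {
    gpg --homedir "$GPG_HOME" --output "$2" --decrypt "$1"
}

# Succeed only if every member is named ssh_host_[<type>_]key or its .pub.
check_members() {
    members=$(tar -tzf "$1") || return 1
    [ -n "$members" ] || return 1
    ! printf '%s\n' "$members" |
        grep -Evq '^ssh_host_([a-z0-9]+_)?key(\.pub)?$'
}

# Unpack tarball $1 into a private staging dir, then copy regular files
# into $2 with fixed modes: 600 for private keys, 644 for .pub files.
install_hostkeys() {
    tarball=$1 dest=$2 rc=0
    check_members "$tarball" || {
        echo "refusing $tarball: unexpected member" >&2
        return 1
    }
    stage=$(mktemp -d) || return 1
    (
        umask 077
        tar -xzf "$tarball" -C "$stage" || exit 1
        for f in "$stage"/ssh_host_*; do
            [ -f "$f" ] && [ ! -L "$f" ] || exit 1   # no links or devices
            case "$f" in *.pub) mode=644 ;; *) mode=600 ;; esac
            install -m "$mode" "$f" "$dest/" || exit 1
        done
    ) || rc=$?
    rm -rf "$stage"
    return "$rc"
}

# On a node (sshd must be restarted afterwards if it is already running):
#   decrypt_bundle node01.tar.gz.gpg /root/node01.tar.gz &&
#       install_hostkeys /root/node01.tar.gz /etc/ssh
```

The bundle has to be created with bare member names (for example `tar -czf node01.tar.gz -C keydir ssh_host_rsa_key ssh_host_rsa_key.pub`), since anything with a path component is refused.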


