[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: distributing SSH keys in a cluster environment

also sprach Mark Ferlatte <ferlatte@cryptio.net> [2004.10.30.0059 +0200]:
> Very little.  I would use cfengine to push your ssh keys from your
> cfengine host right after FAI.

FWIW, there is no cfengine host (yet). I am still somewhat taken
aback by its complexity. Just reinstalling the machines with FAI
seems simpler and cleaner.

> You could, I suppose allow the nodes to FAI, and generate new
> keys, and have the master scp their correct keys out (ignoring the
> temporary key) and kick sshd.

Well, this is what I was thinking too. Use an unprivileged account
on the master to drop a sentinel, which makes the master distribute
the keys via SSH. That would work, except now the attacker simply
has to disable a machine and take over its IP, drop said sentinel,
and wait for the master to push the SSH keys.

> However, I think this is your best shot for an unattended
> installation where you care about the host keys.

Yeah, possibly you are right.

*This* would be the perfect use for a TPM in the nodes.

> FYI: I use systemimager which is rsync based, so I just end up
> putting the same ssh key on every sim node in the cluster.  Since
> I don't care if node42 is spoofing node21 or or not, this works
> well for me.

We used systemimager for years and it drove us crazy as new hardware
was added and multiple people made changes, causing the images to
get out of sync, and multiple images to be created without people
knowing what they were. Yes, it's a policy issue, really... Now we
have an NFS/LDAP solution managed by FAI, which looks very promising
and flexible.

Please do not send copies of list mail to me; I read the list!
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

Attachment: signature.asc
Description: Digital signature

Reply to: