also sprach Mark Ferlatte <email@example.com> [2004.10.30.0059 +0200]:
> Very little. I would use cfengine to push your ssh keys from your
> cfengine host right after FAI.

FWIW, there is no cfengine host (yet). I am still somewhat taken
aback by its complexity. Just reinstalling the machines with FAI
seems simpler and cleaner.

> You could, I suppose, allow the nodes to FAI, and generate new
> keys, and have the master scp their correct keys out (ignoring the
> temporary key) and kick sshd.

Well, this is what I was thinking too. Use an unprivileged account
on the master to drop a sentinel, which makes the master distribute
the keys via SSH. That would work, except now the attacker simply
has to disable a machine and take over its IP, drop said sentinel,
and wait for the master to push the SSH keys.

> However, I think this is your best shot for an unattended
> installation where you care about the host keys.

Yeah, possibly you are right. *This* would be the perfect use for
a TPM in the nodes.

> FYI: I use systemimager which is rsync based, so I just end up
> putting the same ssh key on every sim node in the cluster. Since
> I don't care if node42 is spoofing node21 or not, this works
> well for me.

We used systemimager for years and it drove us crazy as new hardware
was added and multiple people made changes, causing the images to
get out of sync, and multiple images to be created without people
knowing what they were. Yes, it's a policy issue, really... Now we
have an NFS/LDAP solution managed by FAI, which looks very promising
and flexible.

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.     martin f. krafft <firstname.lastname@example.org>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!