Re: distributing SSH keys in a cluster environment

To: debian-isp@lists.debian.org
Subject: Re: distributing SSH keys in a cluster environment
From: Blair Strang <bls@nanocorp.net.nz>
Date: Sat, 30 Oct 2004 13:37:10 +1300
Message-id: <[🔎] 4182E236.8040205@nanocorp.net.nz>
In-reply-to: <[🔎] 20041029235059.GF30175@radix.cryptio.net>
References: <[🔎] 20041029170302.GA22871@cirrus.madduck.net> <[🔎] 20041029225932.GE30175@radix.cryptio.net> <[🔎] 20041029233533.GB3839@cirrus.madduck.net> <[🔎] 20041029235059.GF30175@radix.cryptio.net>


Based on a cursory look at how FAI works, if you're worried about
a 'laptop attack' -- i.e, an untrusted person with access to your network
media -- I think there are more problems than just SSH keys.

None of the tftp/dhcp/pxe stuff is really designed with security
in mind.  It seems to me that anyone could compromise an initial install
by messing with the boot process.  Noisy, but do-able.

[Unless I've misunderstood the threat model you're positing here]

From this point of view, I can see no reason not to just jigger a fixed
host key for the initial install, followed by a keychange over SSH.  Mark's
suggestion also seemed good.

Regards,

    Blair.

Reply to:

Follow-Ups:
- Re: distributing SSH keys in a cluster environment
  - From: martin f krafft <madduck@debian.org>

References:
- distributing SSH keys in a cluster environment
  - From: Martin F Krafft <krafft@ailab.ch>
- Re: distributing SSH keys in a cluster environment
  - From: Mark Ferlatte <ferlatte@cryptio.net>
- Re: distributing SSH keys in a cluster environment
  - From: martin f krafft <madduck@debian.org>
- Re: distributing SSH keys in a cluster environment
  - From: Mark Ferlatte <ferlatte@cryptio.net>

Prev by Date: Re: distributing SSH keys in a cluster environment
Next by Date: Re: distributing SSH keys in a cluster environment
Previous by thread: Re: distributing SSH keys in a cluster environment
Next by thread: Re: distributing SSH keys in a cluster environment
Index(es):
- Date
- Thread