
Re: distributing SSH keys in a cluster environment



On Sat, Oct 30, 2004 at 12:37:31AM +0200, martin f krafft wrote:
> also sprach Craig Sanders <cas@taz.net.au> [2004.10.30.0015 +0200]:
> > 3. when a machine is being built or rebuilt, install the correct
> > ssh keys in /etc/ssh.  they can be fetched via password-protected
> > http or https or ftp or even tftp, then decrypted and untarred.
> > since they're encrypted you don't have to be completely paranoid
> > about them - normal security precautions are adequate. 
> 
> well, the decryption requires a password, so the installation is not
> unattended anymore. since we have a number of headless number
> crunchers in the cluster, this is essential.

you could do it without the encryption and pass-phrase (or write an expect-type
script but that would require putting the pass-phrase in plaintext in the
script, which defeats the purpose of having a password), but then you'd have to
be much more careful about access to the key files.

> i am beginning to believe that i am looking for a solution where none
> exists...

you probably won't get it completely automated if you care about security of the
ssh keys.  mostly automated with some manual intervention is the best you can
expect.

of course, you can be a bit looser with keys if you're confident that
physical access to the machines AND to the network segment they are on is
properly restricted, AND you have firewall or other access rules to prevent
external machines from fetching the key files.

craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)
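The build-time step from point 3 of the quoted message (fetch an encrypted tarball of host keys, decrypt it, untar it into /etc/ssh), written out as a shell script. This is an added example, not code from the thread or from Craig. It assumes an openssl-encrypted tarball served over password-protected HTTPS, a netrc file for the HTTP password and a passphrase file for the decryption, both kept root-only (the paths /root/.keyserver.netrc and /root/.keybundle.pass and the URL keyserver.example.internal are hypothetical). That is exactly the trade-off the reply describes: the run is unattended only because the secrets sit on disk, so the script refuses to use a secret file that anyone but its owner can read, and it pins the permissions sshd expects on the installed keys.

```shell
#!/bin/sh
# Added example, not from the original thread. Provisions sshd host keys on a
# freshly built cluster node in the "mostly automated" style discussed above.
# Assumptions (mine, not the thread's):
#   - each host's keys live in a tarball encrypted with a symmetric passphrase
#     (openssl enc) and are served over password-protected HTTPS;
#   - KEY_CREDS (netrc with the HTTP password) and KEY_PASSFILE (decryption
#     passphrase) are root-only files on the build image, so the run needs no
#     operator but anyone who can read those files can read the keys.
set -eu

KEY_URL="${KEY_URL:-https://keyserver.example.internal/keys/$(hostname).tar.enc}"  # hypothetical URL
KEY_CREDS="${KEY_CREDS:-/root/.keyserver.netrc}"      # hypothetical path, expected mode 0600
KEY_PASSFILE="${KEY_PASSFILE:-/root/.keybundle.pass}" # hypothetical path, expected mode 0600
SSH_DIR="${SSH_DIR:-/etc/ssh}"

# Return success only if the secret file is readable by its owner alone.
check_secret_perms() {
    f="$1"
    mode=$(stat -c '%a' "$f")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Fetch the encrypted bundle over HTTPS. The password comes from a netrc
# file, never from argv, where it would show up in ps output and history.
fetch_bundle() {
    url="$1"; creds="$2"; out="$3"
    check_secret_perms "$creds"
    curl --fail --silent --show-error --netrc-file "$creds" -o "$out" "$url"
}

# Decrypt the bundle with the passphrase read from a root-only file.
decrypt_bundle() {
    enc="$1"; passfile="$2"; out="$3"
    check_secret_perms "$passfile"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" -in "$enc" -out "$out"
}

# Unpack the key files into the ssh directory and pin the permissions sshd
# expects: private keys 0600, public keys 0644. The tarball's own modes are
# not trusted, since the archive may have been created with a loose umask.
install_keys() {
    tarball="$1"; dest="$2"
    mkdir -p "$dest"
    tar -xf "$tarball" -C "$dest"
    for key in "$dest"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        chmod 600 "$key"
        chmod 644 "$key.pub" 2>/dev/null || true
    done
}

# Octal mode of a file, used to verify the result of install_keys.
file_mode() { stat -c '%a' "$1"; }

# The whole sequence, as it would run from a post-install hook.
provision_host_keys() {
    tmp=$(mktemp -d)
    fetch_bundle "$KEY_URL" "$KEY_CREDS" "$tmp/keys.tar.enc"
    decrypt_bundle "$tmp/keys.tar.enc" "$KEY_PASSFILE" "$tmp/keys.tar"
    install_keys "$tmp/keys.tar" "$SSH_DIR"
    rm -rf "$tmp"
}

if [ "${1:-}" = "run" ]; then
    provision_host_keys
fi
```

Invoke it as `sh provision-host-keys.sh run` from the installer's post-install hook. The fetch, decrypt and install steps are separate functions so the decrypt-and-install half can be exercised against a local file on a workstation, without a key server, before the image is rolled out.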
