On Mon, Jan 10, 2005 at 08:37:06PM -0800, ridge (ridge236@yahoo.com) wrote:
> Hello all,
>
> I'm casting about for suggestions or recommendations for a
> Debian-based "rescue" CD that would be appropriate for maintenance of
> a "headless" machine--i.e., one with no monitor, keyboard or mouse.

How about KVM (possibly networked) or serial console? These increase your
flexibility markedly.

> The machine is configured to boot from CD if one is available, so it
> should be a matter of just popping the CD in the drive and flipping a
> switch. All hardware detection needs to be automatic, and done without
> any user intervention, of course, as none is really possible. No video
> card detection is needed, since there's no video. Neither is X needed.
> The other requirement is that the CD provide root access over ssh,
> either directly or through sudo.
>
> Any thoughts? I've looked through the standard Knoppix/Mepis/Ubuntu,
> but most of them are obviously not engineered with this task in mind.
> There must be something that is, right?

Think about this for a moment:

- You want to boot removable media.
- You want to provide (presumably authenticated) networked services from
  same.

There are some pretty clear reasons why this can't be done on a general
basis. Namely: every version of the bootable system would have the same
authentication tokens. E.g.: same password.

"But it's just a Knoppix (or foo...) system", you say? Well, yeah. But
underneath Knoppix is the disk of the system being rescued or used,
including all data on it. Would be a huge security issue.

Most bootable disks are readily modified, with documentation describing
how to do this (Knoppix and LNX-BBC would be good starting points). What
you need to do is:

- Copy your public SSH key to the account(s) you wish to remotely access.
  This means you *can* access the system, but other users can't. That's
  $HOME/.ssh/authorized_keys. Make sure you get permissions straight.
- Check the SSH configuration and ensure it allows RSA key, but *not*
  password, authentication.
- Modify sysvinit to run sshd by default at boot.
- Test the configuration.

That should give you a system that boots, finds network (provided a DHCP
server), and allows SSH connections from a known key. All in all, pretty
secure. Of course, you're limiting access to a single key; if you don't
have the private part of the keypair, you're SOL.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>  http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
  Economics doesn't change ethics. It makes giving up hypocrisy cheaper.
  - Stephen J. Turnbull
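The four-step remaster procedure in Karsten's reply, staged against an unpacked CD root tree and then checked, as an added example that is not part of the original thread. It assumes a Knoppix-style image whose root filesystem has been extracted to a directory (called ROOT here), that the account being exposed is root, and that the image uses sysvinit with Debian's /etc/init.d/ssh script; the key material in the demo is constructed, not a real key. The check function applies two caveats a practitioner wants before burning: sshd takes the first occurrence of a keyword in sshd_config, so a setting appended at the end does not override an earlier "PasswordAuthentication yes", and sshd's StrictModes silently ignores an authorized_keys file whose permissions are loose.

```shell
#!/bin/sh
# Added example; not from the original thread. Stages key-only ssh access
# into an unpacked rescue-CD root tree and verifies it. Assumptions: ROOT is
# the extracted image filesystem, the account is root, sysvinit with
# /etc/init.d/ssh (Debian's name). Plain POSIX sh, no root needed to stage.

# Directives we take control of. sshd honours the FIRST occurrence of a
# keyword, so competing lines must be removed before ours are appended.
KEYWORDS='PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|PermitEmptyPasswords|PermitRootLogin'

# effective_setting CFG KEYWORD: print the value sshd would actually use
effective_setting() {
    grep -Ei "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# harden_rescue_tree ROOT PUBKEY_FILE
harden_rescue_tree() {
    root=$1
    pubkey=$2
    # Every copy of the CD carries whatever lands here; refuse a private key.
    if grep -q 'PRIVATE KEY' "$pubkey"; then
        echo "refusing: $pubkey looks like a private key" >&2; return 1
    fi
    # Step 1: authorized_keys with the permissions StrictModes insists on
    mkdir -p "$root/root/.ssh"
    chmod 700 "$root/root" "$root/root/.ssh"
    cp "$pubkey" "$root/root/.ssh/authorized_keys"
    chmod 600 "$root/root/.ssh/authorized_keys"
    # Step 2: sshd_config, key-only; drop the stock image's competing lines first
    mkdir -p "$root/etc/ssh"
    cfg=$root/etc/ssh/sshd_config
    if [ -f "$cfg" ]; then
        grep -Eiv "^[[:space:]]*($KEYWORDS)[[:space:]]" "$cfg" > "$cfg.new" || true
        mv "$cfg.new" "$cfg"
    fi
    cat >> "$cfg" <<'EOF'
# rescue CD: a known key is the only way in
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin without-password
EOF
    # Step 3: sysvinit, start sshd in the multi-user runlevels (what
    # "update-rc.d ssh defaults" would create)
    for rl in 2 3 4 5; do
        mkdir -p "$root/etc/rc$rl.d"
        ln -sf ../init.d/ssh "$root/etc/rc$rl.d/S20ssh"
    done
}

# check_rescue_tree ROOT: step 4, return 0 only if key-only access is enforced
check_rescue_tree() {
    root=$1
    cfg=$root/etc/ssh/sshd_config
    ak=$root/root/.ssh/authorized_keys
    [ -s "$ak" ] || { echo "FAIL: no authorized_keys"; return 1; }
    [ "$(ls -ld "$ak" | cut -c1-10)" = '-rw-------' ] || { echo "FAIL: authorized_keys must be 0600"; return 1; }
    [ "$(ls -ld "$root/root/.ssh" | cut -c1-10)" = 'drwx------' ] || { echo "FAIL: ~/.ssh must be 0700"; return 1; }
    [ "$(effective_setting "$cfg" PubkeyAuthentication)" = yes ] || { echo "FAIL: pubkey auth off"; return 1; }
    [ "$(effective_setting "$cfg" PasswordAuthentication)" = no ] || { echo "FAIL: password auth still on"; return 1; }
    # keyboard-interactive is a second road to a password prompt; it must be off too
    [ "$(effective_setting "$cfg" ChallengeResponseAuthentication)" = no ] || { echo "FAIL: challenge-response on"; return 1; }
    [ -L "$root/etc/rc2.d/S20ssh" ] || { echo "FAIL: sshd not started at boot"; return 1; }
    echo "OK: key-only ssh, sshd started in runlevel 2"
}

# demo: throwaway tree that starts in the stock-image state (password auth on)
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/etc/ssh"
    printf 'PasswordAuthentication yes\nPermitRootLogin yes\n' > "$tree/etc/ssh/sshd_config"
    # constructed placeholder, not a real key
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed== rescue@example\n' > "$tree/key.pub"
    harden_rescue_tree "$tree" "$tree/key.pub"
    if check_rescue_tree "$tree"; then rc=0; else rc=1; fi
    rm -rf "$tree"
    return $rc
}

demo
```

Run it against the real extracted tree with `harden_rescue_tree /path/to/unpacked-root ~/.ssh/id_rsa.pub` and then `check_rescue_tree /path/to/unpacked-root` before repacking the image; the demo only exercises a temporary directory. The check reads the effective value the way sshd does (first match), which is what catches a stock sshd_config that still says "PasswordAuthentication yes" above your appended lines.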