on Mon, Jan 10, 2005 at 08:37:06PM -0800, ridge (ridge236@yahoo.com) wrote:
> Hello all,
>
> I'm casting about for suggestions or recommendations for a
> Debian-based "rescue" CD that would be appropriate for maintenance of
> a "headless" machine--i.e., one with no monitor, keyboard or mouse.
How about KVM (possibly networked) or serial console? These increase
your flexibility markedly.
> The machine is configured to boot from CD if one is available, so it
> should be a matter of just popping the CD in the drive and flipping a
> switch. All hardware detection needs to be automatic, and done without
> any user intervention, of course, as none is really possible. No video
> card detection is needed, since there's no video. Neither is X needed.
> The other requirement is that the CD provide root access over ssh,
> either directly or through sudo.
>
> Any thoughts? I've looked through the standard Knoppix/Mepis/Ubuntu,
> but most of them are obviously not engineered with this task in mind.
> There must be something that is, right?
Think about this for a moment:
- You want to boot removable media.
- You want to provide (presumably authenticated) networked services
from same.
There are some pretty clear reasons why this can't be done on a general
basis. Namely: every version of the bootable system would have the
same authentication tokens. E.g.: same password. "But it's just a
Knoppix (or foo...) system", you say? Well, yeah. But underneath
Knoppix is the disk of the system being rescued or used, including all
data on it. Would be a huge security issue.
Most bootable disks are readily modified, with documentation describing
how to do this (Knoppix and LNX-BBC would be good starting points).
What you need to do is:
- Copy your public SSH key to the account(s) you wish to remotely
access. This means you *can* access the system, but other users
can't. That's $HOME/.ssh/authorized_keys. Make sure you get
permissions straight.
- Check the SSH configuration and ensure it allows RSA key, but *not*
password, authentication.
- Modify sysvinit to run sshd by default at boot.
- Test the configuration.
That should give you a system that boots, finds network (provided a DHCP
server), and allows SSH connections from a known key. All in all,
pretty secure.
Of course, you're limiting access to a single key; if you don't have the
private part of the keypair, you're SOL.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Economics doesn't change ethics. It makes giving up hypocrisy cheaper.
- Stephen J. Turnbull
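The four steps in the reply above (public key into authorized_keys with the right permissions, sshd restricted to key authentication, sshd started by sysvinit, then a check) as one shell script. This is an added example, not code from the post or any of the named distributions: it edits an unpacked image tree that you would remaster, not the live system, and the Debian-style paths under that tree and the rc2.d link name S20ssh are assumptions.

```shell
#!/bin/sh
# Added example: TARGET is the root of the extracted rescue-CD filesystem
# (assumed Debian-like layout). Nothing here touches the running system.

# install_key TARGET KEYFILE: root's authorized_keys with the modes sshd's
# StrictModes check requires (700 on ~ and ~/.ssh, 600 on the file).
install_key() {
    t="$1"
    mkdir -p "$t/root/.ssh"
    chmod 700 "$t/root" "$t/root/.ssh"
    cat "$2" > "$t/root/.ssh/authorized_keys"
    chmod 600 "$t/root/.ssh/authorized_keys"
}

# harden_sshd TARGET: keep the existing sshd_config, but replace the
# authentication directives so only public keys are accepted.
harden_sshd() {
    c="$1/etc/ssh/sshd_config"
    mkdir -p "$1/etc/ssh"
    [ -f "$c" ] || : > "$c"
    # strip any earlier setting of the directives we pin, then append ours
    { grep -viE '^[[:space:]]*(PubkeyAuthentication|PasswordAuthentication|ChallengeResponseAuthentication|PermitEmptyPasswords|PermitRootLogin)[[:space:]]' "$c" || true; } > "$c.new"
    cat >> "$c.new" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin without-password
EOF
    mv "$c.new" "$c"
}

# enable_sshd TARGET: sysvinit start link so sshd comes up in runlevel 2
# (link name is an assumption; match the image's own init script name).
enable_sshd() {
    mkdir -p "$1/etc/rc2.d"
    ln -sf ../init.d/ssh "$1/etc/rc2.d/S20ssh"
}

# check_rescue TARGET: the "test the configuration" step. Returns 0 only
# if key auth is on, password auth is off, the key is in place with mode
# 600, and the start link exists.
check_rescue() {
    c="$1/etc/ssh/sshd_config"; k="$1/root/.ssh/authorized_keys"
    grep -qxi 'PasswordAuthentication no' "$c" &&
    ! grep -qxi 'PasswordAuthentication yes' "$c" &&
    grep -qxi 'PubkeyAuthentication yes' "$c" &&
    [ -s "$k" ] &&
    find "$k" -prune -perm 600 | grep -q . &&
    [ -L "$1/etc/rc2.d/S20ssh" ]
}
```

Run the three setup functions against the unpacked tree, then `check_rescue` before you re-master the image; a non-zero exit means one of the four steps is still missing.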