
List:       cobbler
Subject:    slightly OT - preserving ssh keys
From:       mdehaan () redhat ! com (Michael DeHaan)
Date:       2009-01-29 17:16:02
Message-ID: 4981E452.1040004 () redhat ! com

Douglas Wade Needham wrote:
> Quoting Michael DeHaan (mdehaan at redhat.com):
>   
>>> Tom Brown schrieb:
>>>       
>>>> We use cobbler to build a pretty stateless farm that can be rebuilt 
>>>> pretty fluidly pretty much all the time as you'd expect. I have however 
>>>> never really come up with a great way to preserve ssh keys so that the 
>>>> id does not change when the box gets rebuilt.
>>>>
>>>> Does anyone have any ideas on how to achieve this?
>>>>         
>
> I have a snippet which in %pre pulls down either a tarball previously
> saved from the machine, or a more generic one for the location (our
> data center at work, or my machines at home).  Then I put it into
> place later in the %post steps.  It is not 100% secure at the moment,
> as you just have to be able to guess the name of the tarball, along
> with knowing the way the URL is constructed.  And then there is the
> fact that you have to be on the non-forwarding network on which these
> machines reside (or to which access to these files is restricted via
> a .htaccess rule).  But on my TODO list is to have it handed out by a
> CGI script which looks at things such as the MAC and/or IP address and
> hostname passed to it, and then sends the correct file.  If there is
> interest on the list, I can easily share my snippet.
>   

You can get the IP address of the requester pretty easily. MAC data is 
only transmitted when "kssendmac" is on the kernel options line, that's 
distro specific, and then it's only used when requesting the kickstart.

The other thing I can think of: "the way the URL is constructed" is 
probably accessible based on the cobbler metadata and being able to see 
the kickstart file.

However, providing a way that only allows the system to read the ks file 
if the IP matches /could/ yield something interesting, even though that 
can be spoofed and such.

Something worth exploring?



> - Doug
> _______________________________________________
> cobbler mailing list
> cobbler at lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/cobbler
>   
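Added example, not Doug's snippet and not cobbler project code: the %post half of the scheme described above, restoring saved ssh host keys from a tarball, written so that a tarball fetched from a guessable URL (or one swapped in by whoever can spoof the IP check) is only installed if its SHA-256 matches a digest recorded when the tarball was saved. It assumes the tarball has already been pulled down in %pre and that the expected digest is available to the kickstart (for instance from cobbler metadata); the fetch itself, file names and paths are assumptions, and the demo key material is constructed placeholder text, not real keys.

```shell
#!/bin/sh
# Restore saved ssh host keys from a tarball, refusing anything whose
# SHA-256 does not match the digest recorded when the tarball was saved.
# Hypothetical helper for a kickstart %post step; not from cobbler.

sha256_of() {
    # Print the hex SHA-256 of a file (coreutils sha256sum or perl shasum).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# restore_ssh_host_keys TARBALL EXPECTED_SHA256 DESTDIR
# Exit status: 0 installed, 1 digest mismatch (nothing written), 2 extract error.
restore_ssh_host_keys() {
    tarball=$1; expected=$2; dest=$3
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $tarball: sha256 $actual != $expected" >&2
        return 1
    fi
    mkdir -p "$dest" || return 2
    # --no-same-owner: do not trust the uid/gid stored in the archive.
    tar --no-same-owner -xf "$tarball" -C "$dest" || return 2
    # sshd refuses group/world-readable private keys; tighten modes
    # regardless of how the tarball was packed.
    for f in "$dest"/ssh_host_*_key; do
        [ -f "$f" ] && chmod 0600 "$f"
    done
    for f in "$dest"/ssh_host_*_key.pub; do
        [ -f "$f" ] && chmod 0644 "$f"
    done
    return 0
}

# Constructed demo: pack placeholder files (not real keys) as the "saved"
# tarball, record its digest, then restore into a scratch etc_ssh directory.
demo_good() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src"
    printf 'PLACEHOLDER, not a real private key\n' > "$work/src/ssh_host_ed25519_key"
    printf 'ssh-ed25519 PLACEHOLDER host\n' > "$work/src/ssh_host_ed25519_key.pub"
    tar -cf "$work/keys.tar" -C "$work/src" \
        ssh_host_ed25519_key ssh_host_ed25519_key.pub
    digest=$(sha256_of "$work/keys.tar")   # what the admin would have recorded
    restore_ssh_host_keys "$work/keys.tar" "$digest" "$work/etc_ssh" || return 1
    # Private key present with mode 0600, public key with mode 0644.
    [ -n "$(find "$work/etc_ssh/ssh_host_ed25519_key" -perm 0600)" ] || return 1
    [ -n "$(find "$work/etc_ssh/ssh_host_ed25519_key.pub" -perm 0644)" ] || return 1
    rm -rf "$work"
}

# Constructed demo: a tarball other than the one whose digest was recorded
# (what a swapped or spoofed download looks like) must be refused, and the
# destination must not even be created.
demo_tampered() {
    work=$(mktemp -d) || return 1
    printf 'not the saved tarball\n' > "$work/keys.tar"
    bogus=0000000000000000000000000000000000000000000000000000000000000000
    if restore_ssh_host_keys "$work/keys.tar" "$bogus" "$work/etc_ssh" 2>/dev/null; then
        return 1
    fi
    [ ! -e "$work/etc_ssh" ] || return 1
    rm -rf "$work"
}

# Stand-alone run: both paths should pass.
demo_good && demo_tampered && echo "host key restore demo: ok"
```

In a real %post the digest would be rendered into the kickstart from cobbler metadata per system, so a request that merely guesses the tarball name, or arrives from a spoofed address, still cannot get the installer to drop arbitrary host keys into /etc/ssh.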


