[Infrastructures] Distributing private key information at install time
Willemse, Menno
Menno.Willemse@johnguest.co.uk
Mon, 2 Oct 2006 17:07:29 +0100
Hello World,
Here's a problem that I'm sure some of the larger sites have solved already, and that just isn't irritating enough for me to solve it here and now due to a lack of circular tuits. Since there is an infrastructure angle to this, I decided to post it here.
Whenever I reinstall a machine, I set up secure shell on the box, and every time it will run ssh-keygen to make host keys. And then SSH gets all annoyed at me because the host key has changed and I have to remove it from known_hosts to assure SSH that it's all right really. Not just me, actually. Everybody has to do that for each name under which they ever accessed the box. So what you really need is a way to restore the original host keys, so that all the ssh clients will have the correct information already.
This always gets me thinking: Is there a cryptographically sound way to restore the key information to the client from a file on the install server? You can't get it from an NFS server. My first instinct is to create an install image with a known private key, and to trust that key to fetch the real key at install time. But this is obviously vulnerable to the install image's key being stolen. It needs to be on an NFS server as I use NIM for AIX. For Linux, it's FAI.
Now I know that the only truly secure method is to carry the key over to the machine in question on a floppy and then burn the floppy, but I'm willing to settle for "Reasonably Secure", as long as the whole method is hands-off. I may not have that many Unix boxes now, but we may get a lot of Linux workstations in the future.
What is everybody else doing?
Cheers,
Menno Willemse
--
Menno Willemse - John Guest IT Department
Tel: 01895-449233 ext 290 Email: menno.willemse@johnguest.co.uk
You know it's Enterprise Software when the vendor freebie is a red shirt.
-- AdB - Usenet
Internet communications are not secure and therefore John Guest companies do not accept legal responsibility for the contents of this message. Any views or opinions presented are solely those of the author and do not necessarily represent those of John Guest companies.
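The install-time restore the post asks about, as an added example that is not code from the original post nor from NIM or FAI: a Python sketch of the "known secret in the install image" design. The install server (the NFS export) only ever holds an encrypted and authenticated bundle per host; the installer decrypts it with the secret baked into the image and checks the HMAC before writing anything into the sshd key directory. Because the standard library has no AES, encryption here is HMAC-SHA256 run in counter mode, a stand-in for AES-GCM in a real deployment; the hostname is bound into the tag so a bundle for one box cannot be replayed onto another. The key files, hostnames and the image secret are constructed placeholders. The caveat the post already raises still holds: whoever copies the image secret can open every bundle, so in practice the secret should be per host, or the image must be guarded as carefully as the keys themselves.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import struct
import tempfile

# Constructed placeholders standing in for the files sshd keeps under /etc/ssh.
# They are not real keys.
SAMPLE_HOST_KEYS = {
    "ssh_host_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n",
    "ssh_host_rsa_key.pub": b"ssh-rsa AAAAB3...constructed... root@box1\n",
    "ssh_host_dsa_key": b"-----BEGIN DSA PRIVATE KEY-----\nMIIB...constructed...\n-----END DSA PRIVATE KEY-----\n",
}

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def derive_keys(image_secret, hostname):
    """Derive separate encryption and MAC keys for one host from the secret
    that the install image carries (HKDF-Expand style, via HMAC with labels)."""
    label = hostname.encode()
    enc_key = hmac.new(image_secret, b"enc\x00" + label, hashlib.sha256).digest()
    mac_key = hmac.new(image_secret, b"mac\x00" + label, hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a PRF-based stream cipher used here only
    because the standard library ships no AES."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_host_keys(image_secret, hostname, files):
    """Admin side: encrypt-then-MAC the host's key files into one blob that can
    sit on the install server's NFS export."""
    enc_key, mac_key = derive_keys(image_secret, hostname)
    payload = json.dumps({name: base64.b64encode(data).decode()
                          for name, data in sorted(files.items())}).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(payload, keystream(enc_key, nonce, len(payload))))
    header = hostname.encode() + b"\x00"  # hostname is authenticated, not encrypted
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    return header + nonce + ciphertext + tag


def open_host_keys(image_secret, hostname, blob):
    """Install side: refuse anything that is for another host or fails the
    MAC, and only then decrypt. Raises ValueError on any problem."""
    header, sep, rest = blob.partition(b"\x00")
    if not sep or header != hostname.encode():
        raise ValueError("bundle is for a different host")
    if len(rest) < NONCE_LEN + TAG_LEN:
        raise ValueError("bundle is truncated")
    nonce, ciphertext, tag = rest[:NONCE_LEN], rest[NONCE_LEN:-TAG_LEN], rest[-TAG_LEN:]
    enc_key, mac_key = derive_keys(image_secret, hostname)
    expected = hmac.new(mac_key, header + sep + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bundle failed authentication")
    payload = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return {name: base64.b64decode(b64) for name, b64 in json.loads(payload).items()}


def bundle_is_valid(image_secret, hostname, blob):
    """Convenience check: True only if the bundle opens cleanly for this host."""
    try:
        open_host_keys(image_secret, hostname, blob)
        return True
    except ValueError:
        return False


def install_host_keys(files, dest_dir):
    """Write the restored files with the modes sshd expects (0600 for private
    keys, 0644 for .pub files). Returns the paths written."""
    os.makedirs(dest_dir, mode=0o755, exist_ok=True)
    written = []
    for name, data in files.items():
        path = os.path.join(dest_dir, name)
        mode = 0o644 if name.endswith(".pub") else 0o600
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)  # in case the umask widened the create mode
        written.append(path)
    return written


def round_trip_demo():
    """Seal, 'fetch', open and install into a throwaway directory; returns the
    resulting file modes so the outcome can be checked."""
    image_secret = secrets.token_bytes(32)  # would be baked into the install image
    blob = seal_host_keys(image_secret, "box1.example.org", SAMPLE_HOST_KEYS)
    restored = open_host_keys(image_secret, "box1.example.org", blob)
    paths = install_host_keys(restored, tempfile.mkdtemp())
    return {os.path.basename(p): oct(os.stat(p).st_mode & 0o777) for p in paths}


if __name__ == "__main__":
    print(round_trip_demo())
```

In a NIM or FAI hook the blob would be read from the NFS export, `open_host_keys` called with the image secret, and the files written into /etc/ssh before sshd first starts, so the clients' known_hosts entries keep matching. The "truly secure" floppy method the post mentions differs only in transport: nothing here makes the image secret safer than the medium it ships on.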