[Infrastructures] Distributing private key information at install time

[Willemse, Menno]

Hello World,

Thanks to all those who responded. The prevailing wisdom seems to be that you use a boot CD with a temporary key to do the re-install, or that you somehow keep the old keys on the system where they won't be erased by the reinstall. A different hard disk was suggested, but a USB key, floppy or a CD would probably work just as well. All of these methods are of course sensitive to the media being stolen, but that's something we'll just have to live with.

I think I'll set things up so that the install image has a key in that allows you to get the proper key from the install server. The installation image will only be NFS-exported to the machines that need it, as long as they need it. This will lead to exposure while the machine downloads its install images, but so be it.

I'll also have a good look at ssh-keyscan and centralising the known_hosts file. That may be another way around this problem: after a reinstall, scan the box' host key and have all other machines pull down the file on a regular basis.

Cheers,
Menno 

-- 
Menno Willemse - John Guest IT Department
Tel: 01895-449233 ext 290 Email: menno.willemse@johnguest.co.uk
There is no Cabal.

Internet communications are not secure and therefore John Guest companies do not accept legal responsibility for the contents of this message.  Any views or opinions presented are solely those of the author and do not necessarily represent those of John Guest companies.