On Sep 12, 2011, at 12:04, Bastian Blank wrote:
> On Mon, Sep 12, 2011 at 10:56:05AM -0400, Kyle Moffett wrote:
>> Specifically, my patch allows you to enable both password and public-key auth,
>> by preseeding both a password and the authorized_keys URL. If you don't
>> want to enable password authentication, you can preseed "password-disabled"
>> instead.
>
> Please explain the use for this.
>
> Anyway. Please append the key to the initrd instead of using another
> insecure transport. Or are you prepared to actually check the validity
> of the keys?

Bastian,

The intent of this is that the virtualization system provides an HTTP service on 169.254.169.254 which is unique for each and every VM. The traffic goes directly to the management plane; it is unspoofable and unsnoopable, so it is just as secure as the virtual hard disks that you install onto.

Certain provisioning metadata (such as public user SSH keys) can be obtained from that HTTP server, e.g.:

http://169.254.169.254/2007-09-19/meta-data/public-keys/0/openssh-key

So the intent is to be able to preseed that URL (which is always the same value for Amazon EC2 and possibly other virtualization systems) into the Debian-Installer. That allows me to start up virtual installers with different security parameters using the native EC2 provisioning tools, without having to upload a new image each time.

I assume that if your initramfs includes HTTPS support then you could also use a secured HTTPS URL, but that's unnecessary for the virtual infrastructure use-case.

Cheers,
Kyle Moffett
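
As an added example (not part of this thread or of the patch under discussion), here is a structural check that could be run in Python over the body fetched from a preseeded authorized_keys URL before it is installed. It verifies format only and says nothing about who a key belongs to; the allowed key types, the size cap, the function names and the sample lines are assumptions constructed for the example.

```python
import base64

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}  # assumed policy
MAX_BODY = 16 * 1024  # assumed cap on the fetched response, in bytes

def parse_key_line(line):
    """Return (type, base64, comment) for a bare, well-formed key line, else None."""
    fields = line.split(None, 2)
    # First field must be the key type, so lines led by options (command=...) are refused.
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    n = int.from_bytes(blob[:4], "big")
    # The blob opens with a length-prefixed copy of the key type, then the key data.
    if blob[4:4 + n] != fields[0].encode() or len(blob) <= 4 + n:
        return None
    return fields[0], fields[1], fields[2].strip() if len(fields) > 2 else ""

def filter_authorized_keys(body):
    """Split a fetched body (bytes) into (accepted, rejected) key lines."""
    if len(body) > MAX_BODY:
        raise ValueError("response larger than MAX_BODY")
    accepted, rejected = [], []
    for raw in body.decode("ascii").splitlines():  # non-ASCII raises ValueError
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_key_line(line)
        if parsed:
            accepted.append(" ".join(p for p in parsed if p))
        else:
            rejected.append(line)
    return accepted, rejected

def constructed_key(declared, embedded):
    """Build a sample line with all-zero key data (constructed, not a real key)."""
    blob = len(embedded).to_bytes(4, "big") + embedded.encode() + (32).to_bytes(4, "big") + bytes(32)
    return f"{declared} {base64.b64encode(blob).decode()} constructed@example"

SAMPLE = "\n".join([
    constructed_key("ssh-ed25519", "ssh-ed25519"),   # well-formed
    constructed_key("ssh-rsa", "ssh-ed25519"),       # declared type differs from blob
    'command="echo constructed" ' + constructed_key("ssh-ed25519", "ssh-ed25519"),
    "<html><body>404 Not Found</body></html>",       # error page instead of a key
]).encode()
```

Only lines returned in the accepted list would be written to authorized_keys; a non-empty rejected list is worth logging, since it usually means the URL returned something other than a key file.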