Based on a cursory look at how FAI works, if you're worried about a 'laptop attack' -- i.e, an untrusted person with access to your network media -- I think there are more problems than just SSH keys.
None of the tftp/dhcp/pxe stuff is really designed with security in mind. It seems to me that anyone could compromise an initial install by messing with the boot process. Noisy, but do-able.
[Unless I've misunderstood the threat model you're positing here]
From this point of view, I can see no reason not to just jigger a fixed host key for the initial install, followed by a keychange over SSH. Mark's suggestion also seemed good.
Regards,
Blair.
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
