On Sat, Oct 30, 2004 at 12:37:31AM +0200, martin f krafft wrote:
> also sprach Craig Sanders <[EMAIL PROTECTED]> [2004.10.30.0015 +0200]:
> > 3. when a machine is being built or rebuilt, install the correct
> > ssh keys in /etc/ssh. they can be fetched via password-protected
> > http or https or ftp or even tftp, then decrypted and untarred.
> > since they're encrypted you don't have to be completely paranoid
> > about them - normal security precautions are adequate.
>
> well, the decryption requires a password, so the installation is not
> unattended anymore. since we have a number of headless number
> crunchers in the cluster, this is essential.
you could do it without the encryption and pass-phrase (or write an expect
type script, but that would require putting the pass-phrase in plaintext in
the script, which defeats the purpose of having a password), but then you'd
have to be much more careful about access to the key files.

> i am beginning to believe that i am looking for a solution where none
> exists...

you probably won't get it completely automated if you care about security of
the ssh keys. mostly automated with some manual intervention is the best you
can expect.

of course, you can be a bit looser with keys if you're confident that
physical access to the machines AND to the network segment they are on is
properly restricted, AND you have firewall or other access rules to prevent
external machines from fetching the key files.

craig

--
craig sanders <[EMAIL PROTECTED]> (part time cyborg)
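The "decrypt, untar into /etc/ssh" step that Craig describes, written out as an added example (this is not code from the thread or from either poster). It takes an already-fetched tarball, decrypts it when the name ends in .enc, refuses archives with absolute or ".." member names, extracts into the target directory, and then forces the permissions sshd requires. The encrypted form is assumed to be "openssl enc -aes-256-cbc -pbkdf2" output unlocked with a passphrase kept in a root-only file, which is the compromise between the two positions above: the passphrase never sits in the script or on a command line, but it still has to be placed on the host by hand (or delivered by whatever restricted channel you trust), so the install is only mostly unattended. All paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: install SSH host keys from a fetched
# tarball into /etc/ssh. The fetch itself (http/https/ftp/tftp) is left to
# the caller; this covers the decrypt, untar and permission steps.
# Assumed: the optional encrypted form is "openssl enc -aes-256-cbc -pbkdf2"
# output, unlocked with a passphrase kept in a root-only file (mode 0400).
set -eu

# install_host_keys ARCHIVE DEST [PASSFILE]
#   ARCHIVE  plain tar, or tar encrypted with openssl enc (name ends in .enc)
#   DEST     directory that will hold the keys, normally /etc/ssh
#   PASSFILE root-only file holding the passphrase (required for .enc)
install_host_keys() {
    archive=$1
    dest=$2
    passfile=${3:-}
    tmpdir=$(mktemp -d)
    plain="$tmpdir/keys.tar"

    case "$archive" in
        *.enc)
            # The passphrase is read from a file: not passed as an argument
            # (visible in ps) and not hard-coded here (the "expect" problem
            # raised in the thread).
            if [ -z "$passfile" ]; then
                echo "install_host_keys: passphrase file required for $archive" >&2
                rm -rf "$tmpdir"; return 1
            fi
            openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$passfile" \
                -in "$archive" -out "$plain"
            ;;
        *)
            cp "$archive" "$plain"
            ;;
    esac

    # Reject members with absolute paths or ".." components so a tampered
    # archive cannot write outside DEST (GNU tar strips these itself, but
    # not every tar does).
    if tar -tf "$plain" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "install_host_keys: unsafe member names in $archive" >&2
        rm -rf "$tmpdir"; return 1
    fi

    mkdir -p "$dest"
    tar -xf "$plain" -C "$dest"
    rm -rf "$tmpdir"

    # sshd refuses a private host key that is group- or world-readable.
    for f in "$dest"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        chmod 600 "$f"
    done
    for f in "$dest"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue
        chmod 644 "$f"
    done
    return 0
}

# host_key_perms_ok DEST: succeeds only if every private key is 0600 and
# every public key is 0644. Useful as a post-install check before sshd
# is restarted.
host_key_perms_ok() {
    dest=$1
    [ -z "$(find "$dest" -name 'ssh_host_*_key' ! -perm 600)" ] &&
        [ -z "$(find "$dest" -name 'ssh_host_*_key.pub' ! -perm 644)" ]
}

# Typical use on a freshly built host (assumed paths):
#   install_host_keys /tmp/hostkeys.tar.enc /etc/ssh /root/hostkeys.pass &&
#       host_key_perms_ok /etc/ssh && service ssh restart
```

If you take the fully unattended route (a plain tar with no passphrase), the same function still applies; what changes is that the key archive is only as safe as the access controls on the server it is fetched from and on the network segment in between, which is the condition Craig attaches to that option.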