Willemse, Menno | 2 Oct 2006 18:07

Distributing private key information at install time

Hello World,

Here's a problem that I'm sure some of the larger sites have solved already, and that just isn't irritating
enough for me to solve it here and now due to a lack of circular tuits. Since there is an infrastructure angle
to this, I decided to post it here.

Whenever I reinstall a machine, I set up secure shell on the box, and every time it will run ssh-keygen to make
host keys. And then SSH gets all annoyed at me because the host key has changed and I have to remove it from
known_hosts to assure SSH that it's all right really. Not just me, actually. Everybody has to do that for
each name under which they ever accessed the box. So what you really need is a way to restore the original
host keys, so that all the ssh clients will have the correct information already.

This always gets me thinking: Is there a cryptographically sound way to restore the key information to the
client from a file on the install server? You can't get it from an NFS server. My first instinct is to create
an install image with a known private key, and to trust that key to fetch the real key at install time. But
this is obviously vulnerable to the install image's key being stolen. It needs to be on an NFS server as I use
NIM for AIX. For Linux, it's FAI.

Now I know that the only truly secure method is to carry the key over to the machine in question on a floppy and
then burn the floppy, but I'm willing to settle for "Reasonably Secure", as long as the whole method is
hands-off. I may not have that many Unix boxes now, but we may get a lot of Linux workstations in the future.

What is everybody else doing?

Cheers,
   Menno Willemse

-- 
Menno Willemse - John Guest IT Department
Tel: 01895-449233 ext 290 Email: menno.willemse <at> johnguest.co.uk

Daniel Clark | 4 Oct 2006 02:34

Re: Distributing private key information at install time

On 10/2/06, Willemse, Menno <Menno.Willemse <at> johnguest.co.uk> wrote:
> Hello World,
>
> Here's a problem that I'm sure some of the larger sites have solved already, and that just isn't irritating
> enough for me to solve it here and now due to a lack of circular tuits. Since there is an infrastructure angle
> to this, I decided to post it here.
>
> Whenever I reinstall a machine, I set up secure shell on the box, and every time it will run ssh-keygen to
> make host keys. And then SSH gets all annoyed at me because the host key has changed and I have to remove it
> from known_hosts to assure SSH that it's all right really. Not just me, actually. Everybody has to do that
> for each name under which they ever accessed the box. So what you really need is a way to restore the original
> host keys, so that all the ssh clients will have the correct information already.
>
> This always gets me thinking: Is there a cryptographically sound way to restore the key information to the
> client from a file on the install server? You can't get it from an NFS server. My first instinct is to create
> an install image with a known private key, and to trust that key to fetch the real key at install time. But
> this is obviously vulnerable to the install image's key being stolen. It needs to be on an NFS server as I use
> NIM for AIX. For Linux, it's FAI.
>
> Now I know that the only truly secure method is to carry the key over to the machine in question on a floppy and
> then burn the floppy, but I'm willing to settle for "Reasonably Secure", as long as the whole method is
> hands-off. I may not have that many Unix boxes now, but we may get a lot of Linux workstations in the future.
>
> What is everybody else doing?

This is one of the main plugin-system example cases for the Bcfg2
(http://www.bcfg2.org) configuration management system.

"[This problem] makes the ideal case for the plugin interface, since
(a) all admins know the problem well, and (b) can easily envision a

Wesley Craig | 3 Oct 2006 02:53

Re: Distributing private key information at install time

On 02 Oct 2006, at 12:07, Willemse, Menno wrote:
> This always gets me thinking: Is there a cryptographically sound
> way to restore the key information to the client from a file on the
> install server?

We give admins boot CDs which contain an individualized key which
expires.  The admin can burn this CD with a short expiration many
times, if they happen to be installing a large number of machines.
Typically they carry a CD with a longer term key with them, for
troubleshooting.  The key on the CD identifies the admin to the
centralized server(s), so they are allowed to retrieve the ssh key
files (among other things) that they're responsible for.  Downside
of the system is that CDs might be stolen.

:wes

Daniel Hagerty | 2 Oct 2006 20:20

Distributing private key information at install time

> Whenever I reinstall a machine, I set up secure shell on the box,
> and every time it will run ssh-keygen to make host keys. And then
> SSH gets all annoyed at me because the host key has changed and I
> have to remove it from known_hosts to assure SSH that it's all right
> really. Not just me, actually. Everybody has to do that for each
> name under which they ever accessed the box. So what you really
> need is a way to restore the original host keys, so that all the
> ssh clients will have the correct information already.

    Well, there's a different problem that you have some chance of
running into: what do you do if you're regenerating a key because a
machine was compromised?  You really do want to burn the old key at
that point.

    You want to centralize the ssh_known_hosts file for your site to
the /etc version.  Ssh provides some tools for doing this, although
what they give you isn't quite a 100% solution.  Take a look at
ssh-keyscan.
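
A concrete version of the centralized ssh_known_hosts that Daniel suggests, built on ssh-keyscan. It addresses Menno's original complaint (every reinstall changes the host key and every client has to clean up) and Daniel's caveat (a key that changed because the box was compromised must not be silently accepted): the merge step reports any host whose key differs from the previous site-wide file and exits non-zero so the publish step stops until someone confirms the change was a planned reinstall. This is an added example, not code from anyone in the thread; the file paths, host names and key blobs are constructed, and the key types passed to ssh-keyscan are an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a site-wide
# /etc/ssh/ssh_known_hosts in sync with ssh-keyscan output, and refuse to
# silently accept a host whose key has changed (reinstall or compromise).
# Assumes OpenSSH's ssh-keyscan; paths and host names are illustrative.

# scan_hosts HOSTFILE  -> known_hosts lines on stdout
# HOSTFILE lists one host per line (the format ssh-keyscan -f reads).
# The key types are an assumption; use the ones your sshd actually serves.
scan_hosts() {
    ssh-keyscan -t ed25519,rsa -f "$1" 2>/dev/null | sort
}

# merge_known_hosts OLD NEW OUT
#   OLD: current site-wide ssh_known_hosts (may not exist yet)
#   NEW: fresh scan output ("host keytype base64key")
#   OUT: merged file to write
# Prints "CHANGED host keytype" for every host whose key differs from OLD
# and returns 2 in that case, so a cron job stops and a human decides whether
# the change was a planned reinstall or something to investigate.
# Hosts present in OLD but absent from NEW (down during the scan) are kept
# and reported as "UNSCANNED".  @cert-authority / @revoked marker lines in
# OLD are copied through untouched.
merge_known_hosts() {
    old=$1 new=$2 out=$3
    [ -f "$old" ] || old=/dev/null
    : > "$out"
    awk -v out="$out" '
        /^#/ || NF < 3 { next }                              # comments, junk
        /^@/           { if (mode == "old") print > out; next }
        mode == "old"  { oldkey[$1 " " $2] = $3; next }      # index OLD
        {
            k = $1 " " $2                                    # host + key type
            if ((k in oldkey) && oldkey[k] != $3) { print "CHANGED " k; changed = 1 }
            if (!(k in newkey)) order[++n] = k               # keep scan order
            newkey[k] = $3
        }
        END {
            for (k in oldkey) if (!(k in newkey)) {
                print "UNSCANNED " k
                print k " " oldkey[k] > out
            }
            for (i = 1; i <= n; i++) print order[i] " " newkey[order[i]] > out
            exit (changed ? 2 : 0)
        }
    ' mode=old "$old" mode=new "$new"
}

# demo: run the merge on constructed data (fake hosts, fake key blobs).
# alpha kept its key, beta was reinstalled and has a new key, gamma was
# unreachable during the scan.  Prints the report and the merged file and
# returns the merge status (2 here, because of beta).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/old" <<'EOF'
# previous site-wide file (constructed)
alpha.example.net ssh-ed25519 AAAAconstructed_alpha_key_v1
beta.example.net ssh-ed25519 AAAAconstructed_beta_key_v1
gamma.example.net ssh-ed25519 AAAAconstructed_gamma_key_v1
EOF
    cat > "$dir/new" <<'EOF'
alpha.example.net ssh-ed25519 AAAAconstructed_alpha_key_v1
beta.example.net ssh-ed25519 AAAAconstructed_beta_key_v2
EOF
    rc=0
    merge_known_hosts "$dir/old" "$dir/new" "$dir/merged" || rc=$?
    echo "--- merged file ---"
    cat "$dir/merged"
    rm -rf "$dir"
    return "$rc"
}

# A real run from cron on the install server (paths are assumptions):
#   scan_hosts /etc/ssh/site-hosts.txt > /tmp/scan.$$ &&
#   merge_known_hosts /etc/ssh/ssh_known_hosts /tmp/scan.$$ /etc/ssh/ssh_known_hosts.new &&
#   mv /etc/ssh/ssh_known_hosts.new /etc/ssh/ssh_known_hosts
# Because of the && chain, a CHANGED report blocks the mv until someone looks.

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh merge_known_hosts.sh demo` to see the report on the constructed data. The merged file, once it is published to every client's /etc/ssh/ssh_known_hosts, is what stops the known_hosts clean-up after a reinstall; the CHANGED gate is what keeps that convenience from turning into "accept whatever key the box shows today".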
