Re: server host keys for kvm clones

On 01/04/2012 08:14 PM, Ed Heron wrote:
>   Is there a process for pre-generating keys so these keys
> and .ssh/known_hosts can be pre-filled for all users/hosts?

yes there is..

look at the sshd initscript, and poke the do_*_keygen functions; they
will tell you exactly what happens when those keys are auto-built on
first boot, or when someone removes them.

I use config-management tools in the kickstart %post to drop in
pre-built keys, that also means my management infrastructure already
knows what key-signature to expect on a remote machine when it boots for
the first time and I can do some level of trust management based on
that. Keep in mind that you need to have your provisioning happen in a
fairly secure environment itself, if you are going to add trust points
on signatures like this - especially if they are 'generated' on demand.

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
ICQ: 2522219    | Yahoo IM: z00dax      | Gtalk: z00dax
GnuPG Key : http://www.karan.org/publickey.asc
_______________________________________________
CentOS-virt mailing list
CentOS-virt@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos-virt
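
The approach described in this message, as an added example that is not part of the original post or of the sshd initscript: host keys are generated on the provisioning host before the clone boots, and the matching known_hosts lines are derived from the public halves. The function names, the staging directory layout, the key types (rsa, ed25519) and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message.
# Assumed layout: <stage>/<hostname>/ssh_host_<type>_key[.pub]
# A kickstart %post step or config-management run would then install these
# files as /etc/ssh/ssh_host_<type>_key (private halves mode 0600).

KEY_TYPES="${KEY_TYPES:-rsa ed25519}"   # assumption: key types to pre-build

# pregen_host_keys <stage-dir> <hostname>
# Generates one unencrypted host key pair per type. Existing keys are never
# overwritten, so re-running provisioning does not change a host's identity.
pregen_host_keys() {
    stage=$1; host=$2
    dir="$stage/$host"
    ( umask 077; mkdir -p "$dir" ) || return 1   # staging dir holds private keys
    for type in $KEY_TYPES; do
        key="$dir/ssh_host_${type}_key"
        if [ -f "$key" ]; then
            continue
        fi
        ssh-keygen -q -t "$type" -N '' -C "root@$host" -f "$key" || return 1
    done
    return 0
}

# known_hosts_lines <stage-dir> <hostname> [ip-address]
# Prints one known_hosts entry per public key: "names keytype base64-blob".
known_hosts_lines() {
    stage=$1; host=$2; addr=${3:-}
    names=$host
    if [ -n "$addr" ]; then
        names="$host,$addr"
    fi
    for pub in "$stage/$host"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        # A .pub file is "keytype base64-blob comment"; the comment is dropped.
        read -r ktype blob _comment < "$pub"
        printf '%s %s %s\n' "$names" "$ktype" "$blob"
    done
}

# Usage on the provisioning host (paths are assumptions):
#   pregen_host_keys /srv/provision/hostkeys clone01
#   known_hosts_lines /srv/provision/hostkeys clone01 192.0.2.10 \
#       >> /etc/ssh/ssh_known_hosts
```

The staging directory contains private host keys, so it needs the same protection as the provisioning environment the message refers to.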