RFC: User login management through Jumpstart.
Welcome to the dynamic world of Jumpstart, where any machine can be re-installed at any time!
In the next few days most of you may be asked to log in to the newly staged machines in order to perform some tests and troubleshooting.
To allow users to log in right after installation, I suggest keeping the necessary authentication data on the Jumpstart server and redistributing it automatically at the final phase of host staging.
The Jumpstart server is usually considered a public area; therefore such user authentication data must not contain any private information such as UNIX passwords (not even the encrypted hashes) or private keys (even when encrypted with a non-empty passphrase).
/etc/passwd entries (without password hashes) and ssh public keys should be sufficient to generate an adequate user login environment on newly installed machines.
One of the most popular ssh clients is PuTTY. Unfortunately, exporting PuTTY-generated keypairs into a UNIX environment (OpenSSH or ssh.com's Tectia) is much more difficult than importing OpenSSH-generated keys into PuTTY.
Therefore I am asking those who use PuTTY to generate a public/private keypair on any UNIX-like host (Solaris, Linux, AIX, Cygwin) using the "ssh-keygen" program provided with OpenSSH:
    # Log in with your own user credentials (no su/sudo!)
    mkdir -p $HOME/.ssh
    /usr/bin/ssh-keygen -t dsa -f $HOME/.ssh/id_dsa_4_Jumpstart
    # Enter the passphrase twice. A long one. No empty passphrases please!
    cd $HOME/.ssh
    cat id_dsa_4_Jumpstart.pub    # Copy/paste it and send it to me by mail
    cat id_dsa_4_Jumpstart        # Learn it by heart and destroy
All right, the private key can be copied (copy/paste is OK) to the PC where you use PuTTY, and then imported into PuTTY format using "puttygen.exe". Still, don't forget to destroy all extra copies of the private key, and keep this only copy in a safe place (an encrypted USB stick, for instance).
Tell PuTTY to use this private key every time you log in to Jumpstart-generated machines.
For those who don't use PuTTY, please just send me your public keys anyway.