SSH
From SystemImager
Image deployment over insecure network (SSH transport)
IMPORTANT: this HOWTO has been written and tested only with systemimager-3.8.0 or greater.
Image server configuration
- Uncomment the following 2 lines in /etc/systemimager/rsync_stubs/10header:
#hosts allow = 127.0.0.1
#hosts deny = 0.0.0.0/0
- Re-run si_mkrsyncd_conf:
# si_mkrsyncd_conf
- Restart the rsync daemon:
# /etc/init.d/systemimager-server-rsyncd restart
In this way connections to the rsync exported images are refused except from localhost: the rsync daemon is reached through the SSH tunnel once it has been opened, so only sshd on the image server ever talks to it.
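The following shell snippet is an added example, not part of this page or of the SystemImager tools: it uncomments the two lines above in /etc/systemimager/rsync_stubs/10header and checks that both are active before si_mkrsyncd_conf is re-run. The function names enable_localhost_only and rsync_locked_to_localhost are chosen here; the path and the two directives are the ones given above.

```shell
#!/bin/sh
# Added example (not SystemImager code): enable the two localhost-only lines
# in the rsync header stub and verify they are active before si_mkrsyncd_conf
# is re-run. The stub path is the one named on the page.

RSYNC_HEADER=/etc/systemimager/rsync_stubs/10header

# Uncomment "hosts allow = 127.0.0.1" and "hosts deny = 0.0.0.0/0" in the
# given stub file (defaults to the real one). Idempotent: lines that are
# already active are left alone.
enable_localhost_only() {
    f=${1:-$RSYNC_HEADER}
    sed -i -e 's|^#[[:space:]]*hosts allow = 127\.0\.0\.1$|hosts allow = 127.0.0.1|' \
           -e 's|^#[[:space:]]*hosts deny = 0\.0\.0\.0/0$|hosts deny = 0.0.0.0/0|' "$f"
}

# Return 0 only when both directives are present and uncommented, 1 otherwise.
# Run this before regenerating rsyncd.conf and restarting the daemon.
rsync_locked_to_localhost() {
    f=${1:-$RSYNC_HEADER}
    grep -q '^hosts allow = 127\.0\.0\.1$' "$f" &&
    grep -q '^hosts deny = 0\.0\.0\.0/0$' "$f"
}

# Typical use on the image server (kept as a comment so the file can be sourced):
#   enable_localhost_only && rsync_locked_to_localhost && \
#       si_mkrsyncd_conf && /etc/init.d/systemimager-server-rsyncd restart
```

If the check fails, do not restart the daemon: with the stub still commented, the regenerated rsyncd.conf leaves the images reachable from any host on the network instead of only through the tunnel.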
Client-driven approach
Create the SSH boot package
First of all you need to create a boot package (kernel + initrd.img) that includes the SSH private key directly in the initrd.img. Booting over PXE is strongly discouraged in this case, because kernel and initrd.img are transmitted to the clients unencrypted via TFTP, and the private key would travel with them.
To create the boot package with BOEL run the following command:
# mkdir /tmp/boot-package
# si_mkbootpackage --destination /tmp/boot-package --kernel /usr/share/systemimager/boot/i386/standard/kernel --filesystem cramfs --ssh-key ~foo/.ssh/id_dsa --yes
Remember to replace i386 with the architecture of your clients to get the correct kernel (e.g. x86_64).
Or if you want to use UYOK:
# mkdir /tmp/boot-package
# si_mkbootpackage --destination /tmp/boot-package --image <YOUR_IMAGE> --ssh-key ~foo/.ssh/id_dsa --yes
This command will create the boot package in /tmp/boot-package and include the SSH private key of the user "foo" in the initrd. To enable passwordless login for the user "foo" run the command:
$ cat ~foo/.ssh/id_dsa.pub >> ~foo/.ssh/authorized_keys
In a similar way you can also use --ssh-key with si_prepareclient on your golden client. In this case you don't need to create the boot package on your image server: simply use the kernel + initrd.img generated by si_prepareclient.
Configure the clients to use the SSH transport
- Create an autoinstall CD with the following command:
# si_mkautoinstallcd --out-file /tmp/boot-package/systemimager.iso --kernel /tmp/boot-package/kernel --initrd /tmp/boot-package/initrd.img --append "MONITOR_SERVER=172.16.36.1 MONITOR_CONSOLE=yes SKIP_LOCAL_CFG=y SSH=y"
Remember to replace the address of your monitor server (if you want to use it) and add all the needed Installation Parameters.
- If you prefer to use an auto-install USB drive, instead of a CD run:
# si_mkautoinstalldisk --device <YOUR_USB_DEVICE> --kernel /tmp/boot-package/kernel --initrd /tmp/boot-package/initrd.img --append "MONITOR_SERVER=172.16.36.1 MONITOR_CONSOLE=yes SKIP_LOCAL_CFG=y SSH=y" --yes
Boot the clients with the autoinstall CD / USB drive (PXE is not recommended with client-driven SSH)
...and enjoy the secure auto-installation! ;-)
Server-driven approach
Create the SSH boot package
Like the client-driven approach, the server-driven way also needs a client boot package. In this case, instead of including the SSH private key (used to connect to the image server), we must include the authorized_keys file, because it is the image server that opens the SSH tunnels to the clients.
To create a boot package with BOEL run the following command on your image server:
# mkdir /tmp/boot-package
# si_mkbootpackage --destination /tmp/boot-package --kernel /usr/share/systemimager/boot/i386/standard/kernel --filesystem cramfs --authorized-keys ~foo/.ssh/id_dsa.pub --yes
Remember to replace i386 with the architecture of your clients to get the correct kernel (e.g. x86_64).
Or with UYOK:
# mkdir /tmp/boot-package
# si_mkbootpackage --destination /tmp/boot-package --image <YOUR_IMAGE> --authorized-keys ~foo/.ssh/id_dsa.pub --yes
After that you will find the kernel + initrd.img to be used for the imaging in the destination directory (/tmp/boot-package).
The kernel + initrd.img must be used by whatever mechanism you plan to boot your clients with. For instance, if you are booting via PXE/TFTP, those files need to overwrite the existing ones in /tftpboot (or wherever your tftproot is).
Configure the clients to use the SSH transport
Be sure to define the SSH=y installation parameter (for more details see: Installation Parameters).
IMPORTANT: the server-driven approach is the most secure way to deploy images on the clients, because they never access the image server directly. For this reason you can forbid every kind of access to the image server (using a hosts deny policy, iptables, or your preferred firewall...).
Moreover, since you only have to distribute a public key to the clients, you can ignore the warning of the client-driven approach about booting over PXE: in this case the initrd.img doesn't contain private information and can be transmitted unencrypted without problems!
Wait until the clients are ready to accept SSH connections
Wait for the following message, which must appear on the clients' console:
Started sshd. You must now go to your imageserver and issue
the following command:
si_pushinstall --hosts ${HOST_OR_IP}.
If you are not able to physically watch the clients' console you can use the Monitoring features and check this message from the SystemImager virtual console.
The message above means that the clients are ready to accept SSH connections from the image server, so just run the command suggested on the console.
You can also use host ranges with si_pushinstall to open all the SSH tunnels in a single shot. For example, if you have to image from node01 up to node20 run:
# si_pushinstall --hosts node01-node20
Boot the clients with the autoinstall CD / USB drive or via PXE
...and enjoy the secure auto-installation! ;-)
How to start an sshd on the imaging clients
Include the authorized keys file in the boot package to enable passwordless login. To create a boot package with the BOEL kernel run:
# si_mkbootpackage --destination /tftpboot --kernel /usr/share/systemimager/boot/i386/standard/kernel --filesystem cramfs --authorized-keys $HOME/.ssh/id_dsa.pub --yes
Or with UYOK:
# si_mkbootpackage --destination /tftpboot --image <YOUR_IMAGE> --authorized-keys $HOME/.ssh/id_dsa.pub
Define SSHD=y in /etc/systemimager/pxelinux.cfg/syslinux.cfg (see Installation Parameters).
Boot your clients via PXE, or if you prefer to use an auto-install USB drive run:
# si_mkautoinstalldisk --device <YOUR_USB_DEVICE> --kernel /tftpboot/kernel --initrd /tftpboot/initrd.img --append "SSHD=y"
If you want to use an auto-install CD:
# si_mkautoinstallcd --out-file /tmp/systemimager.iso --kernel /tftpboot/kernel --initrd /tftpboot/initrd.img --append "SSHD=y"
IMPORTANT: remember that a temporary SSH host key is used during the imaging of the clients. If you log in to a client, the fingerprint of its host key is added to $HOME/.ssh/known_hosts on your source machine. When the machine reboots this key is lost, a new host key is generated, and you will get an error like the following at the next ssh attempt to the client:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:18
RSA host key for xxx.xxx.xxx.xxx has changed and you have requested strict checking.
Host key verification failed.
To work around this problem you can use the UserKnownHostsFile and StrictHostKeyChecking options when logging in to the clients during the imaging:
# ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no <IP_of_the_client>
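As an added example, not part of this page or of SystemImager: instead of turning host-key checking off, which also silences the warning when a key really did change on the wire, the imaging session can keep its own known_hosts file and drop a client's stale entry once that client has rebooted with a new host key. The path $HOME/.ssh/known_hosts.imaging, the function names and the sample known_hosts lines are assumptions of this example. StrictHostKeyChecking=accept-new needs OpenSSH 7.6 or newer; on older releases keep StrictHostKeyChecking=ask and run ssh-keygen -R <host> -f <file> after each reboot instead.

```shell
#!/bin/sh
# Added example (not SystemImager code): keep host-key checking on while
# imaging by giving the imaging session its own known_hosts file and
# dropping a client's stale entry after it reboots with a fresh host key.

# Separate file so the throwaway keys of imaging clients never end up in
# ~/.ssh/known_hosts (the path is an assumption of this example).
IMAGING_KNOWN_HOSTS=${IMAGING_KNOWN_HOSTS:-$HOME/.ssh/known_hosts.imaging}

# Remove every plain-text known_hosts line whose host list contains HOST
# exactly, e.g. "node01", "192.0.2.10" or "[node01]:2222". Hashed "|1|..."
# lines, comments and blank lines are kept; use ssh-keygen -R for hashed ones.
forget_client_hostkey() {
    host=$1; file=${2:-$IMAGING_KNOWN_HOSTS}
    [ -f "$file" ] || return 0
    tmp=$(mktemp) || return 1
    awk -v h="$host" '
        /^\|1\|/ || /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }  # keep as is
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) next        # stale entry for HOST: drop it
            print
        }' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the number of plain-text entries for HOST (0 after forget_client_hostkey).
count_client_hostkeys() {
    host=$1; file=${2:-$IMAGING_KNOWN_HOSTS}
    [ -f "$file" ] || { echo 0; return; }
    awk -v h="$host" '
        /^\|1\|/ || /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) { c++; next } }
        END { print c + 0 }' "$file"
}

# ssh into an imaging client with checking still enforced: the first
# connection records the temporary key in the imaging file, and any later
# mismatch is reported instead of being silently accepted.
imaging_ssh() {
    ssh -o UserKnownHostsFile="$IMAGING_KNOWN_HOSTS" \
        -o StrictHostKeyChecking=accept-new "$@"
}

# Before re-imaging a client that has rebooted since the last session:
#   forget_client_hostkey node01 && imaging_ssh root@node01
```

The same functions work on ~/.ssh/known_hosts by passing it as the second argument, but keeping the imaging keys in their own file means the entries for the production host keys of the same machines are never touched.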
