[cobbler] Re: Sending keys/files to deployed hosts

2016-11-07 Thread Tyler Wilson
Hey All,

I finally got this working; it was a bit tricky getting sshd to stay open
and allow connections in the Ubuntu preseed environment. Here is what
worked for me:

d-i preseed/late_command string in-target wget http://$http_server/xenial-sources.list -O /etc/apt/sources.list ; \
   mkdir -p /target/root/.ssh ; \
   chmod 700 /target/root/.ssh ; \
   echo 'ssh-rsa $COBBLER_PUBLIC_KEY cobbler' > /target/root/.ssh/authorized_keys ; \
   wget -O- http://$http_server/sshd.sh | chroot /target /bin/bash -s ; \
   wget -O- http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default | chroot /target /bin/bash -s ; \
   in-target killall /usr/sbin/sshd ;

sshd.sh is:

[root@cobbler ~]# cat /var/www/html/sshd.sh
mkdir -p /var/run/sshd
chmod 0755 /var/run/sshd
ssh-keygen -f /root/.ssh/id_rsa -t rsa -N ''
(/usr/sbin/sshd -D &)

Hope this helps others.

___
cobbler mailing list -- cobbler@lists.fedorahosted.org
To unsubscribe send an email to cobbler-le...@lists.fedorahosted.org


[cobbler] Re: Sending keys/files to deployed hosts

2016-11-02 Thread Tyler Wilson
Hello,

Thank you for the replies! I tried to replicate your setup with the
following:

[root@cobbler ~]# cat /var/lib/cobbler/triggers/install/post/chef-key.sh
#!/bin/bash
/usr/bin/scp -i /root/.ssh/id_rsa -o "StrictHostKeyChecking no" -p /root/chef.key ${3}:/root/chef.key

Using Ubuntu 16.04 preseed with the following post-install commands:

d-i preseed/late_command string in-target /usr/bin/ssh-keygen -f /root/.ssh/id_rsa -t rsa -N '' ; \
   echo 'ssh-rsa $COBBLER_PUBLIC_KEY cobbler' > /target/root/.ssh/authorized_keys ; \
   mkdir -p /target/var/run/sshd ; \
   in-target /usr/sbin/sshd ; \
   wget -O- http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default | chroot /target /bin/sh -s ; \
   in-target wget http://$http_server/xenial-sources.list -O /etc/apt/sources.list ;

However, I am getting a lost connection whenever it tries to run the post
trigger:

Tue Nov  1 23:41:58 2016 - DEBUG | running shell triggers from /var/lib/cobbler/triggers/install/post/*
Tue Nov  1 23:41:58 2016 - DEBUG | running shell trigger /var/lib/cobbler/triggers/install/post/chef-key.sh
Tue Nov  1 23:41:58 2016 - INFO | running: ['/var/lib/cobbler/triggers/install/post/chef-key.sh', 'system', 'cobbler-test', '192.168.1.50']
Tue Nov  1 23:42:13 2016 - INFO | received on stdout:
Tue Nov  1 23:42:13 2016 - DEBUG | received on stderr:
ssh_exchange_identification: read: Connection reset by peer
lost connection

I inserted a sleep after the final post command and I could manually run
the scp command fine while the system was still in the "running preseed"
stage.

[root@cobbler ~]# /var/lib/cobbler/triggers/install/post/chef-key.sh system cobbler-test 192.168.1.50
...
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
chef.key                                      100% 1679     1.6KB/s   00:00

Thanks for your help!



[cobbler] Re: Sending keys/files to deployed hosts

2016-10-26 Thread Orion Poplawski

On 10/25/2016 09:49 PM, Tyler Wilson wrote:

Hey All,

New Cobbler user here. What is the best method of ensuring deployed
nodes have sensitive keys (chef keys, ssh, etc) securely uploaded when
completed? Am I able to send them securely from the cobbler host somehow?

Thanks for any and all tips!


I fire up sshd on my target system in %post:

#  Create temporary host key(s)
#   EL7
/usr/sbin/sshd-keygen
#   Fedora
/usr/libexec/openssh/sshd-keygen rsa
#  Start sshd so that we can copy over the ansible key in the cobbler post trigger

/usr/sbin/sshd

Then I have a cobbler install trigger copy the ssh key over:

# cat /var/lib/cobbler/triggers/install/post/ansible_key
#!/bin/bash
[ "$1" = system ] &&
  /usr/bin/scp -i /root/.ssh/id_rsa_cobbler -o "StrictHostKeyChecking no" -p /root/.ssh/id_rsa_ansible ${2}:/root/.ssh/id_rsa_ansible



I suppose someone could then activate the trigger directly and receive
the key, but this is the best that I was able to come up with.



--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  or...@cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com
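
The concern raised in this message, that the trigger could be activated directly, can be narrowed by having the trigger compare its arguments with Cobbler's own records before copying anything. The script below is an added example, not code from the thread or from Cobbler; the function names are hypothetical, and it assumes that the IP argument is the address the trigger request came from and that `cobbler system report` prints one "IP Address : a.b.c.d" line per interface.

```shell
#!/bin/sh
# Added example, not from the thread. Trigger arguments as in the log above:
# $1 = object type, $2 = system name, $3 = IP address.
# Assumption: `cobbler system report` prints "IP Address : a.b.c.d" lines.

# Read a system report on stdin; print each recorded IPv4 address.
registered_ips() {
    awk -F: '/^[ \t]*IP Address[ \t]*:/ { gsub(/[ \t]/, "", $2); if ($2 != "") print $2 }'
}

# Succeed only for a dotted quad whose four octets are 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# usage: may_push_key TYPE IP REPORT_TEXT
# Allow the push only for a "system" object whose IP Cobbler has on record.
may_push_key() {
    [ "$1" = system ] || return 1
    valid_ipv4 "$2" || return 1
    printf '%s\n' "$3" | registered_ips | grep -Fxq -- "$2"
}

# Act only when invoked by Cobbler with the three trigger arguments.
if [ "$#" -ge 3 ]; then
    report=$(cobbler system report --name="$2") || exit 1
    if ! may_push_key "$1" "$3" "$report"; then
        echo "refusing key push for $2: $3 is not its registered address" >&2
        exit 1
    fi
    # The host key is created during the install and cannot be pinned in
    # advance, so record it in a throwaway file, not root's known_hosts.
    kh=$(mktemp) || exit 1
    ssh-keyscan -T 5 "$3" > "$kh" 2>/dev/null
    scp -i /root/.ssh/id_rsa -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$kh" -p /root/chef.key "$3:/root/chef.key"
    rc=$?
    rm -f "$kh"
    exit "$rc"
fi
```

If the key scan returns nothing, the scp fails closed because the throwaway known_hosts file is empty and strict checking is on.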


[cobbler] Re: Sending keys/files to deployed hosts

2016-10-26 Thread Matt Luettgen
Look into koan, --template-files and --update-files
Http://fedorahosted.org/cobbler/wiki//BuiltinConfigManagement

On Oct 25, 2016 10:50 PM, "Tyler Wilson"  wrote:

> Hey All,
>
> New Cobbler user here. What is the best method of ensuring deployed nodes
> have sensitive keys (chef keys, ssh, etc) securely uploaded when completed?
> Am I able to send them securely from the cobbler host somehow?
>
> Thanks for any and all tips!


[cobbler] Re: Sending keys/files to deployed hosts

2016-10-26 Thread William Muriithi
Hi Tyler,

In your kickstart file, create a post-install step that sets up a management
account called chef and also uploads the chef ssh authorization key.

You can then push any sensitive files to the deployed system using an ssh tunnel
between chef and system x at account chef.

Regards,

William

From: Tyler Wilson [mailto:k...@linuxdigital.net]
Sent: October-25-16 11:49 PM
To: cobbler@lists.fedorahosted.org
Subject: [cobbler] Sending keys/files to deployed hosts

Hey All,

New Cobbler user here. What is the best method of ensuring deployed nodes have 
sensitive keys (chef keys, ssh, etc) securely uploaded when completed? Am I 
able to send them securely from the cobbler host somehow?

Thanks for any and all tips!