On Sat, Jul 13, 2002 at 01:11:10PM +0200, Andreas Schockenhoff wrote:
> I have done this after every make-fai-nfsroot.
> cp /usr/lib/fai/nfsroot/root/.ssh/id_dsa.pub /home/fai/.ssh/authorized_keys
> cp /etc/ssh/ssh_host_dsa_key.pub /usr/lib/fai/nfsroot/root/.ssh/

if you use the PFAI version of make-fai-nfsroot, you wouldn't have to do this, because in this version a recursive fcopy is used for configuring the system. just put the files into the $CONFIG/files hierarchy, using class FAI-NFSROOT.

> Is there a new security Problem?

I've written a (not very well tested) script to be used as COMMAND for the authorized logsave-key. this allows hosts to write only to their own directories on the server, and only to non-existent subdirs. besides, no other requests but 'scp' are working... thus nobody, even if he possesses the key, can fake logs.

the only possible attack scenario would be if someone first takes over a host during installation, but before install is saving the logs. then he could save his own 'faked' logs, probably hiding his intrusion...

this special wrapper is for now not even in PFAI, but after a bit of testing it will get there. if anyone wants this wrapper i could post it either to the list or privately.

--
c u
henning
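
A forced-command wrapper of the kind the message describes, as an added example; it is not the author's script, which is not shown on this page. The `LOG_ROOT` layout, the wrapper path, the function name `validate_upload` and the use of the peer address from `SSH_CLIENT` as the per-host directory name are assumptions of this example.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a shared log-upload key.
# Assumed authorized_keys entry (wrapper path is hypothetical):
#   command="/usr/local/sbin/logsave-wrapper",no-pty,no-port-forwarding ssh-dss AAAA...
LOG_ROOT=${LOG_ROOT:-/home/fai/logs}   # assumed layout: $LOG_ROOT/<client>/<subdir>

# validate_upload CLIENT COMMAND
# Prints the destination path and returns 0 only if COMMAND is an scp upload
# (sink mode, "-t") into a not-yet-existing subdir of CLIENT's own directory.
validate_upload() {
    client=$1 cmd=$2
    # CLIENT becomes a path component: conservative charset, no leading dot.
    case $client in ''|.*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    set -f; set -- $cmd; set +f        # split on whitespace, no globbing
    [ "${1-}" = scp ] || return 1; shift
    while [ $# -gt 2 ]; do             # optional flags scp puts before -t
        case $1 in -r|-p|-d|-v) shift ;; *) return 1 ;; esac
    done
    # Exactly "-t <target>" must remain; "-f" (download) is refused here.
    [ $# -eq 2 ] && [ "$1" = -t ] || return 1
    target=$2
    # Target must be <client>/<subdir> with a single safe path component.
    sub=${target#"$client"/}
    [ "$sub" != "$target" ] || return 1
    case $sub in ''|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    dest=$LOG_ROOT/$client/$sub
    # Existing entries (including dangling symlinks) may not be overwritten.
    [ ! -e "$dest" ] && [ ! -L "$dest" ] || return 1
    printf '%s\n' "$dest"
}

# Entry point when sshd runs this as the forced command. Without an original
# command (interactive login attempt) the script simply ends: no shell.
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    dest=$(validate_upload "${SSH_CLIENT%% *}" "$SSH_ORIGINAL_COMMAND") || {
        echo "logsave: request refused" >&2; exit 1; }
    # Run scp with a rebuilt argument list; the client's string is never eval'ed.
    exec scp -r -t "$dest"
fi
```

As in the scenario the message points out, a client that is already compromised before its first upload can still write its own logs; the wrapper only prevents overwriting existing logs and writing into other hosts' directories.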
