[nycbug-talk] openssh in clustered environment

pete wright nomadlogic
Mon Dec 12 16:21:02 EST 2005

On 12/12/05, Marc Spitzer <mspitzer at gmail.com> wrote:
> On 12/12/05, pete wright <nomadlogic at gmail.com> wrote:
> > Hey All,
> > any links/hacks and tricks for distributing openssh keys in a large
> > desktop and cluster unix environment.  ideally i'd like to have keys
> > distributed to servers at buildtime.  catch is that most builds are
> > automated so being prompted for passwords during the initial setup can
> > not happen.  I've started kicking around using hostbased auth, but
> > this is less secure and does not save any work when I can just script
> > creating passwordless keys.  Still, the issue I foresee is having to
> > manually distribute the keys for the first time (having to type a
> > password at least once to get a host's public key into a server's auth.
> > hosts file).
> >
> > what are you all doing to manage hosts in large mostly automated
> > environments (more than 1000 hosts)?
>
> it depends how you build them.  you could do any of the following:
> 1: scripted cvs/http/ftp download of the needed files
> 2: cfengine script
> 3: something else mentioned on this list, I think it started with hf,
> and got good reviews
> 4: other stuff in ports
> and others, what would work for you given your existing/planned infrastructure
> marc

funny you mention cfengine, as this is partly due to cfengine ;) 
trying to figure out a way to get the client ppkeys over to the
master via an install script.  hmm...i guess I can kick around the
idea of doing some sort of HTTP/perl/python thingy...


> --
> "We trained very hard, but it seemed that every time we were beginning to
> form into teams we would be reorganized. I was to learn later in life that
> we tend to meet any new situation by reorganizing, and a wonderful method it
> can be for creating the illusion of progress, while producing confusion,
> inefficiency and demoralization."
> -Gaius Petronius, 1st Century AD

Pete Wright
NYC's *BSD User Group
