Bug 144001

Summary: iSpec ssh key distribution
Product: [Retired] Red Hat Ready Certification Tests
Reporter: Will Woods <wwoods>
Component: ispec
Assignee: Will Woods <wwoods>
Status: CLOSED WORKSFORME
QA Contact: Richard Li <richardl>
Severity: medium
Priority: medium    
Version: beta   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2005-04-29 18:34:20 UTC
Bug Blocks: 143442    

Description Will Woods 2005-01-03 16:26:26 UTC
During iSpec testing, the rhr NETWORK test requires the ability to ssh login to
the iSpec server. This can be done automatically (that is, without needing user
input) by using ssh key authentication. This would make other parts of our
testing (e.g. copying test results back to the iSpec server) much easier as well.

Currently, varitek.cgi creates an ssh keypair (with no passphrase) for each
machine model defined. This keypair is used to allow the test machine(s) to log
into the iSpec server as root, without a password. Obviously this poses a
serious security risk if the private key is made publicly available, so we can't
just put it in the models/ dir and fetch it by http. Instead, we put the private
key in a directory that is only readable by root. After (or possibly during) the
RHEL installation, the private key should be fetched by the test machine and
installed in the appropriate place.

Currently iSpec tries to set up the key(s) during the test machine's first boot
after installation, but this has two problems:

1) Requires the user to wait around through the RHEL installation to type the
iSpec server root password after the test machine reboots.
2) Since ssh/scp won't ask for a password unless they're run in a terminal,
iSpec has to open up a new virtual terminal to do this. This approach fails on
headless machines or other places where the virtual terminals aren't available.
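
An added example (not part of the original bug report or of iSpec): a check that a directory holding passphrase-less private keys is accessible only by its owner, which is the property the description relies on. The directory layout and file names are constructed, and the demo uses the current uid in place of root so it runs unprivileged.

```python
import os
import stat
import tempfile


def audit_key_dir(key_dir, expected_uid=0):
    """Return (path, problem) findings for a directory of private keys.

    Every entry must be owned by expected_uid (root by default) and carry
    no group/other permission bits. Symlinks are reported, not followed.
    """
    paths = [key_dir]
    for root, dirs, files in os.walk(key_dir):
        paths += [os.path.join(root, name) for name in dirs + files]

    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink; target not covered by this check"))
            continue
        if st.st_uid != expected_uid:
            findings.append((path, f"owned by uid {st.st_uid}, expected {expected_uid}"))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, f"group/other bits set: {stat.filemode(st.st_mode)}"))
    return findings


def demo():
    """Build a constructed key directory with one over-exposed key and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        key_dir = os.path.join(tmp, "keys")      # hypothetical location
        os.mkdir(key_dir)
        os.chmod(key_dir, 0o700)
        for name, mode in (("model-a.key", 0o600), ("model-b.key", 0o644)):
            path = os.path.join(key_dir, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        # Assumption: current uid stands in for root so the demo runs unprivileged.
        found = audit_key_dir(key_dir, expected_uid=os.getuid())
        return [(os.path.basename(p), why) for p, why in found]


if __name__ == "__main__":
    for name, why in demo():
        print(f"{name}: {why}")
```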

Comment 1 Richard Li 2005-01-03 18:57:11 UTC
We documented how to add the keys for the 1.0 version. Moving to 1.1.

Comment 2 Richard Li 2005-01-03 20:39:38 UTC
-> wwoods needs to verify documentation

Comment 3 Will Woods 2005-01-06 15:30:08 UTC
The documentation looks correct for 1.0. Moving this bug to 1.1.

Comment 5 Will Woods 2005-04-29 18:34:20 UTC
Current method is good enough for now - test machines are normally on isolated
networks, so security risks are minimal. Plan to remove ssh altogether in the
next major release.