Bug 144001 - iSpec ssh key distribution
Product: Red Hat Ready Certification Tests
Classification: Retired
Component: ispec
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Will Woods
Richard Li
Blocks: 143442
Reported: 2005-01-03 11:26 EST by Will Woods
Modified: 2007-04-18 13:17 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-04-29 14:34:20 EDT
Description Will Woods 2005-01-03 11:26:26 EST
During iSpec testing, the rhr NETWORK test requires the ability to ssh login to
the iSpec server. This can be done automatically (that is, without needing user
input) by using ssh key authentication. This would make other parts of our
testing (e.g. copying test results back to the iSpec server) much easier as well.

Currently, varitek.cgi creates an ssh keypair (with no passphrase) for each
machine model defined. This keypair is used to allow the test machine(s) to log
into the iSpec server as root, without a password. Obviously this poses a
serious security risk if the private key is made publicly available, so we can't
just put it in the models/ dir and fetch it by http. Instead, we put the private
key in a directory that is only readable by root. After (or possibly during) the
RHEL installation, the private key should be fetched by the test machine and
installed in the appropriate place.

Currently iSpec tries to set up the key(s) during the test machine's first boot
after installation, but this has two problems:

1) Requires the user to wait around through the RHEL installation to type the
iSpec server root password after the test machine reboots.
2) Since ssh/scp won't ask for a password unless they're run in a terminal,
iSpec has to open up a new virtual terminal to do this. This approach fails on
headless machines or other places where the virtual terminals aren't available.
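
The storage rule in the description (private key kept in a root-only directory, never under the HTTP-served models/ directory) can be checked mechanically. The following is an added example, not part of the original report or of iSpec; `audit_key_store`, the directory layout and the sample files are hypothetical, and `owner_uid` defaults to root.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_key_store(key_dir, web_root, owner_uid=0):
    """Return findings for a directory of private keys meant to be root-only."""
    key_dir, web_root = Path(key_dir).resolve(), Path(web_root).resolve()
    findings = []
    # Anything under the HTTP-served tree can be fetched without authentication.
    if key_dir == web_root or web_root in key_dir.parents:
        findings.append(f"{key_dir}: inside web root")
    # The directory and each entry must belong to owner_uid and carry no
    # group/other permission bits.
    for path in [key_dir, *sorted(key_dir.iterdir())]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{path}: symlink, target not audited")
            continue
        if st.st_uid != owner_uid:
            findings.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} allows group/other")
    return findings


def demo():
    """Audit two constructed key stores; returns (good_findings, bad_findings)."""
    uid = os.getuid()  # sample files belong to the current user, not root
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp, "www")
        good, bad = Path(tmp, "private"), web / "models" / "keys"
        for store, dmode, fmode in ((good, 0o700, 0o600), (bad, 0o755, 0o644)):
            store.mkdir(parents=True)
            key = store / "model1_key"  # placeholder file, not a real key
            key.write_text("constructed placeholder\n")
            os.chmod(key, fmode)
            os.chmod(store, dmode)
        return audit_key_store(good, web, uid), audit_key_store(bad, web, uid)


if __name__ == "__main__":
    good, bad = demo()
    print("root-only store:", good or "no findings")
    for line in bad:
        print("finding:", line)
```
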
Comment 1 Richard Li 2005-01-03 13:57:11 EST
We documented how to add the keys for the 1.0 version. Moving to 1.1.
Comment 2 Richard Li 2005-01-03 15:39:38 EST
-> wwoods needs to verify documentation
Comment 3 Will Woods 2005-01-06 10:30:08 EST
The documentation looks correct for 1.0. Moving this bug to 1.1.
Comment 5 Will Woods 2005-04-29 14:34:20 EDT
Current method is good enough for now - test machines are normally on isolated
networks, so security risks are minimal. Plan to remove ssh altogether in the
next major release.
