Red Hat Bugzilla – Bug 144001
iSpec ssh key distribution
Last modified: 2007-04-18 13:17:46 EDT
During iSpec testing, the rhr NETWORK test requires the ability to ssh login to
the iSpec server. This can be done automatically (that is, without needing user
input) by using ssh key authentication. This would make other parts of our
testing (e.g. copying test results back to the iSpec server) much easier as well.
Currently, varitek.cgi creates an ssh keypair (with no passphrase) for each
machine model defined. This keypair is used to allow the test machine(s) to log
into the iSpec server as root, without a password. Obviously this poses a
serious security risk if the private key is made publicly available, so we can't
just put it in the models/ dir and fetch it by http. Instead, we put the private
key in a directory that is only readable by root. After (or possibly during) the
RHEL installation, the private key should be fetched by the test machine and
installed in the appropriate place.
Currently iSpec tries to set up the key(s) during the test machine's first boot
after installation, but this has two problems:
1) Requires the user to wait around through the RHEL installation to type the
iSpec server root password after the test machine reboots.
2) Since ssh/scp won't ask for a password unless they're run in a terminal,
iSpec has to open up a new virtual terminal to do this. This approach fails on
headless machines or other places where the virtual terminals aren't available.
We documented how to add the keys for the 1.0 version. Moving to 1.1
-> wwoods needs to verify documentation
The documentation looks correct for 1.0. Moving this bug to 1.1.
Current method is good enough for now - test machines are normally on isolated
networks, so security risks are minimal. Plan to remove ssh altogether in the
next major release.
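
The storage constraint in the bug description (passphrase-less private keys kept in a directory readable only by root) can be checked mechanically. The following is an added example, not part of the bug report or of iSpec; the function names, issue labels and the demo key file are constructed for illustration.

```python
import base64, os, stat, struct

MAGIC = b"openssh-key-v1\x00"  # 15-byte header of the current OpenSSH key format

def key_is_unencrypted(text):
    """True/False for a recognised private key file, None for anything else."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return None
    if "OPENSSH" in lines[0]:  # cipher name is the first length-prefixed string
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
            (n,) = struct.unpack(">I", blob[15:19])  # length of the cipher name
        except (ValueError, struct.error):
            return None
        return blob[19:19 + n] == b"none" if blob[:15] == MAGIC else None
    # PEM keys: encrypted ones say so in the BEGIN line or a Proc-Type header.
    return "ENCRYPTED" not in lines[0] and not any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)

def audit_key_dir(path, owner_uid=0):
    """Return sorted (name, issue) pairs; an empty list means nothing was flagged."""
    found = []
    st = os.lstat(path)
    if st.st_uid != owner_uid:
        found.append((".", "dir-owner"))
    if st.st_mode & 0o077:  # any group/other permission bit on the directory
        found.append((".", "dir-mode"))
    for name in os.listdir(path):
        full = os.path.join(path, name)
        fst = os.lstat(full)
        if not stat.S_ISREG(fst.st_mode):  # skip symlinks, sockets, subdirectories
            continue
        with open(full, errors="replace") as fh:
            unencrypted = key_is_unencrypted(fh.read(65536))
        if unencrypted is None:  # not a private key (e.g. the .pub half)
            continue
        if fst.st_uid != owner_uid or fst.st_mode & 0o077:
            found.append((name, "key-perms"))
        if unencrypted:
            found.append((name, "no-passphrase"))
    return sorted(found)

if __name__ == "__main__":  # demo: constructed, non-functional key in a 0755 directory
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "model_key"), "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")
        os.chmod(d, 0o755)
        print(audit_key_dir(d, owner_uid=os.getuid()))
```

A `no-passphrase` finding is expected for keys created the way the description states; the other issue labels indicate the key is exposed beyond the intended owner.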