On Fri, 29 Oct 2004 19:03:02 +0200, Martin wrote in message <[EMAIL PROTECTED]>:
> Dear wizards,
>
> [I assume cluster stuff to be better here than -user. Please tell me
> if you think otherwise]
>
> We have just converted our 40 node cluster to FAI and now it's
> running shiny sarge at the press of the on button. Thanks to Thomas
> Lange for a really incredible solution (FAI), and Mark Burgess for
> cfengine2!
>
> As far as I can tell, there remains one problem: we use SSH
> hostbased authentication between the nodes, and while I finally got
> that to work, every machine gets a new host key on every
> reinstallation, requiring the global database to be updated. Of
> course, ssh-keyscan makes that easy, but people *will* forget to
> call it, and I refuse to automate the process because there is
> almost no intrusion detection going on, so that it would be trivial
> to get access to the cluster with a laptop. As it stands,
> I kept the attack vector small with respect to the data stored on
> the cluster, physical security is good, and the whole thing is
> behind a fascist firewall anyway.
>
> So what can I do about these SSH keys?

..have each node scp those keys and whatever else you want from
the boot server, say from each node's /etc/rc.local. _Combine_
some node hardware based ID schemes, say nics mac addresses, cpuid, etc.

--
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three:
  best case, worst case, and just in case.
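The approach suggested in the reply, sketched as an added example that is not part of the original thread: a node derives an ID from its MAC addresses and CPU string, installs the host keys stored under that ID, and the result is checked against the global known_hosts database instead of re-running ssh-keyscan. The host name `bootserver`, the path `/srv/hostkeys`, the function names and all sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Assumed layout: the boot server keeps each node's
# long-lived host keys under <store>/<node-id>/ssh_host_*_key[.pub].

# Stable node ID from hardware identifiers (MAC list + CPU string). MACs are
# lowercased and sorted so interface enumeration order does not change the ID.
node_id() {  # usage: node_id "<mac> <mac> ..." "<cpu string>"
    macs=$(printf '%s\n' $1 | tr 'A-F' 'a-f' | sort | tr '\n' ',')
    printf '%s|%s' "$macs" "$2" | sha256sum | cut -c1-16
}

# Install the stored keys for this ID. Fails when the ID is unknown, so an
# unregistered machine never ends up with keys the cluster trusts.
restore_host_keys() {  # usage: restore_host_keys <store> <id> <sshdir>
    src="$1/$2"
    [ -d "$src" ] || { echo "no keys registered for node $2" >&2; return 1; }
    for key in "$src"/ssh_host_*_key; do
        [ -f "$key" ] && [ -f "$key.pub" ] || return 1
        install -m 600 "$key" "$3/" && install -m 644 "$key.pub" "$3/" || return 1
    done
}

# True only if the public key file matches the known_hosts entry for <host>
# (plain, unhashed "host keytype blob" lines assumed).
key_matches_db() {  # usage: key_matches_db <known_hosts> <host> <pubfile>
    have=$(awk '{ print $1, $2; exit }' "$3")
    awk -v h="$2" -v k="$have" \
        '$1 == h && ($2 " " $3) == k { ok = 1 } END { exit !ok }' "$1"
}

# Offline demo on constructed data (fake key material in a temp directory).
demo() {
    t=$(mktemp -d) && id=$(node_id "00:16:3E:00:00:02 00:16:3e:00:00:01" "constructed-cpu")
    mkdir -p "$t/store/$id" "$t/etc_ssh"
    echo "FAKE PRIVATE KEY" > "$t/store/$id/ssh_host_rsa_key"
    echo "ssh-rsa AAAAconstructed root@node01" > "$t/store/$id/ssh_host_rsa_key.pub"
    echo "node01 ssh-rsa AAAAconstructed" > "$t/known_hosts"
    restore_host_keys "$t/store" "$id" "$t/etc_ssh" &&
        key_matches_db "$t/known_hosts" node01 "$t/etc_ssh/ssh_host_rsa_key.pub"
    rc=$?; rm -rf "$t"; return $rc
}

# On a node, e.g. from /etc/rc.local ("bootserver" and /srv/hostkeys are placeholders):
#   id=$(node_id "$(cat /sys/class/net/*/address)" "$(grep -m1 'model name' /proc/cpuinfo)")
#   d=$(mktemp -d) && scp -rp "bootserver:/srv/hostkeys/$id" "$d/" && restore_host_keys "$d" "$id" /etc/ssh
```

The hardware-derived ID only selects which key set to install; it does not authenticate the node, so access to the key store on the boot server still has to be restricted separately.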