Here is a version we run for each of our VM/zlinux servers to a allow access to run scripts on a inside web server in VMware. We do each and ecvery time a zLinux Informix set up is (and there will be about 120 instances)
MAYBE it will helps someone here: ------------------------------------------------------------------------------------------------ #!/bin/sh ## ## generate KEYS for Power User .. ## NOTE: INSIDESERVER variable is set prior ## To the script being run if [ "$USER" != "root" ] then echo "YOu must be ROOT user to excute this ..." exit 1 fi cd /home/poweruser rm -rf .ssh/ mkdir .ssh chown poweruser:users .ssh/ su - poweruser -c 'ssh-keygen -b 2048 -t rsa -N "" -f /home/poweruser/.ssh/id_rsa' su - poweruser -c 'ssh-keygen -b 1024 -t dsa -N "" -f /home/poweruser/.ssh/id_dsa' echo "Now copying over the key pairs .." cat /home/poweruser/.ssh/id_rsa.pub | ssh root@${INSIDESERVER} "cat >> /root/.ssh/authorized_keys" echo "Key gen now complete ..." exit 0 ----------------------------------------------------------------------------------------------------------- Ben Duncan - Business Network Solutions, Inc. 336 Elton Road Jackson MS, 39212 "Never attribute to malice, that which can be adequately explained by stupidity" - Hanlon's Razor > -------- Original Message -------- > Subject: Re: Cloning & SSH keys > From: "r.stricklin" <b...@typewritten.org> > Date: Mon, July 16, 2012 9:24 pm > To: LINUX-390@VM.MARIST.EDU > > > On Jul 16, 2012, at 8:03 AM, Lee Stewart wrote: > > > I'd never thought about it before, but a customer pointed out that when > > you clone a system, each Linux clone has the same Host RSA key > > fingerprint as it's master. I can't think of anything that would cause > > a problem with. On the other hand, if they wanted to regenerate the > > keys, does it take more than erasing the current keys and restarting sshd? > > That's all it takes. > > Some of the security features of ssh break down in subtle ways if you have > multiple hosts with the same host key. I personally would advise creating new > keys for each clone. It was part of the clone automation I implemented in a > prior life. > > Since I think none of this is left in production and somebody should get use > from it... > > If you have a DHCP server on your VSWITCH, with entries in it like this: > > host lnx80151 { # ascii --> \0 L N X 8 0 1 5 1 <-- VM > username > option dhcp-client-identifier 00:4c:4e:58:38:30:31:35:31; > option host-name "linux-dhcp-demo"; > fixed-address 192.168.13.151; > } > > And change dhcpcd on your linux systems so that the client sends the VM > username as its client ID. On SLES this is the DHCLIENT_CLIENT_ID line in > /etc/sysconfig/dhcp: > > DHCLIENT_CLIENT_ID=`/usr/bin/awk '/VM00 Name:/ { print $NF }' > /proc/sysinfo` > > Then you'll get the ability for a clone to detect that it's been cloned, > using information provided by the DHCP client. From there, you can automate > all kinds of post-clone configuration (which is also useful for reconfiguring > guest network settings in in a DR test scenario), with dhcp-config-hook type > scripts (SuSE provides an example for changing smb.conf when the DHCP lease > changes). > > My dhcp-config-hook script was ugly but effective. I'll share it; check the > end of the message. I also had to write an early-stage init script to > regenerate UUIDs for LVM and XFS, that also worked off detecting that the VM > user name had changed. I'll share that too, since I'm sharing. You guys are > welcome to take from them what you need. > > > ok > bear. > > ---[BEGIN /etc/sysconfig/network/if-up.d/dhcpcd-config-hook]--- > > #! /bin/bash > # > # Update system config files after DHCP changes > # Inspired by SuSE 'dhcpcd-hook-samba' > # > # 20070426 rjs > # > # Apparently we receive these as arguments: > # $1 - configuration name, e.g. ifcfg-qeth-bus-ccw-0.0.a001 > # $2 - interface name, e.g. eth0 > # $3-$n - additional options. Unknown whether this is anything useful or > # important. > # > > # The important bits: > # 1. This script is called for every ifup, whether dhcp is used, or not. > # Therefore, it is up to us to read a bunch of junk to determine whether > # it's even appropriate to run. > # > # 2. I was cranky about the way the SuSE script relies on dhcpcd providing > # old lease information, but then realized that it was a handy interface > # for consolidating a few system maintenance processes that used to be > # separate, into one. If the SuSE DHCP client ever changes so that the > # old lease information is not available, things will become complicated > # again. > # > # 3. There is no number 3. > # > # 4. If we ever decide to use dhclient instead of dhcpcd, some of this will > # have to be rewritten. > # > # 5. The "new" version of dhcpcd is completely rewritten since SLES10 and no > # longer provides old lease information. This script has been updated to > # simulate this behavior. It creates an edge condition for the first run > # but as long as the extra step to create the initial old lease file > # stays in the process we should never encounter it (the edge condition) > # in normal operation. > # > > PATH=/bin:/sbin:/usr/bin:/usr/sbin ; export PATH > > # config file locations > > IF_CONFIG_FILE="/etc/sysconfig/network/ifcfg-${cfg}" > DHCP_CONFIG_FILE="/etc/sysconfig/network/dhcp" > > # files we may change > > SSH_HOST_KEYS='/etc/ssh/ssh_host*key*' > > FILES="HOSTN HOSTS DSM VSFTPD POSTFIX_MAIN ANALOG APACHE2" > > # don't let any of these variable names be the same as records in > # /var/lib/dhcpcd*info ! > > HOSTN="/etc/HOSTNAME" > HOSTS="/etc/hosts" > DSM="/etc/dsm.sys" > VSFTPD="/etc/vsftpd.conf" > POSTFIX_MAIN="/etc/postfix/main.cf" > ANALOG="/etc/analog.cfg" > APACHE2="/etc/apache2/default-server.conf" > > # > # Function declarations > # > > function log_debug() { > case "${options}" in > *debug*) > logger -t $0 -p daemon.debug "$1" > ;; > esac > } > > function log_error() { > logger -t $0 -p daemon.err "$1" > exit 1 > } > > function getLeaseInfo() { > DHCP_LEASE="/var/lib/dhcpcd/dhcpcd-${if}.info" > DHCP_OLD="/var/lib/dhcpcd/dhcpcd-${if}.info.old" > > # this will break on the first call after making the system > # a dhcp client... i.e. new install. I think in practice > # we should never see this happen. > > if [ -r ${DHCP_LEASE} -a -r ${DHCP_OLD} ] ; then > . $DHCP_LEASE > > new_CLIENTID=$CLIENTID > new_HOSTNAME=$HOSTNAME > new_DOMAIN=$DOMAIN > new_IPADDR=$IPADDR > > . $DHCP_OLD > > old_CLIENTID=$CLIENTID > old_HOSTNAME=$HOSTNAME > old_DOMAIN=$DOMAIN > old_IPADDR=$IPADDR > else > log_error "$0 can't read DHCP lease info. Aborting." > exit 1 > fi > } > > # > # end function decl. > # > > > if [ $# -lt 2 ] ; then > log_error "$0 did not receive the right number of arguments." > exit 1 > fi > > cfg="$1" ; shift > if="$1" ; shift > options="$@" # apparently this may begin with "-o" ... ? > > # > # Figure out whether we even ought to be running. > # > # 1. Check /etc/sysconfig/network/dhcp > # relies on extra variable not part of normal SuSE installation > # DHCLIENT_MODIFY_SYS_FILES (must be added for this to work) > # > # 2. Check /etc/sysconfig/network/ifcfg-(ifname) > # if we're not setup for dhcp on this interface, exit quietly > # > > if [ -r "$DHCP_CONFIG_FILE" ] ; then > . $DHCP_CONFIG_FILE > > case "${DHCLIENT_MODIFY_SYS_FILES}" in > yes|YES|Yes) : ;; > *) exit 0 ;; > esac > fi > > if [ -r "$IF_CONFIG_FILE" ] ; then > . $IF_CONFIG_FILE > > case "${BOOTPROTO}" in > dhcp|dhcp+autoip) : ;; > *) exit 0 ;; > esac > fi > > getLeaseInfo > > # > # did anything important change? > # > > predicate=0 > for info in CLIENTID HOSTNAME DOMAIN IPADDR ; do > new="new_$info" > old="old_$info" > log_debug "${info}: NEW \(${!new}\) OLD \(${!old}\)" > [ "${!new}" != "${!old}" ] && $((predicate++)) > done > > # > # if nothing important changed, end quietly, now. > # > > log_debug "PREDICATE $predicate" > [ $predicate -eq 0 ] && exit 0 > > > # > # something important changed, so fix files > # > > # first, clean up some cruft > > if [ "$old_CLIENTID" != "$new_CLIENTID" ] ; then > rm ${SSH_HOST_KEYS} > rm /root/.*history > fi > > new_LONGNAME=${new_HOSTNAME}.${new_DOMAIN} > old_LONGNAME=${old_HOSTNAME}.${old_DOMAIN} > log_debug "LONGNAME: NEW \($new_LONGNAME\) OLD \($old_LONGNAME\)" > > > echo "DHCP client configuration changed." > > for file in $FILES ; do > > if [ -r "${!file}" ] ; then > > echo " updating ${!file}." > cp ${!file} ${!file}.dhcpold > # this is ugly. > # change the old info to the new info > # but an old_IPADDR of 192.168.13.12 will also match 192.168.13.120, etc. > # so to make sure we get only the address (shortname, etc.) we care about > # (barring shortnames like "the" or "web" (eek!)) make sure the patterns > # are preceeded and followed only by whitespace, quotation marks, equal > # signs, open or close parentheses, BOL (^) or EOL ($), and that the > # replacements are preceeded and followed by the same. > > sed -e "s/\(^\|[(\"\' \t=]\)${old_LONGNAME}\([)\"\' > \t=]\|$\)/\1${new_LONGNAME}\2/ > s/\(^\|[(\"\' \t=]\)${old_HOSTNAME}\([)\"\' > \t=]\|$\)/\1${new_HOSTNAME}\2/ > s/\(^\|[(\"\' \t=]\)${old_IPADDR}\([)\"\' > \t=]\|$\)/\1${new_IPADDR}\2/ > s/\(^\|[(\"\' \t=]\)${old_CLIENTID}\([)\"\' > \t=]\|$\)/\1${new_CLIENTID}\2/" \ > ${!file}.dhcpold > ${!file} > > fi > done > > # keep it going since dhcpcd no longer does this for us, as of SLES 11. > # not needed (and undesireable) for SLES10 or earlier. > > cp $DHCP_LEASE $DHCP_OLD > > ---[END /etc/sysconfig/network/if-up.d/dhcpcd-config-hook]--- > > > ---[BEGIN /etc/init.d/boot.lvmunclone]--- > > #! /bin/bash > # > # - ;rjs > # - post cloning housework > # - 20090120 updated to gen new XFS UUIDs, in addition to LVM UUIDs > # > ### BEGIN INIT INFO > # Provides: boot.lvmunclone > # Required-Start: boot.udev boot.device-mapper > # Required-Stop: > # Should-Start: > # Should-Stop: > # Default-Start: B > # Default-Stop: > # Description: Guarantee unique LVM UUIDs on vgroot after cloning > ### END INIT INFO > > [ "$1" != "start" ] && exit 0 > > VG=vgroot > > # sed, awk, and grep are all in bin, dynamically linked with libc in /lib64 > # no need for /usr to be mounted, just for the dynamic loader to work > # > # xfs_admin is in /usr/sbin though. > # > > VM00=`awk '/VM00 Name/ { print $NF }' /proc/sysinfo` > TAGS=`vgs --noheadings -o vg_tags ${VG} | sed -e 's/,/ /g'` > > case ${TAGS} in > *${VM00}*) > # VG tagged with VM00 Name, no work needed > exit 0 > ;; > *) > # VG tagged with some other VM00 Name, we were cloned > echo "Regenerating LVM UUIDs (${VG})." > > for dev in `pvdisplay -c | awk -F':' "/:${VG}:/ { print \\$1 }"` ; do > pvchange -u ${dev} > done > > vgchange -u ${VG} > > for dev in `lvdisplay -c | awk -F':' "/:${VG}:/ { print \\$1 }"` ; do > xfs_admin -U generate ${dev} > done > > # update vg tags for next run. > for tag in ${TAGS} ; do > vgchange --deltag ${tag} ${VG} > done > > vgchange --addtag ${VM00} ${VG} > > ;; > esac > > ---[END /etc/init.d/boot.lvmunclone]--- > > ---------------------------------------------------------------------- > For LINUX-390 subscribe / signoff / archive access instructions, > send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit > http://www.marist.edu/htbin/wlvindex?LINUX-390 > ---------------------------------------------------------------------- > For more information on Linux on System z, visit > http://wiki.linuxvm.org/ ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390 ---------------------------------------------------------------------- For more information on Linux on System z, visit http://wiki.linuxvm.org/