(if there is an obvious solution to this, then i'm just missing it.) i'm pondering how best to install a new linux distro on remote hosts, under the assumption that there will be someone *at* the remote site and able to invoke the program to kick the whole thing off -- that part is a given.
i've already written/stolen an installer which will download various binary images, and will (as root) partition the target disk, and create filesystems, and so on and so on ... again, that's not the issue. that the installer will have to run as root is kind of obvious, given its need to do low-level disk manipulation and so on, so no issue there. the issue is how to securely download the binary images (u-boot binary, root filesystem tarball, additional proprietary apps), etc, etc, where all those images are at a central and well-known IP address. so here's my thinking thus far. the consensus is that we should use "scp" to grab the images, which is fine with me, but how does one set this up to run "securely" in the first place. i can already see that the downloading does not require root privilege -- one can create a username like "installer", which has limited privileges and exists only for downloading. so do we use a password when invoking the remote account for "scp"? that would kind of defeat the purpose if passwords can be hacked (even if they're transmitted in ciphertext). each installer program could, upon being invoked at the remote site, create a private/public key pair for the "installer" account, but you can't use "ssh-copy-id" to add it to the central/server host without a password, so you're right back where you started. one idea i had is that downloading the base linux distro doesn't need to be that secure as it's just linux, but once that remote install comes up for the first time, it can (somehow securely) download the proprietary app. am i overthinking this? is there a simply solution i'm overlooking? rday -- ======================================================================== Robert P. J. Day Ottawa, Ontario, CANADA http://crashcourse.ca Twitter: http://twitter.com/rpjday LinkedIn: http://ca.linkedin.com/in/rpjday ======================================================================== _______________________________________________ Linux mailing list Linux@lists.oclug.on.ca http://oclug.on.ca/mailman/listinfo/linux