Cobbler and SSH Keys

Posted by Joe Topjian on August 10, 2010 under Administration

Introduction

Utilizing SSH keys for server access, whether password-less or with a passphrase, is a staple of system administration and automation. However, configuring this type of access is usually done manually: an admin will manually log in to the server, manually create the /root/.ssh directory, and then manually paste the source server’s public SSH key into the authorized_keys file.

It would be beneficial to the admin if this process could be automated during the installation procedure. For one, automation ensures that no errors or typos creep in. For another, access is already configured when the server first boots, so the admin has one less step to worry about.

This article describes automating this procedure with Cobbler and Kickstart.

A Simple Snippet

The Kickstart Snippet Cookbook has a section that describes how to easily add an SSH public key to authorized_keys via a post-install snippet:

cd /root
mkdir --mode=700 .ssh
cat >> .ssh/authorized_keys << PUBLIC_KEY
ssh-rsa keykeykey admin@example.com
PUBLIC_KEY
chmod 600 .ssh/authorized_keys

This method is extremely easy to configure and works very well.

Expanding and Abstracting

The only part of this method that I'm not satisfied with is how the public key is hard-coded into the snippet. If the public key were to ever change, the snippet would have to be updated.

Instead, I would prefer to have the public key available on the network -- on a web server, for example. When the snippet runs, it could retrieve the public key from the web server and access would still be configured correctly.

The new snippet could look like this:

cd /root
mkdir --mode=700 .ssh
wget http://192.168.255.1/id_rsa.pub -O .ssh/authorized_keys
chmod 600 .ssh/authorized_keys

The wget command will retrieve the public key and save it as .ssh/authorized_keys. If you expect .ssh/authorized_keys to already exist and do not want it overwritten, you can append to it instead:

wget http://192.168.255.1/id_rsa.pub -O - >> .ssh/authorized_keys
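An added example, not part of the original article: wget -O truncates its output file before the transfer starts, so a failed download in the first form leaves root with an empty authorized_keys, and both forms install whatever the server returns. The sketch below fetches to a temporary file, accepts only a single well-formed public key line, optionally checks a pinned SHA-256, and appends idempotently; install_key, fetch_and_install and KEY_SHA256 are hypothetical names.

```shell
# Added example. KEY_URL is the article's URL; KEY_SHA256 is an assumed,
# optional pin (output of `sha256sum id_rsa.pub` on the key server).
KEY_URL="http://192.168.255.1/id_rsa.pub"
KEY_SHA256=""

# install_key SRC DEST [SHA256]  (hypothetical helper)
# Appends the key in SRC to DEST. Returns non-zero and leaves DEST untouched
# unless SRC is exactly one well-formed public key line (and matches the pin).
install_key() {
    src=$1; dest=$2; pin=${3:-}
    [ -s "$src" ] || return 1                      # empty or missing download
    [ "$(grep -c '' "$src")" -eq 1 ] || return 1   # exactly one line
    # key type, base64 blob, optional comment; no authorized_keys options
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$' \
        "$src" || return 1
    if [ -n "$pin" ]; then
        sum=$(sha256sum "$src" | cut -d' ' -f1)
        [ "$sum" = "$pin" ] || return 1
    fi
    dir=$(dirname "$dest")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$dest" && chmod 600 "$dest" || return 1
    key=$(cat "$src")
    # idempotent: re-running the snippet does not duplicate the entry
    grep -qxF "$key" "$dest" || printf '%s\n' "$key" >> "$dest"
}

# fetch_and_install: the call a %post snippet would make (hypothetical name).
fetch_and_install() {
    tmp=$(mktemp) || return 1
    if wget -q "$KEY_URL" -O "$tmp" &&
       install_key "$tmp" /root/.ssh/authorized_keys "$KEY_SHA256"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "key from $KEY_URL rejected; authorized_keys unchanged" >&2
    return 1
}
```

In a Cobbler snippet, wrap this in #raw ... #end raw so that Cheetah leaves the shell variables alone, and end the snippet with a call to fetch_and_install.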

wget Installation

Please note that to use this method, you have to make sure that wget will be installed on the target system. Even though most busybox install environments include wget, since this script runs as a post-install script, it uses the target system's available packages.

To ensure wget is installed on Red Hat-based distributions, simply add wget to the %packages section of your Kickstart file:

%packages
wget

Conclusion

This quick article described how to use Cobbler and Kickstart to automatically configure a newly installed server for SSH key-based access. It provided two solutions: a standard post-install script with the key hard-coded into the kickstart file, and a more abstracted solution with the public key stored in a centralized location.
