The only remaining complication, and it is a minor one, is that since the remote system has a new set of keys each time it boots, on the client one must delete the previous key or it won't connect because it thinks it sees a man in the middle attack.
-ostricthostkeychecking=no or simply use ssh-keygen -R
Depending on your circumstances, instead of regenerating the system keys, you could put the system keys into the boel load so they never change.
definitely. I've never heard of any scenario where using the same hostkey for multiple hosts was a serious risk. obviously it matters more if you use shosts.equiv, and possibly if the network is spoofable.
You could also put your public key into boel and change the config to:
PermitEmptyPasswords no
PasswordAuthentication no
to ensure you and only you get to log in...
well, having staff pubkeys in the rescue net-boot image seems like a bit of a headache. I suppose the build-net-boot-image script could fetch them from ~root/.ssh/authorized_keys. I feel a lot safer when I very rarely need to type a password. (it does mean being mindful of which hosts are doing agent-forwarding.)
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
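An added example, not from the thread and not BOEL's own code: one way an image-build step could fetch staff public keys from root's authorized_keys and pin the two sshd_config settings quoted above. The function name `stage_ssh_access` and the image-root layout (`etc/ssh/sshd_config`, `root/.ssh/`) are assumptions.

```shell
#!/bin/sh
# stage_ssh_access SRC_KEYS IMAGE_ROOT   (hypothetical helper, added example)
# Copies the key lines from SRC_KEYS into the image and forces
# key-only login in the image's sshd_config.
stage_ssh_access() {
    src=$1
    root=$2
    conf="$root/etc/ssh/sshd_config"
    dest="$root/root/.ssh/authorized_keys"

    # Keep only real entries: drop comments and blank lines.
    keys=$(grep -Ev '^[[:space:]]*(#|$)' "$src" 2>/dev/null) || true

    # With passwords disabled, an image without keys is an image nobody
    # can log in to, so fail the build before touching the image tree.
    if [ -z "$keys" ]; then
        echo "stage_ssh_access: no public keys found in $src" >&2
        return 1
    fi

    mkdir -p "$root/root/.ssh" "$root/etc/ssh" || return 1
    chmod 700 "$root/root/.ssh"
    printf '%s\n' "$keys" > "$dest" || return 1
    chmod 600 "$dest"   # sshd's StrictModes rejects group/world-writable files

    [ -f "$conf" ] || : > "$conf"
    tmp="$conf.tmp.$$"
    {
        # sshd uses the first value it reads for a keyword, and anything
        # after a Match line is conditional, so the pinned settings go first.
        printf '%s\n' 'PermitEmptyPasswords no' 'PasswordAuthentication no'
        # Drop every other occurrence (active, commented out, or inside a
        # Match block) so no later line appears to contradict them.
        grep -Eiv '^[[:space:]]*#?[[:space:]]*(PermitEmptyPasswords|PasswordAuthentication)[[:space:]=]' "$conf" || true
    } > "$tmp" || return 1
    mv "$tmp" "$conf"
}

# Typical call from a build script (paths are examples):
#   stage_ssh_access /root/.ssh/authorized_keys /tmp/boel-root || exit 1
```

Running `sshd -t -f <image-root>/etc/ssh/sshd_config` afterwards checks that the resulting file still parses.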