Re: ssh with diskless machines
From: Peter <email@example.com>
Date: Tue, 18 Mar 2003 09:48:52 +0100
To: firstname.lastname@example.org
Thanks for your replies.
Crist J. Clark writes:
> If you cannot store a secret on the individual workstations, you are
> hosed. There just isn't a way to authenticate in this kind of
> environment without a secret. Giving the workstations host keys via
But what if we do not use host key authentication? I mean the host key is
only used if I ssh to that machine, and then it is only checked
against the key stored in my known_hosts file. As far as I understand
the problem, someone wearing a black hat grabs the key
because it is sent over the network unencrypted (via NFS, DHCP, tftp,
...), turns off one of the workstations, uses its IP address for his
laptop, plugs his laptop/PDA/... into our network, starts sshd with this
key, and waits until someone ssh's there; bingo, whoever has logged in
is caught. Is that the scenario we are talking about?
> NFS (heck, might as well give them all the same set of keys) just to
That would be even worse, or does it really not matter?
> make SSH happy seems like your only option. This is OK as long as you
> understand what it means, and you can live with that.
> The good news is that your authentication is no worse than it was
> under the r-commands. The bad news is that it is no better
> either. You're still vulnerable to man-in-the-middle attacks, but
> sniffing and injection attacks are cut out.
> > The other idea is of course to generate the keys each time a
> > workstation boots, but that would mean to often edit the known_hosts
> > file and perhaps use the "StrictHostKeyChecking no" option.
> And changing the known_hosts file without manually checking that the
> key is correct is pointless anyway.
> > Using DHCP does not look like a better idea than NFS, or does it?
> Huh? You mean passing the keys as a DHCP option? Never thought of
> that. But no, it's not a better idea. You wouldn't gain anything.
Yes, that's what I meant, sorry for being so imprecise. We even
thought of using sftp to get the keys, or how about LDAP?
-- Peter Kruse <email@example.com> Q-Leap Networks GmbH +497071-703171
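The thread weighs handing every diskless workstation the same host key; the script below is an added example, not part of this e-mail exchange or Q-Leap's tooling, that audits a known_hosts file for keys presented by more than one entry, which is the symptom an admin would see on the client side of such a setup. The known_hosts content and key blobs are constructed placeholders, not real SSH keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed placeholder key blobs (valid base64, NOT real SSH public keys).
KEY_A = base64.b64encode(b"constructed-placeholder-key-A").decode()
KEY_B = base64.b64encode(b"constructed-placeholder-key-B").decode()

# Constructed known_hosts sample: ws1, ws2 and a hashed entry all present
# KEY_A (the "same set of keys for every workstation" setup from the thread).
SAMPLE_KNOWN_HOSTS = f"""\
# diskless workstations
ws1.example.org,10.0.0.11 ssh-rsa {KEY_A}
ws2.example.org,10.0.0.12 ssh-rsa {KEY_A}
|1|c2FsdA==|aGFzaA== ssh-rsa {KEY_A}
@revoked server0.example.org ssh-ed25519 {KEY_B}
server1.example.org ssh-ed25519 {KEY_B}
"""


def parse_known_hosts(text):
    """Yield (hostfield, keytype, key_b64) for each plain host-key line.
    Blank lines, comments and @marker lines (@revoked, @cert-authority)
    are skipped; the markers are not ordinary host keys."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, nothing to check
        yield fields[0], fields[1], fields[2]


def fingerprint(key_b64):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(text):
    """Return {fingerprint: [hostfields]} for keys seen in more than one entry.
    One entry is one line (a name and its IP on the same line are one machine);
    a machine split across two lines is also reported, so review the hits."""
    entries = defaultdict(set)
    for hostfield, _keytype, key in parse_known_hosts(text):
        entries[fingerprint(key)].add(hostfield)
    return {fp: sorted(h) for fp, h in entries.items() if len(h) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print(f"{fp} presented by {len(hosts)} entries: {', '.join(hosts)}")
```

Run it against `~/.ssh/known_hosts` or the system-wide `ssh_known_hosts` by passing the file contents to `find_shared_keys`; hashed entries (`|1|...`) cannot be mapped back to a name but still count toward the reuse total.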