Redhat – When are root’s SSH keys generated

anacondakickstartredhatssh-keygenssh-keys

I have hosts with and without keys in /root/.ssh. I've noticed before some on screen feedback for SSH key generation on start up (first time.) But I am not sure what the catalyst is. I have looked in /root/anaconda-ks.cfg and don't see anything different that could lead to this.

What was chosen/enabled for the servers that do versus the ones that do not?

Note: I know I can do it manually — I am just looking to understand when / how it is inconsistently generated.

Best Answer

I think you are confusing it with host keys.

Host keys are generated on first boot. (Well, or when the ssh server starts the first time).

The directory /root/.ssh is created when you first use ssh (the client). It stores the known_hosts file here (containing the public keys of hosts your have been connected before).

One can use ssh-keygen to create public/private keypair (it is name /root/.ssh/id_rsa and /root/.ssh/id_rsa.pub per default).

Related Solutions

How Exactly Are SSH Keys Generated

SSH uses pre-generated public and private keys. Once generated these keys are stored for future use. The content of the keys should not be related to the hardware or O/S, but do depend on the random numbers they provide.

There are various formats used to transport the keys. If you move from one platform to another you may need to change the key format. Putty uses a different format than OpenSSH, but there are tools for both to convert the format.

The private key should rarely need to be transported. If they are they must be kept secure. Public keys and are freely distributable, and are automatically exchanged during the connection. Usually known keys are stored so that the verification dialog is not required on subsequent connections.

I generally generate new keys for new devices as this is more secure. It does require re-establishing trust relationships. Copying the old keys may allow the transfer of trust. Sometimes the trust includes other information such as hostname and/or IP address preventing the transfer of trust.

An existing known host list can be transferred. This allows you to transfer the list of devices you trust. This does not guarantee they will trust you.

Linux – Upgrade the Ubuntu puppet package within kickstart process

I've never kickstarted ubuntu but I use it for centos/rhel. Why are you installing the base puppet package at all? I add my local yum repo for puppet (and epel) to the install process as part of the main kickstart script. Eg.

repo --name=local --baseurl=http://...

I then have the %post section launch puppet, which handles configuring all the yum repos I'd like to use by installing the proper rpms for them (eg., epel-release).

I have also had kickstart just install the old epel version (0.25.x) and then have puppet-client module manage upgrading the client to 2.6.x.

Best Answer

Related Solutions

How Exactly Are SSH Keys Generated

Linux – Upgrade the Ubuntu puppet package within kickstart process

Related Topic