Deploying Red Hat Workstations
Rodolfo J. Paiz
rpaiz at simpaticus.com
Wed Mar 17 17:38:38 UTC 2004
At 11:22 3/17/2004, you wrote:
>>Use the IP information to write a simple shell script that will `scp`
>>the file to the boxes (yes this means setting up a system account [don't
>>use root!] and keeping logins the same on all the boxes. GUARD THIS
>>PASSWORD WITH YOUR LIFE). Be sure to change the system box passwords
>>regularly and use a STRONG PASSWORD. There may be a better way, but
>>this is all I can come up with right now.
Do not use passwords. As a matter of fact, disable logins for this account
entirely. "passwd -l username" will lock the account, or you can use "*" as
a password which effectively disables the password as well.

Instead, use private/public keys to scp. This is not interactive and there
is no prompting required, which is quicker and cleaner. It is also more
secure, in that keys are nearly impossible to guess. Then you can keep the
private key on the central box (and guard *that* with your life!) and put
the public keys on all the other boxes in the
~username/.ssh/authorized_keys file with no risk whatsoever.

Note that I think you need to do this without assigning a passphrase to the
private key, which in theory reduces the security provided *IF* you lose
the private key. Of course, that's the same as losing the password so you're
no worse off... and you can quickly and easily change the public key on all
the other boxes if you feel the private one is compromised. Or you could
quickly and easily change the public/private key once a month if desired...
lots of things you can do.
--
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
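
The message above describes two things worth checking on each box: that the transfer account's password is locked, and that its public key can be swapped when the private key is suspect. The shell helpers below are an added example, not part of the original message. The function names are hypothetical, and the old key is assumed to be given in the usual "type blob comment" form.

```shell
#!/bin/sh
# Added example: helper names and the sample formats are assumptions.

# shadow_locked FILE USER
# Succeeds only if USER exists in the shadow-format FILE and the password
# field starts with "!" or "*", i.e. no password can match it
# ("passwd -l" prepends "!", and "*" is the manual form from the message).
shadow_locked() {
    awk -F: -v u="$2" '$1 == u { found = 1; ok = ($2 ~ /^[!*]/) }
        END { exit !(found && ok) }' "$1"
}

# rotate_key FILE OLD_PUB NEW_PUB
# Drops the authorized_keys line that carries OLD_PUB's key blob, appends
# NEW_PUB, and leaves every other key in FILE untouched.
rotate_key() {
    file=$1
    # Field 2 of "type blob comment" is the base64 key blob.
    old_blob=$(printf '%s\n' "$2" | awk '{ print $2 }')
    [ -n "$old_blob" ] || return 2
    # Temp file in the same directory so the final mv is an atomic rename.
    tmp=$(mktemp "${file}.XXXXXX") || return 2
    chmod 600 "$tmp"    # sshd ignores group- or world-writable key files
    # Exact field comparison, not a regex: "+" and "/" in base64 are safe,
    # and a line with leading options still matches on its blob field.
    awk -v b="$old_blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next
                            print }' "$file" > "$tmp" \
        || { rm -f "$tmp"; return 2; }
    printf '%s\n' "$3" >> "$tmp"
    mv "$tmp" "$file"
}
```

On the central box, the same rotate_key call can be run over ssh against each host's ~username/.ssh/authorized_keys while the old key is still accepted.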