Deploying Red Hat Workstations

Rodolfo J. Paiz rpaiz at simpaticus.com
Wed Mar 17 17:38:38 UTC 2004


At 11:22 3/17/2004, you wrote:
>>Use the IP information to write a simple shell script that will `scp`
>>the file to the boxes (yes this means setting up a system account [don't
>>use root!] and keeping logins the same on all the boxes.  GUARD THIS
>>PASSWORD WITH YOUR LIFE).   Be sure to change the system box passwords
>>regularly and use a STRONG PASSWORD.  There may be a better way, but
>>this is all I can come up with right now.

Do not use passwords. As a matter of fact, disable logins for this account 
entirely. "passwd -l username" will lock the account, or you can use "*" as 
a password which effectively disables the password as well.

Instead, use private/public keys to scp. This is not interactive and there 
is no prompting required, which is quicker and cleaner. It is also more 
secure, in that keys are nearly impossible to guess. Then you can keep the 
private key on the central box (and guard *that* with your life!) and put 
the public keys on all the other boxes in the 
~username/.ssh/authorized_keys file with no risk whatsoever.

Note that I think you need to do this without assigning a passphrase to the 
private key, which in theory reduces the security provided *IF* you lose 
the private key. Of course, that's the same as losing the password so you're 
no worse off... and you can quickly and easily change the public key on all 
the other boxes if you feel the private one is compromised. Or you could 
quickly and easily change the public/private key once a month if desired... 
lots of things you can do.


-- 
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
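An added example, not code from the thread, of the setup described above: a dedicated, password-less deployment account whose public key goes into ~username/.ssh/authorized_keys, with the key restricted to the one job it exists for and rotated by replacing its line. It assumes POSIX sh plus GNU or BSD find; the key strings, the tag deploy@central, the forced command `scp -t` and the destination /etc/myapp are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key for a
# dedicated deployment account into SSHDIR/authorized_keys with options that
# limit what the key can do, and rotates it by tag. Key strings are constructed.
set -eu

# install_deploy_key SSHDIR TAG PUBKEY DESTDIR
# Writes one authorized_keys line for PUBKEY, restricted to receiving files into
# DESTDIR (forced "scp -t"), with no pty, no shell command and no forwarding.
# Any earlier line carrying the same TAG is dropped first, so a second call
# with a new key is the rotation step.
install_deploy_key() {
  sshdir=$1; tag=$2; pubkey=$3; destdir=$4
  ak="$sshdir/authorized_keys"
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  [ -f "$ak" ] || : > "$ak"
  grep -v -- " $tag\$" "$ak" > "$ak.new" || true   # grep exits 1 when nothing is left
  printf 'command="scp -t %s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s %s\n' \
    "$destdir" "$pubkey" "$tag" >> "$ak.new"
  mv "$ak.new" "$ak" && chmod 600 "$ak"
}

# count_tag SSHDIR TAG -> number of authorized_keys lines ending in TAG
count_tag() { grep -c -- " $2\$" "$1/authorized_keys" || true; }

# perms_ok SSHDIR -> succeeds if the directory is 0700 and the file 0600;
# sshd (StrictModes) ignores authorized_keys reachable through looser modes.
perms_ok() {
  [ -n "$(find "$1" -maxdepth 0 -perm 700)" ] &&
  [ -n "$(find "$1/authorized_keys" -maxdepth 0 -perm 600)" ]
}

# Demo on a scratch directory: install a key, then rotate it under the same tag.
DEMO=$(mktemp -d)
install_deploy_key "$DEMO/.ssh" deploy@central "ssh-ed25519 AAAAC3CONSTRUCTED1" /etc/myapp
install_deploy_key "$DEMO/.ssh" deploy@central "ssh-ed25519 AAAAC3CONSTRUCTED2" /etc/myapp
```

The account's password is still locked with `passwd -l` as the post says; with OpenSSH 9.0 and later, scp speaks SFTP by default, so clients must pass `scp -O` for a forced `scp -t` command to accept the transfer.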
