So, since about January 2015 I’ve been renting a dedicated root server over at OVH - but as their customer interface still is on Leap 42 I performed the last few installs remotely. In the past I used sshpassword to set a rather complex password - but as I plan to do a live-stream this time I looked for a way to use an ssh key. At least for the install system the ssh.key option can be used (according to the linuxrc page) - but for the first time login I still have to use the password set during install.
Is there any way to have the ssh key loaded during the setup system (or another different one) be copied into the installed system at the end of install so I don’t have to use password based login?
Bonus question: As I plan to clean the hdd before setup it will not be able to copy over the ssh id from the current running 15.1 - but it’ll have to generate a new one on first time start up. As this will change the fingerprint and I don’t have a console I can’t verify the fingerprint. Is there a way to either have the setup install a specific ssh id - or to have it auto-publish its newly generated fingerprint to some remote endpoint over a secured channel?
Don’t get me wrong - I’m not one of those “I fear Snowden” - but during a live stream some shady people can (and maybe will) try to do nasty things - which I would like to secure against.
Hi
Just copy your public key, e.g. ~/.ssh/id_rsa.pub, to the remote host’s ~/.ssh/authorized_keys (create the file if it doesn’t exist) and you should be good to go…
Should be able to backup the old key and use it during install?
sorry - but you missed the point - as this still would require logging in at least once using a user’s password
the question is: how to let the install copy a public key from a remote url so there’s no need for logging in with a user’s password upfront to copy the key manually
I don’t want to - I want to get rid of the old key of the old install and let the system generate a new one when the new sshd starts up for the first time
and although I don’t see any point in me privately setting up a new os over a remote install - there has to be some business solution as most of them most likely use automated systems - which are likely to fail when the new fingerprint isn’t known - also: not just re-install on an existing system but also introduce new systems to the ecosystem
no one has the time to manually enter the new fingerprint into some database - there just has to be some automated way
currently it comes down to: without manually crafting some package - make it available in some repo - and have it install along the initial setup - and somehow to have it start up during boot which just contains some simple script to perform the tasks - there doesn’t seem to be a way to pass some parameters to the setup to perform post-install scripts to have it install some auto scripts into the installed system
main issue: I don’t know any way to stop that 10 second counter at the end of install to perform the tasks myself - is there one?
well - I don’t have rights to edit my post - hence the additional reply:
in fact - as the setup environment is a “live” system in terms of it loads its ramdisk over the net and then starts it - it also generates a temporary ssh fingerprint for it - without a way to have it publish that one - or somehow load some secured prepared id with a known fingerprint
I guess I’ll just drop the idea to stream the install as there are too many points either not automatable or not securable to do such a stream …
it really lets me ask: am I the first one having that idea for the past 30 years? the fact linuxrc does have an option to install remotely via ssh points out that at least someone somewhen had this idea and implemented the idea to have a remote install - but it still misses many features - at least in my opinion - or they’re not documented
You need to explain your idea so that others can also understand it. You use some terms you coined like “ssh id” which makes no sense - there are “user id” and “ssh identity file”. Nor do we know what you call “stream install”. Nor do we know whether you are talking about host keys or user keys (normally you check fingerprint of host key but “replacing password login with public key login” suggests you mean user key).
In general, if you use automatic installation with AutoYaST it allows you to define users, set authorized_keys for these users (which covers your original question about passwordless login), run commands/scripts at several points during installation where you can do whatever you like including publishing generated host key fingerprint to whatever location you deem “secure”. Otherwise it is really up to you to implement as part of your custom “stream install” solution.
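
An added example, not part of the thread and not taken from the AutoYaST documentation: a profile fragment showing the two things the last reply describes, a root user with authorized_keys and a first-boot script that reports the host key fingerprints. The public key, the collector URL and the script name are placeholders, and the element names should be checked against the AutoYaST guide for the release being installed.

```xml
<?xml version="1.0"?>
<!DOCTYPE profile>
<profile xmlns="http://www.suse.com/1.0/yast2ns"
         xmlns:config="http://www.suse.com/1.0/configns">
  <!-- Fragment only: partitioning, software, networking etc. are omitted. -->
  <users config:type="list">
    <user>
      <username>root</username>
      <!-- Placeholder: paste the admin's own public key line here. -->
      <authorized_keys config:type="list">
        <listentry>ssh-ed25519 PLACEHOLDER_PUBLIC_KEY admin@workstation</listentry>
      </authorized_keys>
    </user>
  </users>
  <scripts>
    <!-- init-scripts run once on the first boot of the installed system. -->
    <init-scripts config:type="list">
      <script>
        <filename>publish-hostkey.sh</filename>
        <source><![CDATA[#!/bin/sh
set -eu
# Assumption: hypothetical collector that you operate and authenticate.
ENDPOINT="https://fingerprints.example.net/report"
# Create any host keys that do not exist yet, so the values reported
# are the ones sshd will present.
ssh-keygen -A
# Send only public data: hostname plus the SHA256 fingerprint of each
# host public key. curl verifies the TLS certificate by default.
{
  hostname
  for pub in /etc/ssh/ssh_host_*_key.pub; do
    ssh-keygen -l -E sha256 -f "$pub"
  done
} | curl --fail --silent --show-error --data-binary @- "$ENDPOINT"
]]></source>
      </script>
    </init-scripts>
  </scripts>
</profile>
```

The fingerprint received by the collector is then compared with the one the SSH client displays on the first connection to the installed system. Only public key material leaves the host, but the profile itself should be fetched over HTTPS so the authorized key cannot be swapped in transit.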