From: WALTERS,DENISE (HP-FtCollins,ex1) <den...@hp...> - 2003-07-25 15:18:05
Brian and Dann,

What timeframe are you looking at for incorporating the info in the
manual so I can plan for time?

Thanks,
Denise

> -----Original Message-----
> From: Brian Elliott Finley [mailto:br...@bg...]
> Sent: Friday, July 25, 2003 9:11 AM
> To: dann frazier
> Cc: sis...@li...; br...@bg...; Anton Smith;
> SISuite Users
> Subject: [Sisuite-docs] Re: [Sisuite-users] Re: getting an image
> through SSH
>
> Thus spake dann frazier (da...@de...):
> > There is definitely a lack of ssh information in the manual, so
> > how about I add this in the Usage chapter, in its own section?
>
> Yes, yes, yes!
>
> I really like going in the direction similar to the Flamethrower
> chapter. Something like "HOWTO Use SSH for Secure Installs".
>
> > Brian: is what Anton describes currently the recommended procedure?
> >
> > On Thu, Jul 17, 2003 at 11:22:41PM +1200, Anton Smith wrote:
> > > Solved this for myself, and thought I'd post it here for
> > > everyone else.
> > >
> > > (just a reminder, this is for pulling images across to your
> > > server via ssh).
> > >
> > > 1) run prepareclient on your goldenclient as you usually do.
>
> Yes.
>
> > > Immediately after it starts, ps -ef | grep for rsync and kill
> > > the daemon it started. Take note of the config file it used,
> > > most likely it will be in /tmp.
> > >
> > > 2) edit the rsync config file from above, and under [root],
> > > change it so it looks like this:
> > >
> > > auth users = root
> > > path = /
> > > hosts allow = clientsiphere
> > > hosts deny = *
> > >
> > > This locks it down so that only root can log in and so that the
> > > only host that can connect is the client itself (we will be ssh
> > > tunneling so the packets will appear to come from the client
> > > itself, which is why this works).
> > >
> > > 3) run "rsync --daemon --config=/tmp/rsyncd.conf.xxxxx".
> > > Tail /var/log/syslog to make sure the daemon came up okay and
> > > didn't complain about any of your new config changes (if it
> > > ignores any of your security lines then it will be listening
> > > for any host, which is a bad [tm] thing).
>
> This is not the intended use, but certainly you could do it this way.
> It is assumed that the client is firewalling everything but ssh to
> itself. Running the rsync daemon wide open is ok in this case,
> assuming that there are no malicious local users on the golden client.
>
> When you run getimage, use the --ssh-user option, and the image will
> be retrieved using rsync over ssh.
>
> > > All of the following is on your image server:
> > >
> > > 4) Bring up the ssh tunnel:
> > > ssh -C -L localport:goldenclients_ip:873 root@goldenclients_ip
> > > and enter the root password.
> > >
> > > 5) Switch to another terminal on your imageserver (make sure you
> > > leave the ssh session you opened in step 4 open), and run
> > > getimage -golden-client localhost:localport -image imagename
> > > (make sure you use the same value for localport here as you did
> > > in step 4. It can be any port but ideally should be an ephemeral
> > > one and not already in use. As an example I use 15000 but you
> > > could use whatever you like).
> > >
> > > 6) From here, it should be just like a normal getimage. When
> > > it's all finished you can log out of your ssh session/tunnel,
> > > and you can also kill the rsync daemon on your golden client.
>
> All of the above is handled for you by getimage if you use the
> --ssh-user option. Also look at the details at the bottom of the
> local.cfg file for autoinstall related details.
>
> Anton,
>
> This was a clever way to figure out how to do this, and I wonder if
> the hosts allow and hosts deny options are something we should
> consider adding to prepareclient.
>
> Dann, what do you think? prepareclient --server HOSTNAME (option to
> add the host allow/deny params)?
>
> Also, Anton, can we put you down as an OFFICIAL_TESTER? And have you
> do the ssh testing when we do new releases?
>
> Cheers, -Brian
>
> > > Voila :)
> > >
> > > Regards,
> > > Anton
>
> --
> ---------------------------------------------------------
> Brian Elliott Finley Phone: 630.803.8183
> GPG: 3FF8 D096 0E0C D3F3 29B7 6518 D20B 1931 10F8 EE52
> ---------------------------------------------------------
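
Added example, not part of the original thread and not SystemImager code: a small audit of an rsyncd.conf that reports when the lockdown settings from step 2 (auth users, hosts allow, hosts deny) are missing, too broad, or written so that they are not a valid "name = value" setting, which is the failure step 3 warns about. The function names, the sample configs and the address 192.0.2.10 are assumptions made up for the illustration.

```python
import re

# Checks for the three lockdown settings from step 2 of the thread.
REQUIRED = {
    "auth users": lambda v: v != "",
    "hosts allow": lambda v: v not in ("", "*", "0.0.0.0/0"),
    "hosts deny": lambda v: v == "*",
}

def parse(text):
    """Return (global_params, {module: params}, [(lineno, malformed_line)])."""
    global_params, modules, malformed = {}, {}, []
    current = global_params
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name before storing it.
            current[" ".join(key.lower().split())] = value.strip()
        else:
            malformed.append((lineno, line))
    return global_params, modules, malformed

def audit(text):
    """List every reason a module is not restricted the way step 2 intends."""
    global_params, modules, malformed = parse(text)
    findings = [f"line {n}: not a 'name = value' setting: {l!r}" for n, l in malformed]
    for name, params in modules.items():
        effective = {**global_params, **params}  # module values override globals
        for key, ok in REQUIRED.items():
            if key not in effective:
                findings.append(f"[{name}] '{key}' is not set")
            elif not ok(effective[key]):
                findings.append(f"[{name}] '{key} = {effective[key]}' does not match the lockdown")
    return findings

# Constructed samples; 192.0.2.10 is a documentation address, not from the thread.
WEAK = "[root]\nauth users root\npath = /\nhosts allow = 192.0.2.10\n"
LOCKED = "[root]\nauth users = root\npath = /\nhosts allow = 192.0.2.10\nhosts deny = *\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("locked", LOCKED)):
        print(label, audit(conf) or "ok")
```

Run it against the edited config before restarting the daemon; an empty result means all three settings are present for every module.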