From: dann f. <da...@de...> - 2003-07-20 22:10:50

There is definitely a lack of ssh information in the manual, so how about I add this in the Usage chapter, in its own section? Brian: is what Anton describes currently the recommended procedure?

On Thu, Jul 17, 2003 at 11:22:41PM +1200, Anton Smith wrote:
> Solved this for myself, and thought I'd post it here for everyone else.
>
> (just a reminder, this is for pulling images across to your server via ssh).
>
> 1) run prepareclient on your goldenclient as you usually do. Immediately after it starts, ps -ef | grep for rsync and kill the daemon it started. Take note of the config file it used, most likely it will be in /tmp.
> 2) edit the rsync config file from above, and under [root], change it so it looks like this:
>
> auth users root
> path = /
> hosts allow = clientsiphere
> hosts deny = *
>
> This locks it down so that only root can log in and so that the only host that can connect is the client itself (we will be ssh tunneling so the packets will appear to come from the client itself, which is why this works).
>
> 3) run "rsync --daemon --config-file /tmp/rsyncd.conf.xxxxx". Tail /var/log/syslog to make sure the daemon came up okay and didn't complain about any of your new config changes (if it ignores any of your security lines then it will be listening for any host, which is a bad [tm] thing).
>
> All of the following is on your image server:
>
> 4) Bring up the ssh tunnel: ssh -C -L localport:goldenclients_ip:873 root@goldenclients_ip and enter the root password.
> 5) Switch to another terminal on your imageserver (make sure you leave the ssh session you opened in step 4 open), and run getimage -golden-client localhost:localport -image imagename (make sure you use the same value for localport here as you did in step 4. It can be any port but ideally should be an ephemeral one and not already in use. As an example I use 15000 but you could use whatever you like).
> 6) From here, it should be just like a normal getimage. When it's all finished you can log out of your ssh session/tunnel, and you can also kill the rsync daemon on your golden client.
>
> Voila :)
>
> Regards,
> Anton
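The procedure Anton describes, as an added shell example that is not SystemImager's own code: it writes the locked-down [root] module, refuses to start the daemon unless both restriction lines are actually present, and wraps the tunnel plus getimage step on the server side. The config path, the secrets file and the sample client IP 192.0.2.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not SystemImager's own code. Paths, the secrets file and
# the sample IP used in the test are assumptions.

# Emit a [root] module that only root may use and only one host may reach.
# $1 = the golden client's own IP: with the ssh tunnel every connection
# arrives from the client itself, so nothing else needs to be allowed.
# (rsync requires a secrets file whenever "auth users" is set.)
make_rsyncd_conf() {
    cat <<EOF
[root]
    path = /
    auth users = root
    secrets file = /etc/rsyncd.secrets
    hosts allow = $1
    hosts deny = *
EOF
}

# Return 0 only if the config in $1 carries both restriction lines.
# A daemon started without them answers any host, so verify before
# starting it (and still watch syslog as the thread suggests).
check_rsyncd_conf() {
    grep -q '^[[:space:]]*hosts allow[[:space:]]*=' "$1" &&
    grep -q '^[[:space:]]*hosts deny[[:space:]]*=[[:space:]]*\*' "$1"
}

# Golden client: write the config, verify it, then start the daemon.
start_locked_daemon() {   # $1 = client IP, $2 = config path
    make_rsyncd_conf "$1" > "$2"
    check_rsyncd_conf "$2" || { echo "refusing to start: $2 is not restricted" >&2; return 1; }
    rsync --daemon --config="$2"
}

# Image server: forward a local port over ssh to the client's rsync daemon
# (compression on, no remote command), then pull the image through it.
# The tunnel stays up in the background until you kill that ssh process.
tunnel_getimage() {   # $1 = client IP, $2 = local port (e.g. 15000), $3 = image name
    ssh -C -f -N -L "$2:$1:873" "root@$1" &&
    getimage -golden-client "localhost:$2" -image "$3"
}
```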
From: Brian E. F. <br...@bg...> - 2003-07-25 15:12:30

Thus spake dann frazier (da...@de...):
> There is definitely a lack of ssh information in the manual, so
> how about I add this in the Usage chapter, in its own section?

Yes, yes, yes! I really like going in the direction similar to the Flamethrower chapter. Something like "HOWTO Use SSH for Secure Installs".

> Brian: is what Anton describes currently the recommended procedure?
>
> On Thu, Jul 17, 2003 at 11:22:41PM +1200, Anton Smith wrote:
> > Solved this for myself, and thought I'd post it here for everyone else.
> >
> > (just a reminder, this is for pulling images across to your server via ssh).
> >
> > 1) run prepareclient on your goldenclient as you usually do.

Yes.

> > Immediately after it starts, ps -ef | grep for rsync and kill the daemon it started. Take note of the config file it used, most likely it will be in /tmp.
> > 2) edit the rsync config file from above, and under [root], change it so it looks like this:
> >
> > auth users root
> > path = /
> > hosts allow = clientsiphere
> > hosts deny = *
> >
> > This locks it down so that only root can log in and so that the only host that can connect is the client itself (we will be ssh tunneling so the packets will appear to come from the client itself, which is why this works).
> >
> > 3) run "rsync --daemon --config-file /tmp/rsyncd.conf.xxxxx". Tail /var/log/syslog to make sure the daemon came up okay and didn't complain about any of your new config changes (if it ignores any of your security lines then it will be listening for any host, which is a bad [tm] thing).

This is not the intended use, but certainly you could do it this way. It is assumed that the client is firewalling everything but ssh to itself. Running the rsync daemon wide open is ok in this case, assuming that there are no malicious local users on the golden client. When you run getimage, use the --ssh-user option, and the image will be retrieved using rsync over ssh.

> > All of the following is on your image server:
> >
> > 4) Bring up the ssh tunnel: ssh -C -L localport:goldenclients_ip:873 root@goldenclients_ip and enter the root password.
> > 5) Switch to another terminal on your imageserver (make sure you leave the ssh session you opened in step 4 open), and run getimage -golden-client localhost:localport -image imagename (make sure you use the same value for localport here as you did in step 4. It can be any port but ideally should be an ephemeral one and not already in use. As an example I use 15000 but you could use whatever you like).
> > 6) From here, it should be just like a normal getimage. When it's all finished you can log out of your ssh session/tunnel, and you can also kill the rsync daemon on your golden client.

All of the above is handled for you by getimage if you use the --ssh-user option. Also look at the details at the bottom of the local.cfg file for autoinstall related details.

Anton, this was a clever way to figure out how to do this, and I wonder if the hosts allow and hosts deny options are something we should consider adding to prepareclient.

Dann, what do you think? prepareclient --server HOSTNAME (option to add the host allow/deny params)?

Also, Anton, can we put you down as an OFFICIAL_TESTER? And have you do the ssh testing when we do new releases?

Cheers,
-Brian

> > Voila :)
> >
> > Regards,
> > Anton
> >

--
---------------------------------------------------------
Brian Elliott Finley Phone: 630.803.8183
GPG: 3FF8 D096 0E0C D3F3 29B7 6518 D20B 1931 10F8 EE52
---------------------------------------------------------
From: dann f. <da...@hp...> - 2003-07-28 20:22:12

On Fri, Jul 25, 2003 at 10:10:52AM -0500, Brian Elliott Finley wrote:
> This was a clever way to figure out how to do this, and I wonder if the
> hosts allow and hosts deny options are something we should consider
> adding to prepareclient.
>
> Dann, what do you think? prepareclient --server HOSTNAME (option to
> add the host allow/deny params)?

Having an option that adds restriction options to the generated rsyncd.conf would make sense to me.