Oct 25 2011

I use Bcfg2 to create and synchronize the /etc/ssh/ssh_known_hosts file across all the machines I manage. The result of this is that the known_hosts file actually contains useful information.

The one case where this bites me is when I want to boot from a live CD and image the drive on the machine itself. Booting into the live CD and starting sshd creates new host keys, which gives me this ugly message:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
69:38:ba:80:93:b8:2a:29:ec:b3:65:e2:40:da:78:54.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /etc/ssh/ssh_known_hosts:153
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,keyboard-interactive).

I don’t want to go to the trouble of editing the global known_hosts file since it actually contains correct information (and someone may want to use that before bcfg2 runs again). Therefore, I just want to temporarily disable checking of the file. I found a cool little option for ssh to do just that. It’s called GlobalKnownHostsFile and we can set it to /dev/null to temporarily turn off the feature.

ssh -o GlobalKnownHostsFile=/dev/null

You will probably want to use this in conjunction with the UserKnownHostsFile option (also pointed at /dev/null) so that the client doesn’t save the temporary key to your ~/.ssh/known_hosts. With both files empty, ssh treats the live CD as an unknown host and asks you to confirm its fingerprint on each connection.
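Before pointing the global file at /dev/null it helps to confirm that the line ssh complains about (153 in the message above) really is the managed entry for the host being imaged, and to record that entry's fingerprint so the real key is recognisable once the machine is back up. The parser below is an added example, not code from this post or from Bcfg2; the sample ssh_known_hosts content and the key blobs in it are constructed, not real keys, and the fingerprint helpers hash whatever bytes a blob decodes to.

```python
import base64
import hashlib
import re

def md5_fingerprint(blob_b64: str) -> str:
    """Colon-separated MD5 fingerprint, the format shown in the warning."""
    digest = hashlib.md5(base64.b64decode(blob_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint as newer OpenSSH prints it (base64, no padding)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _pattern_matches(pattern: str, wanted: str) -> bool:
    # known_hosts wildcards are only '*' and '?'; everything else is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, wanted) is not None

def host_matches(patterns: str, host: str, port: int) -> bool:
    """Apply a comma-separated known_hosts pattern list; a '!' entry negates."""
    wanted = host if port == 22 else f"[{host}]:{port}"
    pats = patterns.split(",")
    if any(_pattern_matches(p[1:], wanted) for p in pats if p.startswith("!")):
        return False
    return any(_pattern_matches(p, wanted) for p in pats if not p.startswith("!"))

def offending_lines(known_hosts: str, host: str, port: int = 22) -> list:
    """(line number, key type, md5, sha256) for every entry matching host:port.
    Hashed entries (|1|...) cannot be matched without the salt and are skipped."""
    found = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or fields[0].startswith("|1|"):
            continue
        patterns, keytype, blob = fields[:3]
        if host_matches(patterns, host, port):
            found.append((lineno, keytype, md5_fingerprint(blob), sha256_fingerprint(blob)))
    return found

def _blob(label: str) -> str:
    # Constructed stand-in for a key blob: only its bytes are hashed here.
    return base64.b64encode(f"constructed-key-bytes-{label}".encode()).decode()

# Constructed sample of a bcfg2-managed /etc/ssh/ssh_known_hosts (not real keys).
SAMPLE_KNOWN_HOSTS = "\n".join([
    f"web1,web1.example.org,192.0.2.10 ssh-rsa {_blob('web1')}",
    f"[bastion.example.org]:2222 ssh-ed25519 {_blob('bastion')}",
    f"|1|saltsalt=|hashhash= ssh-rsa {_blob('hidden')}",
])
```

Run it against the real file with `offending_lines(open("/etc/ssh/ssh_known_hosts").read(), "host")` and compare the returned line number with the one in the warning.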

Posted at 16:49
Oct 23 2011

UPDATE: In response to a comment below, I have added this warning to the top. Please do not use any of these files unmodified. They have been created/tested for my purposes and are meant to be guides which will help you understand how the Debian preseed process works.

In this post, I will walk through a simple preseed file that can be used to install a very minimal Debian (wheezy) machine in ~10 minutes (depending on the mirror used). The installer will only ask for the hostname. Everything else will be automated.

To get started, you will want to download the netboot ISO. You can get this from http://tinyurl.com/67nlk8q or any other Debian mirror. If all your machines are on the same network, it may make sense to set up gPXE. Details on that will be covered in a later post.

In order to use the preseed file outlined below, you will need to boot with the following appended options (press TAB at the installer screen). Note that the debugging variables are only necessary if you are having trouble.

DEBCONF_DEBUG=5 locale=en_US.UTF-8 console-keymaps-at/keymap=us domain=unassigned-domain url=http://www.siriad.com/preseed/wheezy.cfg

The first thing we will do is configure the networking settings necessary to automate the install.

##############
# Networking
##############

# Uncomment and fill in these in order to preseed the hostname question
#d-i netcfg/get_hostname string unassigned-hostname
#d-i netcfg/get_domain string unassigned-domain
d-i netcfg/choose_interface select eth0
d-i mirror/http/proxy string

I am pointing to the default US Debian archive. You should change this to suit your setup. Also note that here is where we tell the installer to use the “wheezy” installation sources.

########################
# Installation Sources
########################

d-i mirror/country string US
d-i mirror/http/mirror string ftp.us.debian.org
d-i mirror/http/directory string /debian/
d-i mirror/suite string wheezy

Here, I am using the default partitioning scheme and wiping any existing partitions. You may need to change this if you want custom partitions.

#################################
# Disk Partitioning/Boot loader
#################################

d-i partman-auto/disk string /dev/sda
#d-i partman-auto/method string lvm
d-i partman-auto/method string regular
d-i partman-auto/purge_lvm_from_device boolean true

# And the same goes for the confirmation to write the lvm partitions.
#d-i partman-lvm/confirm boolean true

# You can choose from any of the predefined partitioning recipes.
# Note: this must be preseeded with a localized (translated) value.
#d-i partman-auto/choose_recipe \
#       select All files in one partition (recommended for new users)
d-i partman-auto/choose_recipe select /lib/partman/recipes/30atomic
#d-i partman-auto/choose_recipe \
#       select Separate /home partition
#d-i partman-auto/choose_recipe \
#       select Separate /home, /usr, /var, and /tmp partitions

# This makes partman automatically partition without confirmation.
d-i partman/confirm_write_new_label boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true

d-i grub-installer/only_debian boolean true
d-i grub-installer/with_other_os boolean true
d-i grub-pc/install_devices multiselect /dev/sda

Once again, your localization settings will likely differ from these, so modify as needed.

#################
# Localizations
#################

# Keyboard localization
d-i console-keymaps-at/keymap select us
#d-i console-setup/variantcode string dvorak

# Timezone
d-i clock-setup/utc boolean true
d-i time/zone string America/Chicago

d-i apt-setup/wheezy-updates boolean true
d-i apt-setup/non-free boolean true
d-i apt-setup/security-updates boolean true
d-i apt-setup/contrib boolean true

I usually don’t set up a default user when I install servers. These settings just create a root user (with login capabilities) having the password ‘r00tme’. You will not want to use this preseed file unmodified if your machine is connected directly to the internet. You can also configure preseed with a crypted root password, but I still recommend changing it once the install is complete.

#################
# User Creation
#################

d-i passwd/root-login boolean true
d-i passwd/make-user boolean false
d-i passwd/root-password password r00tme
d-i passwd/root-password-again password r00tme
d-i user-setup/allow-password-weak boolean true
d-i user-setup/password-weak boolean true

Set up Bcfg2 to do the post-install business (this will be covered in a later post).

#######################
# Software Selections
#######################

tasksel tasksel/first multiselect
d-i pkgsel/include string openvpn vim openssh-server
d-i base-installer/install-recommends boolean false
d-i popularity-contest/participate boolean false

# don't try and do automatic updates; that's bcfg2's job
d-i pkgsel/update-policy select none

d-i finish-install/reboot_in_progress note

d-i preseed/late_command string \
in-target wget http://www.siriad.com/preseed/postinst.sh -O /root/postinst.sh; \
in-target /bin/bash /root/postinst.sh

Posted at 17:18