Hello,

Thank you for the replies! I tried to replicate your setup with the following;

[root@cobbler ~]# cat /var/lib/cobbler/triggers/install/post/chef-key.sh

#!/bin/bash

/usr/bin/scp -i /root/.ssh/id_rsa -o "StrictHostKeyChecking no" -p /root/chef.key ${3}:/root/chef.key

Using Ubuntu 16.04 preseed with the following post install commands;

d-i preseed/late_command string in-target /usr/bin/ssh-keygen -f /root/.ssh/id_rsa -t rsa -N '' ; \

   echo 'ssh-rsa $COBBLER_PUBLIC_KEY cobbler' > /target/root/.ssh/authorized_keys ; \

   mkdir -p /target/var/run/sshd ; \

   in-target /usr/sbin/sshd ; \

   wget -O- http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default | chroot /target /bin/sh -s ; \

   in-target wget http://$http_server/xenial-sources.list -O /etc/apt/sources.list ;

However I am getting a lost connection whenever it tries to run the post trigger;

Tue Nov  1 23:41:58 2016 - DEBUG | running shell triggers from /var/lib/cobbler/triggers/install/post/*

Tue Nov  1 23:41:58 2016 - DEBUG | running shell trigger /var/lib/cobbler/triggers/install/post/chef-key.sh

Tue Nov  1 23:41:58 2016 - INFO | running: ['/var/lib/cobbler/triggers/install/post/chef-key.sh', 'system', 'cobbler-test', '192.168.1.50']

Tue Nov  1 23:42:13 2016 - INFO | received on stdout:

Tue Nov  1 23:42:13 2016 - DEBUG | received on stderr: ssh_exchange_identification: read: Connection reset by peer

lost connection

I inserted a sleep after the final post command and I could manually run the scp command fine while the system was still in the "running preseed" stage.

[root@cobbler ~]# /var/lib/cobbler/triggers/install/post/chef-key.sh system cobbler-test 192.168.1.50

...

Add correct host key in /root/.ssh/known_hosts to get rid of this message.

Offending ECDSA key in /root/.ssh/known_hosts:1

Password authentication is disabled to avoid man-in-the-middle attacks.

Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.

chef.key                                                                                                                                           100% 1679     1.6KB/s   00:00

Thanks for your help!

On Wed, Oct 26, 2016 at 6:51 PM, Orion Poplawski <orion@cora.nwra.com> wrote:

On 10/25/2016 09:49 PM, Tyler Wilson wrote:

Hey All,

New Cobbler user here. What is the best method of ensuring deployed
nodes have sensitive keys (chef keys, ssh, etc) securely uploaded when
completed? Am I able to send them securely from the cobbler host somehow?

Thanks for any and all tips!

I fire up sshd on my target system in %post:

#  Create temporary host key(s)
#   EL7
/usr/sbin/sshd-keygen
#   Fedora
/usr/libexec/openssh/sshd-keygen rsa
#  Start sshd so that we can copy over the ansible key in the cobbler post trigger
/usr/sbin/sshd

Then I have a cobbler install trigger copy the ssh key over:

# cat /var/lib/cobbler/triggers/install/post/ansible_key
#!/bin/bash
[ "$1" = system ] &&
  /usr/bin/scp -i /root/.ssh/id_rsa_cobbler -o "StrictHostKeyChecking no" -p /root/.ssh/id_rsa_ansible ${2}:/root/.ssh/id_rsa_ansible


I suppose someone could the activate the trigger directly and receive the key, but this is the best that I was able to come up with.


--
Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA/CoRA Division                    FAX: 303-415-9702
3380 Mitchell Lane                  orion@cora.nwra.com
Boulder, CO 80301              http://www.cora.nwra.com

_______________________________________________
cobbler mailing list -- cobbler@lists.fedorahosted.org
To unsubscribe send an email to cobbler-leave@lists.fedorahosted.org