Hey All, New Cobbler user here. What is the best method of ensuring deployed nodes have sensitive keys (chef keys, ssh, etc) securely uploaded when completed? Am I able to send them securely from the cobbler host somehow? Thanks for any and all tips!

Hello, Thank you for the replies! I tried to replicate your setup with the following; [root@cobbler ~]# cat /var/lib/cobbler/triggers/install/post/chef-key.sh #!/bin/bash /usr/bin/scp -i /root/.ssh/id_rsa -o "StrictHostKeyChecking no" -p /root/chef.key ${3}:/root/chef.key Using Ubuntu 16.04 preseed with the following post install commands; d-i preseed/late_command string in-target /usr/bin/ssh-keygen -f /root/.ssh/id_rsa -t rsa -N '' ; \ echo 'ssh-rsa $COBBLER_PUBLIC_KEY cobbler' > /target/root/.ssh/authorized_keys ; \ mkdir -p /target/var/run/sshd ; \ in-target /usr/sbin/sshd ; \ wget -O- http://$http_server/cblr/svc/op/script/$what/$name/?script=preseed_late_default | chroot /target /bin/sh -s ; \ in-target wget http://$http_server/xenial-sources.list -O /etc/apt/sources.list ; However I am getting a lost connection whenever it tries to run the post trigger; Tue Nov 1 23:41:58 2016 - DEBUG | running shell triggers from /var/lib/cobbler/triggers/install/post/* Tue Nov 1 23:41:58 2016 - DEBUG | running shell trigger /var/lib/cobbler/triggers/install/post/chef-key.sh Tue Nov 1 23:41:58 2016 - INFO | running: ['/var/lib/cobbler/triggers/install/post/chef-key.sh', 'system', 'cobbler-test', '192.168.1.50'] Tue Nov 1 23:42:13 2016 - INFO | received on stdout: Tue Nov 1 23:42:13 2016 - DEBUG | received on stderr: ssh_exchange_identification: read: Connection reset by peer lost connection I inserted a sleep after the final post command and I could manually run the scp command fine while the system was still in the "running preseed" stage. [root@cobbler ~]# /var/lib/cobbler/triggers/install/post/chef-key.sh system cobbler-test 192.168.1.50 ... Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending ECDSA key in /root/.ssh/known_hosts:1 Password authentication is disabled to avoid man-in-the-middle attacks. Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks. chef.key 100% 1679 1.6KB/s 00:00 Thanks for your help! On Wed, Oct 26, 2016 at 6:51 PM, Orion Poplawski <orion(a)cora.nwra.com&gt; wrote: > On 10/25/2016 09:49 PM, Tyler Wilson wrote: > >> Hey All, >> >> New Cobbler user here. What is the best method of ensuring deployed >> nodes have sensitive keys (chef keys, ssh, etc) securely uploaded when >> completed? Am I able to send them securely from the cobbler host somehow? >> >> Thanks for any and all tips! >> > > I fire up sshd on my target system in %post: > > # Create temporary host key(s) > # EL7 > /usr/sbin/sshd-keygen > # Fedora > /usr/libexec/openssh/sshd-keygen rsa > # Start sshd so that we can copy over the ansible key in the cobbler > post trigger > /usr/sbin/sshd > > Then I have a cobbler install trigger copy the ssh key over: > > # cat /var/lib/cobbler/triggers/install/post/ansible_key > #!/bin/bash > [ "$1" = system ] && > /usr/bin/scp -i /root/.ssh/id_rsa_cobbler -o "StrictHostKeyChecking no" > -p /root/.ssh/id_rsa_ansible ${2}:/root/.ssh/id_rsa_ansible > > > I suppose someone could the activate the trigger directly and receive the > key, but this is the best that I was able to come up with. > > > -- > Orion Poplawski > Technical Manager 303-415-9701 x222 > NWRA/CoRA Division FAX: 303-415-9702 > 3380 Mitchell Lane orion(a)cora.nwra.com > Boulder, CO 80301 http://www.cora.nwra.com > > _______________________________________________ > cobbler mailing list -- cobbler(a)lists.fedorahosted.org > To unsubscribe send an email to cobbler-leave(a)lists.fedorahosted.org >