Ladies and Gentlemen of the Newsgroup,

I'm currently setting up a new infrastructure for a bunch of Unix boxes
(when finished, it'll be a mix of Debian Linux and AIX machines). This
is done by network booting the things and installing them with FAI or
NIM. The only user interaction I want on this is for me to tell the box
to go reinstall itself.

I've chosen LDAP/Samba/Winbind as my authentication method because that
way, both Unix and Windows can authenticate off the same server[1]. All
of my servers are/will be running Samba. Now when installing Samba,
there are two commands that need a password specified on the command
line if you are going to do them non-interactively:

# smbpasswd -w [topsecretpassword]
# net rpc join -U Administrator%[topsecretpassword]

Logging in on the things and typing the passwords by hand is out of the
question for a non-interactive installation. I may have to install
hundreds of the things, or the same machine hundreds of times. So
there's no escaping the fact that I'll need to put a password in a
plaintext file somewhere; suitably chmodded to 600 in a hidden
directory, deleted when no longer needed and so on. So how do I do
this? I can't just put the file on an NFS volume for all takers. At
this stage, the machine doesn't have any SSH trust set up. It isn't
even a known_host.

The best I can come up with at the moment is to have a Perl script on
the management/install server watch the output of faimond, and push out
the file using ssh at the appropriate moment. This setup would be
vulnerable to IP spoofing, but most things would be.

Undoubtedly, some of you have faced the same problem when installing
server farms. What are your thoughts on the subject?


[1] Of course, a True Redmondian AD server is still needed because
People Are Stupid, but Rome wasn't burnt in one day.
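
Added example, not part of the original post: a POSIX sh helper for the "mode 600 file, deleted when no longer needed" step, which hands the secret to a command on standard input so it never appears in the process argument list. The names secret_file_ok and with_secret are hypothetical, and it assumes the consuming command can read the password from stdin, which has to be checked against the installed Samba's man pages.

```shell
#!/bin/sh
# Added example: single-use install secret, kept out of argv.
# Usage: with_secret FILE CMD [ARGS...]
#   Feeds FILE to CMD on stdin, then removes FILE whether or not CMD succeeded.

# Succeeds only if $1 is a regular file, mode exactly 600, owned by the caller.
secret_file_ok() {
    f=$1
    [ -n "$f" ] || return 1
    # find does not follow a symlink named on its command line, so
    # "-type f" also rejects a symlink pointing at a valid secret file.
    match=$(find "$f" -prune -type f -perm 600 -user "$(id -u)" 2>/dev/null)
    [ "$match" = "$f" ]
}

with_secret() {
    f=$1
    shift
    if ! secret_file_ok "$f"; then
        # Leave a rejected file in place so the admin can inspect it.
        echo "refusing $f: need regular file, mode 600, uid $(id -u)" >&2
        return 2
    fi
    rc=0
    # The password travels over stdin; "ps" on the box shows only CMD and ARGS.
    "$@" < "$f" || rc=$?
    # Single use: remove the secret even when the command failed.
    # rm does not scrub disk blocks, so keep FILE on a RAM-backed filesystem.
    rm -f -- "$f"
    return "$rc"
}
```

A failed run also consumes the secret, so the install server has to push a fresh copy before a retry.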