Provide Support for Public Key/Authorized Keys-based Authentication When Password Seeding in Preseed is Undesirable

Bug #184108 reported by Matt T. Proud
Affects: network-console (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Colin Watson

Bug Description

Binary package hint: network-console

Hi,

I have a compelling use case that necessitates using the network-console during the install but requires that the method of authentication is done by public key/authorized keys instead of by means of passing a password to the machine in debconf preseeding.

Instead of taking a messy approach of writing in support in an early or late command, I have written a patch that adds this support to Debian-Installer.

Attached to this bug is a debdiff patch to the network-console source package that adds public key/authorized keys support to network-console.

If network-console is included in the Debian-Installer initrd, not a requirement for this patch's inclusion, it will create a menu item shortly after the network has been configured and ask for some additional authentication information. The debconf question priorities are reasonable, so little interference is to be expected; and again, this will only affect installers that have explicitly included the network-console udeb in Debian-Installer, which means only people who have manually rebuilt Debian-Installer.

The exact character of the changes is that an additional debconf question is asked that inquires if there is a URL from which to download a list of public keys that the network-console is to allow. The reason that I took this approach instead of merely providing a freetext debconf field is that this decouples the key from debconf, and it results in cleaner preseed files. Not only that, it allows the enterprising systems engineer to write an HTTP dispatcher that can dynamically determine which public keys the to-be-installed machine accepts.

This is probably most useful to systems administrators and engineers who are engaging in mass- and remote-deployment applications of Ubuntu server and workstation.

I have tested this out with the latest Debian-Installer, and everything appears to work as expected. I plan on submitting this upstream into Debian within the next few weeks. Since the code freeze for the Hardy Heron release is fast approaching, I am submitting this patch to Ubuntu first in hopes that it can be ushered in very quickly. I will be working with my friends involved with the Debian project to get this included in the near future to keep the amount of delta between the two projects low.

I have even included internationalization support in the new things that I have added.

Let me know if you have any questions. Let's do what we can to get this incorporated relatively quickly.

Cheers,

Matt

Matt T. Proud (matttproud-google) wrote :
Colin Watson (cjwatson) wrote :

I'd be happy to push this into Debian for you as part of reviewing it. For translation changes, this is actually the most convenient way for me to do it.

Changed in network-console:
assignee: nobody → kamion
importance: Undecided → Wishlist
status: New → Confirmed
Matt T. Proud (matttproud-google) wrote :

Certainly, Colin. That would be very helpful. Thank you very much!

Colin Watson (cjwatson) wrote :

d-i upstream is currently in a string freeze, so I think at the moment it is best to do this just in Ubuntu and simply omit internationalisation for the time being. I have queued this up in my Debian working tree for after the d-i beta release.

Some comments on your patch:

  * Please try to avoid changing tab widths, and stick with the tab width already used in the file you're editing. Changing everything from hard tabs to two-space tabs made the patch much harder to read.

  * On a similar note, I think it's best to omit automatic changes to .po files from patches, and simply include directions on how to reproduce them. They make the patch very large and hard to read. In the case of submitting patches to d-i, they should always be omitted since the d-i project has its own automatic systems for keeping .po files up to date and does not expect them to be touched by developers.

  * My inclination is that network-console/authorized_keys_url should not be asked at all, but simply provided for preseeding. (Thus, omit db_input and db_go, and just leave the db_get in there.) I can't really imagine the sorts of people who would want this stepping all the way through in expert mode, and your own description mentions preseeding rather than interactive use. Do you agree?

  * I made some trivial quoting changes, and adjusted the text of the retrieval failure error to make use of a common "see syslog"-type string in order to allow sharing translations with other parts of d-i.

  * ssh itself creates ~/.ssh as mode 0700; I don't think it actually matters much but I changed that from 0755. Conversely, it's perfectly fine for authorized_keys to be 0644. (None of this really makes a lot of difference in d-i, of course.)

  * The retrieval error message should have the URL substituted into it, and should actually be displayed using db_go. I think that network-console should also bail out if this error occurs, rather than continuing merrily along.

  * Preseed files are fetched using 'wget -q'; I think this should be the same.

I've attached the updated patch for your reference. The rest of it looks fine to me, and I'll upload this to Hardy shortly. Thanks a lot!
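The retrieval flow the two comments above converge on (URL taken from preseeding only, fetched with 'wget -q', ~/.ssh created 0700 and authorized_keys written 0644, and the whole thing bailing out with an error naming the URL when the download fails) is sketched here as an added example in POSIX sh. It is not the network-console package's own postinst or the attached debdiff. Assumptions: the preseed key is network-console/authorized_keys_url as named in the thread, the debconf calls are shown only as comments because debconf is not available outside the installer, the file:// branch and the "does this look like a key file" check are additions so the function can be exercised offline and not silently install an HTML error page as authorized_keys, and the error goes to stderr in place of a debconf error template.

```shell
#!/bin/sh
# Added example, not network-console's own code. Mirrors the design agreed
# in the bug: preseed-only URL, wget -q, 0700 dir, 0644 file, bail on error.

# fetch_url URL DEST: http(s)/ftp go through 'wget -q' like preseed files do.
# The file:// branch is a testing convenience (assumption, not in d-i).
fetch_url() {
    url=$1; dest=$2
    case "$url" in
        file://*)                   cp -- "${url#file://}" "$dest" 2>/dev/null ;;
        http://*|https://*|ftp://*) wget -q -O "$dest" -- "$url" ;;
        *)                          return 1 ;;
    esac
}

# install_authorized_keys URL HOMEDIR
# Empty URL: nothing was preseeded, so leave password authentication alone
# and return 0. Otherwise install HOMEDIR/.ssh/authorized_keys and return 0,
# or return 1 with no partial file left behind so the caller can stop.
install_authorized_keys() {
    url=$1; home=$2
    # In the installer the value would come from preseeding only, never asked:
    #   db_get network-console/authorized_keys_url && url=$RET
    if [ -z "$url" ]; then
        echo "network-console: no authorized_keys URL preseeded, skipping" >&2
        return 0
    fi

    tmp=$(mktemp) || return 1
    if ! fetch_url "$url" "$tmp"; then
        # Stands in for the debconf error template with the URL substituted
        # in and shown via db_go; the installer should stop here.
        echo "network-console: failed to retrieve authorized keys from $url; see syslog" >&2
        rm -f "$tmp"
        return 1
    fi

    # Added sanity check (assumption): a real key line carries a key type
    # followed by base64 starting with AAAA; an empty file or an HTML error
    # page would otherwise be installed and lock every key out.
    if ! grep -Eq '(^|[[:space:]])(ssh-[a-z0-9]+|ecdsa-[a-z0-9-]+) AAAA' "$tmp"; then
        echo "network-console: no usable public keys found at $url" >&2
        rm -f "$tmp"
        return 1
    fi

    # ssh's own conventions, as in the review: directory 0700, file 0644.
    if ! mkdir -p "$home/.ssh" || ! chmod 0700 "$home/.ssh"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$home/.ssh/authorized_keys" &&
        chmod 0644 "$home/.ssh/authorized_keys"
}
```

Usage would be a single call such as install_authorized_keys "$url" /root from the postinst, with the caller exiting non-zero when the function does, which is the "bail out rather than continuing merrily along" behaviour asked for in the review.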

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package network-console - 1.13ubuntu1

---------------
network-console (1.13ubuntu1) hardy; urgency=low

  [ Matt T. Proud ]
  * Add support for public-key authentication (LP: #184108).

 -- Colin Watson <email address hidden> Mon, 04 Feb 2008 15:20:56 +0000

Changed in network-console:
status: Confirmed → Fix Released