[Beowulf] RE:small distro for PXE boot, autostarts sshd?

Mark Hahn hahn at mcmaster.ca
Fri Feb 27 15:59:23 PST 2009


>> The only remaining complication, and it is a minor one, is that since
>> the remote system has a new set of keys each time it boots, on the
>> client one must delete the previous key or it won't connect because it
>> thinks it sees a man in the middle attack.

-ostricthostkeychecking=no or simply use ssh-keygen -R

> Depending on your circumstances, instead of regenerating the system keys,
> you could put the system keys into the boel load so they never change.

definitely.  I've never heard of any scenario where using the same 
hostkey for multiple hosts was a serious risk.  obviously it matters 
more if you use shosts.equiv, and possibly if the network is spoofable.

> You could also put your public key into boel and change the config to:
>  PermitEmptyPasswords no
>  PasswordAuthentication no
> to ensure you and only you get to log in...

well, having staff pubkeys in the rescue net-boot image seems like 
a bit of a headache.  I suppose the build-net-boot-image script could
fetch them from ~root/.ssh/authorized_keys.

I feel a lot safer when I very rarely need to type a password.
(it does mean being mindful of which hosts are doing agent-forwarding.)
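
The shell function below is an added example, not code from this thread. It shows how a net-boot image build script could apply the suggestions above: copy admin public keys into the image, force key-only login in sshd_config, and optionally bake in fixed host keys so clients' known_hosts entries stay valid. The name `stage_ssh_overlay`, its arguments and the image layout are assumptions.

```shell
#!/bin/sh
# Added example; stage_ssh_overlay and the image layout are hypothetical.
# usage: stage_ssh_overlay AUTHORIZED_KEYS IMAGE_ROOT [HOST_KEY_DIR]
stage_ssh_overlay() {
    src_keys=$1; image_root=$2; host_keys=${3:-}
    ssh_dir="$image_root/root/.ssh"
    cfg="$image_root/etc/ssh/sshd_config"

    [ -r "$src_keys" ] || { echo "cannot read $src_keys" >&2; return 1; }
    mkdir -p "$ssh_dir" "$image_root/etc/ssh" || return 1

    # Copy only key lines; drop comments and blank lines.
    grep -Ev '^[[:space:]]*(#|$)' "$src_keys" > "$ssh_dir/authorized_keys" || true
    # Refuse to build an image that nobody could log in to.
    [ -s "$ssh_dir/authorized_keys" ] || { echo "no keys in $src_keys" >&2; return 1; }
    # sshd ignores key files with loose permissions under StrictModes.
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$ssh_dir/authorized_keys" || return 1

    # sshd keeps the first value it reads for a keyword, so strip any
    # existing settings before appending the ones quoted in the thread.
    touch "$cfg"
    grep -Eiv '^[[:space:]]*(PermitEmptyPasswords|PasswordAuthentication)[[:space:]=]' \
        "$cfg" > "$cfg.new" || true
    printf '%s\n' 'PermitEmptyPasswords no' 'PasswordAuthentication no' >> "$cfg.new"
    mv "$cfg.new" "$cfg" || return 1

    # Optional: fixed host keys, so the key does not change on every boot.
    if [ -n "$host_keys" ]; then
        cp "$host_keys"/ssh_host_*_key "$host_keys"/ssh_host_*_key.pub \
            "$image_root/etc/ssh/" || return 1
        chmod 600 "$image_root"/etc/ssh/ssh_host_*_key || return 1
    fi
}

# Run directly: ./stage.sh ~root/.ssh/authorized_keys /path/to/image-root
if [ "$#" -ge 2 ]; then stage_ssh_overlay "$@"; fi
```

Anyone who can read the image can read a baked-in private host key, so the image itself needs the same protection as the key.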