First of all you need to create a boot package (kernel + initrd.img) and include
the SSH private key directly in the initrd.img. For this reason, booting over PXE
is strongly discouraged in this case, because the kernel and initrd.img are not
encrypted during transmission to the clients with TFTP.
To create the boot package with BOEL run the following command:
# mkdir /tmp/boot-package
# si_mkbootpackage --destination /tmp/boot-package --kernel \
/usr/share/systemimager/boot/i386/standard/kernel --filesystem cramfs \
--ssh-key ~foo/.ssh/id_dsa --yes
Remember to replace i386 with the architecture of your clients to get the
correct kernel (e.g. x86_64).
Or if you want to use UYOK:
# mkdir /tmp/boot-package
# si_mkbootpackage --destination /tmp/boot-package --image YOUR_IMAGE \
--ssh-key ~foo/.ssh/id_dsa --yes
This command will create the boot package in /tmp/boot-package and it will
include the SSH private key of the user "foo" in the initrd.
To enable passwordless login for the user "foo" run the command:
$ cat ~foo/.ssh/id_dsa.pub >> ~foo/.ssh/authorized_keys
In a similar way you can also use the --ssh-key option with si_prepareclient on
your golden client. In this case you don't need to create the boot package on
your image server; simply use the kernel + initrd.img generated by
si_prepareclient.
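
A hardened variant of the two manual steps above, as an added example that is not part of SystemImager or of the original page: it appends the public key to authorized_keys only once, with the permissions sshd expects, and removes group/other access from the boot package because its initrd.img now contains the private key. The function names install_pubkey and lock_boot_package are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not shipped with SystemImager.

# Append the public key to authorized_keys only if that exact line is not
# already there, and set the permissions sshd's StrictModes check accepts.
install_pubkey() {
    pub=$1       # e.g. ~foo/.ssh/id_dsa.pub
    ssh_dir=$2   # e.g. ~foo/.ssh
    [ -s "$pub" ] || { echo "missing public key: $pub" >&2; return 1; }
    # A public key file holds a single line; read it even without a final newline.
    IFS= read -r key < "$pub" || [ -n "$key" ] || return 1
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    auth="$ssh_dir/authorized_keys"
    touch "$auth" && chmod 600 "$auth" || return 1
    # If the file does not end in a newline, add one so the new key is not
    # glued onto the previous entry.
    [ -z "$(tail -c1 "$auth")" ] || echo >> "$auth"
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# The initrd in the boot package embeds a private key, so nobody but the
# owner should be able to read it. Strip group/other bits, then verify.
lock_boot_package() {
    pkg=$1       # e.g. /tmp/boot-package
    [ -d "$pkg" ] || { echo "no such directory: $pkg" >&2; return 1; }
    chmod -R go-rwx "$pkg" || return 1
    # List anything that still has a group or other permission bit set.
    loose=$(find "$pkg" \( -perm -040 -o -perm -020 -o -perm -010 \
                        -o -perm -004 -o -perm -002 -o -perm -001 \))
    if [ -n "$loose" ]; then
        echo "still accessible to group/other:" >&2
        echo "$loose" >&2
        return 1
    fi
}

# Usage with the paths from the text above:
#   install_pubkey ~foo/.ssh/id_dsa.pub ~foo/.ssh
#   lock_boot_package /tmp/boot-package
```

Run lock_boot_package right after si_mkbootpackage, and again wherever the kernel and initrd.img are copied for booting.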