distributing keytab to install clients

Brian Kroth bpkroth at gmail.com
Thu Feb 16 23:00:23 CET 2012

There's a similar challenge with distributing cfengine keys securely.  
We did this by writing a simple SSL authenticated perl script attached to 
the network via inetd that the fai clients would use to phone home to 
the cfmaster server to get their keys.  I imagine you could do something 
similar with keytabs.  Or, have cfengine distribute them via encrypted 
copy rules.


Andreas B. Mundt <andi.mundt at web.de> 2012-02-16 22:54:
> Hi everybody!
> In my setup I would like to copy an indiviual kerberos keytab to the
> install clients during or at the end of the installation process. The
> keytab is needed to mount the kerberized home directories.  For
> security reasons, I do not want to keep all the keytabs in the
> nfsroot and pick the one for the corresponding client when installing.
> Right now, I scp the keytab manually after the installation, i.e. the
> client has to be 'activated' by copying the keytab.  Of course it
> would be nice to do that automatically within the installation
> process without exposing all keytabs.
> Any ideas how to do that best?
> Best regards,
>     Andi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: Digital signature
URL: <http://lists.uni-koeln.de/pipermail/linux-fai/attachments/20120216/c86c5a85/attachment.bin>

More information about the linux-fai mailing list