distributing keytab to install clients

Russ Allbery rra at debian.org
Thu Feb 16 23:09:38 CET 2012


"Andreas B. Mundt" <andi.mundt at web.de> writes:

> Right now, I scp the keytab manually after the installation, i.e. the
> client has to be 'activated' by copying the keytab.  Of course it would
> be nice to do that automatically within the installation process without
> exposing all keytabs.

> Any ideas how to do that best?

You want some sort of initial leap-of-faith authentication of a newly
built system, probably based on IP address, that lets it authenticate to a
service that provides the keytab.

Several of us in the Kerberos community have been kicking around ways to
do this for a while.  The best plan that I've heard (from Nico Williams)
is to provide a keying service, either via kadmind or some front-end to
it, that allows anonymous PKINIT to do a one-time download of a key and
then locks out any subsequent anonymous authentication.  But this is all
still design-phase and there isn't a working system so far as I know.

I think what I'd do as a short-term solution is to install an ssh private
key on the newly built system that lets you authenticate to an account on
the system with the keytabs, limited to running a particular command.
That command can check the IP address that's connecting, map that to the
appropriate keytab, and then cat the keytab to stdout, marking it as
having been installed so that this step can't be done more than once
without an intervening system build.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
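The short-term scheme described in the reply above (a restricted ssh key, a forced command that maps the connecting address to a keytab, emits it once and records the handout) could be implemented with a small POSIX shell script like the one below. This is an added example, not code from the post or from any project; the keytab directory layout (`/srv/keytabs/<ip>.keytab`), the marker directory and the `authorized_keys` line are assumptions made here for illustration.

```shell
#!/bin/sh
# Forced command for a keytab-handout account (added example; layout is assumed).
# Assumed authorized_keys entry for the key baked into the freshly built client:
#   command="/usr/local/sbin/handout-keytab",from="10.0.0.0/24",no-pty,\
#   no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA... install-key
# sshd sets SSH_CONNECTION="client_ip client_port server_ip server_port"; only that
# value is trusted for the client address, never anything the client sends as a command.

KEYTAB_DIR="${KEYTAB_DIR:-/srv/keytabs}"         # assumed: one <ip>.keytab per client
STATE_DIR="${STATE_DIR:-/srv/keytabs/issued}"    # assumed: one marker per handed-out keytab

# client_ip: first field of an SSH_CONNECTION-style string.
client_ip() {
    set -- $1
    printf '%s\n' "$1"
}

# keytab_for_ip: map a client address to its keytab path. Anything that is not
# digits and dots is rejected, so a hostile value cannot become a path component.
keytab_for_ip() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$1"
}

# handout_keytab: write the keytab for $1 to stdout exactly once. The "issued"
# marker is created with mkdir, which is atomic, so two concurrent connections
# from the same address cannot both succeed. Clearing the marker is a manual
# step that belongs with rebuilding the system.
handout_keytab() {
    kt=$(keytab_for_ip "$1") || { echo "refusing malformed client address" >&2; return 2; }
    [ -f "$kt" ] || { echo "no keytab registered for $1" >&2; return 3; }
    marker="$STATE_DIR/$1.issued"
    if ! mkdir "$marker" 2>/dev/null; then
        echo "keytab for $1 already issued; rebuild the host before requesting again" >&2
        return 4
    fi
    date -u +%Y-%m-%dT%H:%M:%SZ > "$marker/when"   # audit trail of when it was handed out
    cat "$kt"
}

# When invoked by sshd as a forced command, SSH_CONNECTION is set; serve the caller.
if [ -n "${SSH_CONNECTION:-}" ]; then
    handout_keytab "$(client_ip "$SSH_CONNECTION")"
fi
```

On the client side the install hook would run something like `ssh -i /root/.ssh/install-key keytabs@keyserver > /etc/krb5.keytab` and then delete the install key; on the server, the marker directory doubles as the log of which hosts have already collected their credentials.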
