on sending a kerberos keytab to the client machine

Andreas B. Mundt andi.mundt at web.de
Mon Sep 3 22:40:08 CEST 2012


Hi,

from time to time it's necessary to distribute data securely to
clients from the FAI server.  This has been discussed before on this
list, cf. for example [1] and replies.

I would like to present and 'ask for comments' on a way I figured out
last week. Perhaps it is well known, but I did not hear/read something
like that before. I have implemented it in the Debian-LAN setup [2]
now, and so far it works fine.
The advantage of the approach:  All action is kind of 'one-way', from
the central server to the clients. The clients need no additional
permissions on the server.

The idea is the following:  First, allow root from the faiserver to
login on all clients via public key authentication.  The
implementation is straightforward:  Create an ssh key pair and copy
the public key into the /root/.ssh/allowed_keys file of the FAI config
space and fcopy it to all clients.  Furthermore, copy it to the
nfsroot, so you can access the machine during installation already.

Now, the question is how to trigger copying the credentials, in my
case a kerberos keytab.  To do that, I use a script which is executed
on every lease of a machine 'known' to the dhcpd, i.e. its MAC address
is present in dhcpd.conf.  The script first checks if the
corresponding keytab has been scp'd before; if this is the case, it
exits immediately.  If the keytab is unused, it tries to scp the
keytab periodically within a given time to the client machine.

With this setup, the workflow for installing machines is the following:

  * Add the MAC addresses of all machines to be installed to
    dhcpd.conf.  You have to make sure that nobody in the network
    can fake a MAC address if you do that by some automatic means.
  * Install the machines.  Make sure indeed all the machines that are
    in dhcpd.conf have been installed successfully and got their
    keytab.

That's it.  The nice thing about this method is that there is no need
to kind of 'activate' a machine more than once and copy kerberos
credentials 'by hand' after installation.  They are ready to use for
mounting their home directories with sec=krb5*.

The root access to clients may also be useful for other features, for
example to run a softupdate scheduled from the central server.

Did I miss something?

Best regards,

     Andi


[1] https://lists.uni-koeln.de/pipermail/linux-fai/2012-February/009552.html
[2] http://anonscm.debian.org/gitweb/?p=collab-maint/debian-lan.git;a=commitdiff;h=26195d508e65b22d0b1c4cbcae9c55d8e88ff169
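An added example of the lease-triggered script described in the post (not the Debian-LAN hook itself): it checks a per-host marker, retries the scp for a bounded time, and records delivery so later leases do nothing. The keytab directory, marker directory, key path and the hostname/IP arguments passed by dhcpd are assumptions.

```shell
#!/bin/sh
# Hypothetical lease hook (added example, not Debian-LAN's script): dhcpd is
# assumed to call it as  keytab-hook.sh <hostname> <ip>  for every lease of a
# host listed in dhcpd.conf.  It copies <host>.keytab to the client exactly once.

KEYTAB_DIR="${KEYTAB_DIR:-/var/lib/fai-keytabs}"   # assumed: one <host>.keytab per client
DONE_DIR="${DONE_DIR:-$KEYTAB_DIR/delivered}"      # assumed: one marker file per delivered host
SSH_KEY="${SSH_KEY:-/root/.ssh/id_faiserver}"      # assumed: private half of the key fcopy'd to clients
RETRY_SECONDS="${RETRY_SECONDS:-600}"               # the "given time" to keep trying after the lease
RETRY_INTERVAL="${RETRY_INTERVAL:-30}"

# The transfer itself, kept in one function so the logic can be exercised offline.
# BatchMode=yes refuses every interactive prompt, so the client's host key must
# already be in the server's known_hosts (e.g. the key shipped in the nfsroot).
copy_keytab() {  # copy_keytab <local keytab> <client ip>
    scp -q -p -o BatchMode=yes -o ConnectTimeout=10 -i "$SSH_KEY" \
        "$1" "root@$2:/etc/krb5.keytab"
}

# True if this host's keytab was delivered on an earlier lease.
keytab_delivered() {  # keytab_delivered <hostname>
    [ -f "$DONE_DIR/$1.delivered" ]
}

# deliver_keytab <hostname> <ip>
# Exit status: 0 delivered now or earlier, 2 no keytab prepared for this host,
# 1 client never became reachable within RETRY_SECONDS.
deliver_keytab() {
    host=$1; ip=$2
    keytab="$KEYTAB_DIR/$host.keytab"
    if keytab_delivered "$host"; then
        return 0                     # already sent: exit immediately, never resend
    fi
    [ -f "$keytab" ] || return 2
    mkdir -p "$DONE_DIR"
    deadline=$(( $(date +%s) + RETRY_SECONDS ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if copy_keytab "$keytab" "$ip"; then
            date +%s > "$DONE_DIR/$host.delivered"   # delivery time doubles as the marker
            return 0
        fi
        sleep "$RETRY_INTERVAL"      # client may still be installing; try again later
    done
    return 1
}

# Entry point for dhcpd; the retry loop may last minutes, so do not hold up dhcpd.
if [ $# -ge 2 ]; then
    deliver_keytab "$1" "$2" &
fi
```

The marker directory is the only state, so re-delivering to a reinstalled host means deleting its marker on the server, which keeps the "one-way" property the post describes.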

