on sending a kerberos keytab to the client machine

Thomas Lange lange at informatik.uni-koeln.de
Mon Sep 24 18:58:25 CEST 2012


>>>>> On Mon, 3 Sep 2012 22:40:08 +0200, "Andreas B. Mundt" <andi.mundt at web.de> said:

    >   * Add the MAC addresses of all machines to be installed to
    >     dhcpd.conf.  You have to make sure that nobody in the network
    >     can fake a MAC address if you do that by some automatic means.

    > Did I miss something?
Yes. You _can_ fake MAC addresses easily :-(
I don't know how to prevent this. Maybe setting fixed MAC addresses on
every port of your switch. But this will be a lot of work, and some
(or maybe most) switches can be fooled by MAC address flooding.

IMO the only really secure way is to enter some secret on every
machine, for creating a secure and encrypted communication channel to
the install server. But even then, you have to trust the person
who enters the secret on every machine.

-- 
regards Thomas
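
An added example, not part of the original message and not FAI code: the per-machine secret idea from the reply above, with a hypothetical install server that releases a keytab only after an HMAC challenge-response and never consults the client's MAC address. The class and function names, the placeholder keytab bytes and the HMAC-SHA256 scheme are assumptions, and the exchange is assumed to run over an encrypted transport that is not shown.

```python
import hashlib
import hmac
import secrets


def client_proof(secret: bytes, nonce: bytes, hostname: str) -> bytes:
    """Client side: prove knowledge of the hand-entered secret for this challenge."""
    return hmac.new(secret, nonce + hostname.encode(), hashlib.sha256).digest()


class InstallServer:
    """Hypothetical install server; the MAC address is not an input to any decision."""

    def __init__(self) -> None:
        self._secrets: dict[str, bytes] = {}  # hostname -> enrollment secret
        self._nonces: dict[str, bytes] = {}   # hostname -> outstanding challenge

    def enroll(self, hostname: str) -> bytes:
        """Admin step: create the secret that a person enters on the client."""
        secret = secrets.token_bytes(32)
        self._secrets[hostname] = secret
        return secret

    def challenge(self, hostname: str) -> bytes:
        """Issue a fresh fixed-length nonce so an old proof cannot be replayed."""
        nonce = secrets.token_bytes(16)
        self._nonces[hostname] = nonce
        return nonce

    def release_keytab(self, hostname: str, proof: bytes):
        """Return the keytab bytes only for a valid proof, otherwise None."""
        secret = self._secrets.get(hostname)
        nonce = self._nonces.pop(hostname, None)  # every challenge is single use
        if secret is None or nonce is None:
            return None
        expected = client_proof(secret, nonce, hostname)
        if not hmac.compare_digest(expected, proof):  # constant-time comparison
            return None
        del self._secrets[hostname]  # one-time enrollment: secret is now spent
        return b"PLACEHOLDER-KEYTAB-" + hostname.encode()  # constructed sample value


if __name__ == "__main__":
    server = InstallServer()
    secret = server.enroll("client01")
    nonce = server.challenge("client01")
    print(server.release_keytab("client01", client_proof(secret, nonce, "client01")))
```

A machine that only copies another host's MAC address has no secret and gets nothing; the remaining trust is in whoever types the secret into the client, as the reply says.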

