on sending a kerberos keytab to the client machine

Michał Dwużnik michal.dwuznik at gmail.com
Tue Sep 25 17:49:00 CEST 2012


On Tue, Sep 25, 2012 at 4:41 PM, David Magda <dmagda at ee.ryerson.ca> wrote:

> On Tue, September 25, 2012 03:02, Toomas Tamm wrote:
>
> > Getting all this data into machine-readable form and onto your FAI
> > server may well involve a lot more manual labour than typing a unique
> > secret into each machine at install time...
> [...]
>
> Depending on your hardware vendor, it may be possible to get a spreadsheet
> of serial numbers, which could then be accessed during installation via
> dmidecode.
>
>
My point exactly -> the list of _some_ usable 'UUIDs' comes with the
shipping documents -> no matter whether it's MAC list, component serials,
service tags, asset tags, whatever vendors call it.

It's next to trivial (putting aside 'physical security') to unplug a real
client, plug whatever HW with a prepared virtual machine with real client's
MAC.
Compared to that, fooling dmidecode/smartctl running on a 'swapped' client
to return values consistent with real client is, as far as I know, mighty
nontrivial (given the live system booted from elsewhere via PXE).

Does anyone have any idea on how I would prepare e.g. a virtual machine
pretending to have a disk with S/N of xxxxyyyy?[1]

For the sake of security _and_ easy 'fingerprint' data collection I would
think of a combination of vendor S/N (fine for 'major vendors') with
lsusb/lspci answer ('list of devices identical to known good station' is
pretty good for 'it's a legit station').
The former is obtainable from shipping list/barcodes, the latter from the
first tried machine of the batch of identical ones delivered.

Regards
Michal


PS: Sorry if I'm too tied to 'those are machines for the new lab' scenario...
[1] Though I do still remember the ways of fooling the license server of
$BIGCOMPANY software with $BIGNUM pricetag on Solaris and HPUX using
theoretically immutable 'hostids'. Hardware failures don't play well with
'ok, you need to move your license server, this will take up to three
months, wait for new license files'
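
The combination proposed in the message above (vendor serial from the shipping list, plus a device list matched against the first machine of the batch), sketched as an added example that is not part of the original post. The inventory format, serial numbers and PCI IDs are constructed, and `device_profile` / `check_station` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. All serials and PCI IDs below are constructed sample data.

# Reduce `lspci -n` output (stdin) to a sorted, comma-joined list of
# vendor:device IDs, so slot order and revision numbers do not affect the match.
device_profile() {
    awk '$3 ~ /^[0-9a-f]+:[0-9a-f]+$/ {print $3}' | sort | paste -sd, -
}

# Inventory typed in from the shipping documents: "<serial> <batch>" per line.
INVENTORY='SN-CONSTRUCTED-0001 lab2012
SN-CONSTRUCTED-0002 lab2012'

# `lspci -n` capture from the first machine of the batch (the known good station).
GOLDEN_LSPCI='00:00.0 0600: 8086:0100 (rev 09)
00:02.0 0300: 8086:0102 (rev 09)
00:19.0 0200: 8086:1502 (rev 04)
00:1f.2 0106: 8086:1c02 (rev 04)'

# check_station SERIAL LSPCI_TEXT
# Prints a verdict; returns 0 only if the serial is in the inventory AND the
# reported device list is identical to the reference machine's.
check_station() {
    serial=$1
    reported=$2
    if [ -z "$serial" ]; then echo "reject: no serial reported"; return 1; fi
    # Whole-field comparison, so a substring of a real serial does not match.
    batch=$(printf '%s\n' "$INVENTORY" | awk -v s="$serial" '$1 == s {print $2; exit}')
    if [ -z "$batch" ]; then echo "reject: unknown serial"; return 1; fi
    want=$(printf '%s\n' "$GOLDEN_LSPCI" | device_profile)
    got=$(printf '%s\n' "$reported" | device_profile)
    if [ "$got" != "$want" ]; then
        echo "reject: device list differs from $batch reference"
        return 1
    fi
    echo "accept: $serial ($batch)"
}

# On an install client the two inputs would come from:
#   dmidecode -s system-serial-number
#   lspci -n
check_station SN-CONSTRUCTED-0001 "$GOLDEN_LSPCI"
```
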