use encryption+authentication during configuring clients?
Jan Bredereke
jan.bredereke at hs-bremen.de
Fri Sep 19 13:52:03 CEST 2014

Hi René,

Thanks for the quick response.

> >I am currently evaluating FAI and have a question which I could not
> >answer from the documentation:
> >
> >When I use FAI for configuring some (already installed) clients, can
> >I have the communication encrypted? And can I have authentication?
> >If the communication can run over Ssh, then the answer to both would
> >be "yes". But I did not find anything on how the actual low-level
> >communication is done during configuring a client.
>
> at least in my case yes to both
>
> I operate a FAI wheezy server with a bunch of wheezy workstations.
> For softupdates (which may contain some re-configurations), I
> connect to the workstations with ssh and start the softupdate with
> "fai -N softupdate".
> Then the config space is mounted from the server (nfs) and fai
> performs the necessary updates.
>
> => To automatize it, I have a perl-routine which starts a parallel
> softupdate on all hosts.
> The routine basically opens an ssh-session on each host and executes
> "fai -N softupdate".
> For the passwords, an "expect" template is used. I only have to
> enter the password at the beginning, then expect will automatically
> handle it for each parallel ssh-session.

Thanks a lot. So the actual command is secured. In order to secure
the NFS mount one can use NFS 4 which supports Kerberos for
encryption and authentication.

Did anyone actually try such a fully secured setup and can report here?

As for the initial installation process, I suppose it cannot be
secured fully. You would have to transfer the crypto keys to the
clients without using the network, i.e., manually. As far as I have
seen, FAI does not provide mechanisms for this.

Best regards,
Jan

--
Prof. Dr. Jan Bredereke
Hochschule Bremen, Fak. 4, Flughafenallee 10, D-28199 Bremen.
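
Added example, not part of the original mail or of FAI: a shell check that reads /proc/mounts-style lines and reports whether an NFS mount is only authenticated (sec=krb5), integrity-protected (sec=krb5i) or also encrypted (sec=krb5p). The host name, export path, mount point and function names are assumptions, and the sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample lines in /proc/mounts format:
# device mountpoint fstype options dump pass
SAMPLE_KRB5P='faiserver:/srv/fai/config /var/lib/fai/config nfs4 rw,vers=4.0,sec=krb5p 0 0'
SAMPLE_SYS='faiserver:/srv/fai/config /var/lib/fai/config nfs ro,vers=3,sec=sys 0 0'

# Classify the protection of one mount-table line.
nfs_sec_level() {
    line=$1
    set -f                          # no globbing while word-splitting
    set -- $line
    fstype=$3; opts=$4
    case $fstype in
        nfs|nfs4) ;;
        *) set +f; echo "not-nfs"; return 0 ;;
    esac
    sec=sys                         # AUTH_SYS is the default when sec= is absent
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in sec=*) sec=${o#sec=} ;; esac
    done
    IFS=$old_ifs; set +f
    case $sec in
        krb5p) echo "authenticated+encrypted" ;;   # Kerberos privacy
        krb5i) echo "authenticated+integrity" ;;   # signed, still readable on the wire
        krb5)  echo "authenticated-only" ;;        # payload unprotected
        *)     echo "unprotected" ;;               # sys, none, or unknown flavor
    esac
}

# Succeed only if MOUNTPOINT in MOUNTS_FILE is an NFS mount with sec=krb5p.
config_space_is_private() {
    mounts=$1; mnt=$2
    while IFS= read -r l; do
        set -f; set -- $l; set +f
        [ "$2" = "$mnt" ] || continue
        [ "$(nfs_sec_level "$l")" = "authenticated+encrypted" ] && return 0
        return 1
    done < "$mounts"
    return 1                        # mount point not found
}

nfs_sec_level "$SAMPLE_KRB5P"
nfs_sec_level "$SAMPLE_SYS"
```

On a live client the first argument of `config_space_is_private` would be `/proc/mounts`, checked while the config space is mounted.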