use encryption+authentication during configuring clients?
robert at markula.org
Fri Sep 19 15:12:47 CEST 2014
> Thanks a lot. So the actual command is secured. In order to secure
> the NFS mount one can use NFS 4 which supports Kerberos for
> encryption and authentication.

Theoretically yes. In practice, I'm not sure if 'fai -N softupdate' does
support the 'sec=krb5p' option or if it allows fallback on this option
if the NFS server requests it. A quick glance through the FAI man pages
didn't reveal anything helpful in this regard.

Perhaps when establishing a Kerberos NFSv4 mount *before* running the
fai softupdate would trick FAI into using the already established,
secure connection? I'm not sure and it scales badly.

> Did anyone actually try such a fully secured setup and can report here?
> As for the initial installation process, I suppose it cannot be
> secured fully. You would have to transfer the crypto keys to the
> clients without using the network, i.e., manually. As far as I have
> seen, FAI does not provide mechanisms for this.

Right, you cannot secure the installation process. The TFTP protocol
specification does not allow that (aside from practical challenges),
and if using initramfs you are even stuck with NFSv3.

Regarding the deployment of crypto keys: Many people use FAI with
Cfengine. FAI installs the base system and then Cfengine handles all the
rest. Granted, the learning curve of Cfengine is steep, but it can do
*everything* for you, leading to a complete hands-off configuration
management - including the secure distribution of secrets, if done right
(the Cfengine protocol is always encrypted btw.).
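
An added example, not part of the original message and not FAI code: a check a client could run to see which security flavor its NFS mounts actually use, flagging everything that is not sec=krb5p (krb5 gives authentication only, krb5i adds integrity, krb5p adds encryption). It assumes a Linux client whose /proc/mounts lists the sec= option; the server name, export paths and addresses in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit NFS mounts for their security flavor.
# Input uses the /proc/mounts layout: device mountpoint fstype options dump pass

# Constructed sample data (hypothetical server, paths and addresses).
sample_mounts() {
    cat <<'EOF'
server.example:/export/config /mnt/config nfs4 rw,relatime,vers=4.1,sec=krb5p,clientaddr=192.0.2.10 0 0
server.example:/export/nfsroot /mnt/nfsroot nfs ro,relatime,vers=3,sec=sys,addr=192.0.2.1 0 0
server.example:/export/home /mnt/home nfs4 rw,vers=4.1,sec=krb5i 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
}

# nfs_sec_audit [FILE|-]
# Prints "<mountpoint> <fstype> <flavor> <OK|WEAK>" for every NFS mount.
# Exit status: 0 = all NFS mounts use sec=krb5p, 1 = at least one does not,
#              2 = no NFS mount found in the input.
nfs_sec_audit() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        flavor = "unset"                      # no sec= option listed at all
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^sec=/) flavor = substr(opts[i], 5)
        verdict = (flavor == "krb5p") ? "OK" : "WEAK"
        if (verdict == "WEAK") weak = 1
        seen = 1
        print $2, $3, flavor, verdict
    }
    END {
        if (!seen) exit 2
        exit (weak ? 1 : 0)
    }
    ' "${1:-/proc/mounts}"
}

# Demo on the constructed sample; on a real client call nfs_sec_audit with no argument.
sample_mounts | nfs_sec_audit - || echo "not every NFS mount uses sec=krb5p (status $?)"
```

Run after the mount is established and before the update starts, a non-zero status shows that the mount did not end up with the krb5p flavor.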