use encryption+authentication during configuring clients?

Jan Bredereke jan.bredereke at
Mon Sep 22 09:35:14 CEST 2014

Hi Robert,

> > Thanks a lot. So the actual command is secured. In order to secure
> > the NFS mount one can use NFS 4 which supports Kerberos for
> > encryption and authentication.
> Theoretically yes. In practice, I'm not sure if 'fai -N softupdate' does
> support the 'sec=krb5p' option or if it allows fallback on this option
> if the NFS server requests it. A quick glance through the FAI man pages
> didn't reveal anything helpful in this regard.

I just didn't find anything, either. So I don't know if I really
could use Kerberos underlying NFS in this way.

> Perhaps when establishing a Kerberos NFSv4 mount *before* running the
> fai softupdate would trick FAI into using the already established,
> secure connection? I'm not sure and it scales badly.

Maybe you could have a permanent NFSv4 mount, and then set
FAI_CONFIG_SRC to some file://path URL? In this way, you would avoid
the costs of repeatedly setting up the secure connection. The server
would have to handle a large number of mounts, but most of them
would be silent most of the time.

> Regarding the deployment of crypto keys: Many people use FAI with
> Cfengine. FAI installs the base system and then Cfengine handles all the
> rest. Granted, the learning curve of Cfengine is steep, but it can do
> *everything* for you, leading to a complete hands-off configuration
> management - including the secure distribution of secrets, if done right
> (the Cfengine protocol is always encrypted btw.).

Yes. I know someone who uses FAI with Puppet in a similar way. (He
did not use CfEngine because he needed LDAP support, and that is
available in the commercial version of CfEngine only.)


Prof. Dr. Jan Bredereke
Hochschule Bremen, Fak. 4, Flughafenallee 10, D-28199 Bremen.
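The permanent-mount idea above, worked through as an added example (this is not code from the thread, the FAI project, or its authors). It assumes a hypothetical server nfs.example.org exporting the config space at /srv/fai/config, mounted at the same path on the client with `sec=krb5p`, and a FAI_CONFIG_SRC of the form `file:///srv/fai/config`. The check refuses to run the softupdate unless the live mount table actually shows a krb5p NFSv4 mount at that path, so a silent fallback to `sec=sys` or a plain krb5 mount is caught before the config space is read:

```shell
#!/bin/sh
# Added example, not from the thread or the FAI project.
# Assumed names: nfs.example.org, /srv/fai/config (hypothetical).

CONFIG_MOUNT=/srv/fai/config
NFS_EXPORT="nfs.example.org:/srv/fai/config"

# One permanent NFSv4 mount with Kerberos privacy. sec=krb5p gives
# authentication, integrity and encryption of the NFS traffic.
# Equivalent /etc/fstab line (assumed layout):
#   nfs.example.org:/srv/fai/config  /srv/fai/config  nfs4  sec=krb5p,_netdev  0 0
mount_config_space() {
    mount -t nfs4 -o sec=krb5p "$NFS_EXPORT" "$CONFIG_MOUNT"
}

# Inspect one /proc/mounts line (fields: source mountpoint fstype options ...).
# Return 0 only for an nfs4 mount of $1 whose options carry sec=krb5p;
# weaker flavours (sec=sys, sec=krb5, sec=krb5i) are rejected.
mount_line_is_krb5p() {
    mountpoint=$1
    line=$2
    set -- $line
    [ "$2" = "$mountpoint" ] || return 1
    [ "$3" = "nfs4" ] || return 1
    case ",$4," in
        *,sec=krb5p,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan the live mount table for a krb5p-secured NFSv4 mount at $1.
config_space_is_secure() {
    while IFS= read -r line; do
        mount_line_is_krb5p "$1" "$line" && return 0
    done < /proc/mounts
    return 1
}

# Run the softupdate only from the verified, already-mounted config space,
# pointing FAI at it with a file:// URL so no new NFS session is set up.
run_softupdate() {
    config_space_is_secure "$CONFIG_MOUNT" || {
        echo "refusing: $CONFIG_MOUNT is not a sec=krb5p NFSv4 mount" >&2
        return 1
    }
    FAI_CONFIG_SRC="file://$CONFIG_MOUNT" fai -N softupdate
}
```

Usage: `mount_config_space` once at boot (or via the fstab line in the comment), then `run_softupdate` from cron or a wrapper; the check reads the kernel's own view of the mount rather than trusting the fstab entry, which is what matters if the server's export security changes underneath you.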
