use encryption+authentication during configuring clients?

Jan Bredereke jan.bredereke at hs-bremen.de
Mon Sep 22 09:35:14 CEST 2014


Hi Robert,

> > Thanks a lot. So the actual command is secured. In order to secure
> > the NFS mount one can use NFS 4 which supports Kerberos for
> > encryption and authentication.
> Theoretically yes. In practice, I'm not sure if 'fai -N softupdate' does
> support the 'sec=krb5p' option or if it allows fallback on this option
> if the NFS server requests it. A quick glance through the FAI man pages
> didn't reveal anything helpful in this regard.

I just didn't find anything, either. So I don't know if I really
could use Kerberos underlying NFS in this way.

> Perhaps when establishing a Kerberos NFSv4 mount *before* running the
> fai softupdate would trick FAI into using the already established,
> secure connection? I'm not sure and it scales badly.

Maybe you could have a permanent NFSv4 mount and then set
FAI_CONFIG_SRC to some file://path URL? In this way, you would avoid
the costs of repeatedly setting up the secure connection. The server
would have to handle a large number of mounts, but most of them
would be silent most of the time.

> Regarding the deployment of crypto keys: Many people use FAI with
> Cfengine. FAI installs the base system and then Cfengine handles all the
> rest. Granted, the learning curve of Cfengine is steep, but it can do
> *everything* for you, leading to a complete hands-off configuration
> management - including the secure distribution of secrets, if done right
> (the Cfengine protocol is always encrypted btw.).

Yes. I know someone who uses FAI with Puppet in a similar way. (He
did not use CfEngine because he needed LDAP support, and that is
available in the commercial version of CfEngine only.)

Regards,
Jan

-- 
Prof. Dr. Jan Bredereke
Hochschule Bremen, Fak. 4, Flughafenallee 10, D-28199 Bremen.
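As an added example (not from this thread and not code from the FAI project), here is a shell sketch of the permanent-mount idea discussed above: the config space is mounted once over NFSv4 with sec=krb5p, and the client refuses to run the softupdate unless that mount is actually Kerberos-protected according to /proc/mounts. The server name faiserver.example.org, the export and mount point /srv/fai/config, and the fstab line are hypothetical; it assumes FAI_CONFIG_SRC=file:///srv/fai/config has been set in /etc/fai/fai.conf, and the /proc/mounts lines used for the offline check are constructed sample data.

```shell
#!/bin/sh
# Added example, not FAI project code. Gate 'fai -N softupdate' on the
# config space being served from a Kerberos-protected (sec=krb5p) NFSv4 mount.

CONFIG_MNT="/srv/fai/config"   # hypothetical mount point of the FAI config space

# Hypothetical /etc/fstab line for a permanent, read-only Kerberos NFSv4 mount.
# sec=krb5p requests authentication, integrity and privacy (encryption) for the
# NFS RPC traffic; sec=krb5 or sec=krb5i would leave the payload in the clear.
FSTAB_LINE="faiserver.example.org:/srv/fai/config $CONFIG_MNT nfs4 sec=krb5p,ro,_netdev 0 0"

# Constructed sample of /proc/mounts content, used for the offline check below.
# Only the first line represents a mount that should be accepted.
SAMPLE_MOUNTS='faiserver.example.org:/srv/fai/config /srv/fai/config nfs4 ro,relatime,vers=4.2,sec=krb5p,addr=192.0.2.10 0 0
faiserver.example.org:/srv/fai/plain /srv/fai/plain nfs4 ro,relatime,vers=4.2,sec=sys,addr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# secure_mount MOUNTS_TEXT MOUNTPOINT
# Returns 0 if MOUNTPOINT appears in MOUNTS_TEXT as an nfs4 mount whose option
# list contains exactly "sec=krb5p"; returns 1 for any other filesystem type,
# any other security flavour, or an unknown mount point.
secure_mount() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 == "nfs4" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "sec=krb5p") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# run_softupdate MOUNTPOINT
# Reads the live mount table and only then starts the softupdate, so a client
# whose NFS mount silently fell back to sec=sys never pulls an unprotected
# config space. Assumes FAI_CONFIG_SRC=file://MOUNTPOINT in /etc/fai/fai.conf.
run_softupdate() {
    if ! secure_mount "$(cat /proc/mounts)" "$1"; then
        echo "refusing softupdate: $1 is not an NFSv4 mount with sec=krb5p" >&2
        return 1
    fi
    fai -N softupdate
}

# Offline demonstration against the constructed sample (no fai invocation).
if secure_mount "$SAMPLE_MOUNTS" "$CONFIG_MNT"; then
    echo "sample: $CONFIG_MNT is a Kerberos-protected NFSv4 mount"
fi
```

The check looks at the mount as the kernel negotiated it rather than at the fstab entry, because an NFS client may be given a weaker flavour than requested if the server's export allows several; wire the fstab line into /etc/fstab on the clients and call run_softupdate from cron or from whatever triggers the softupdate today.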

