use encryption+authentication during configuring clients?
tt-fai at kky.ttu.ee
Mon Sep 22 10:58:31 CEST 2014
On Mon, 2014-09-22 at 09:35 +0200, Jan Bredereke wrote:
> Hi Robert,
> > > Thanks a lot. So the actual command is secured. In order to secure
> > > the NFS mount one can use NFS 4 which supports Kerberos for
> > > encryption and authentication.
> > Theoretically yes. In practice, I'm not sure if 'fai -N softupdate' does
> > support the 'sec=krb5p' option or if it allows fallback on this option
> > if the NFS server requests it. A quick glance through the FAI man pages
> > didn't reveal anything helpful in this regard.
> I just didn't find anything, either. So I don't know if I really
> could use Kerberos underlying NFS in this way.
One does not need to NFS-mount the configuration space. You can use
other methods of delivering it to the host.

In our installation, the configuration space is kept on an SVN server and
is checked out in read-only mode at a svn+http:// URL. Our network is
behind a firewall, so we use plain http, but https is also available,
after the necessary initial password(s) have been transferred (via any
of the means discussed earlier).

Afterwards, during softupdates, FAI updates the configuration space from
the SVN server automatically.

Look at the FAI documentation and the scripts /usr/lib/fai/get-config-dir-*
for all the options available to get the config space, as well as the
parameters (such as passwords and keys) needed for a secure transfer.