use encryption+authentication during configuring clients?
Jan Bredereke
jan.bredereke at hs-bremen.de
Mon Sep 22 11:26:59 CEST 2014
Am 22.09.2014 schrieb Toomas Tamm:
> On Mon, 2014-09-22 at 09:35 +0200, Jan Bredereke wrote:
> > > > Thanks a lot. So the actual command is secured. In order to secure
> > > > the NFS mount one can use NFS 4 which supports Kerberos for
> > > > encryption and authentication.
> > > Theoretically yes. In practice, I'm not sure if 'fai -N softupdate' does
> > > support the 'sec=krb5p' option or if it allows fallback on this option
> > > if the NFS server requests it. A quick glance through the FAI man pages
> > > didn't reveal anything helpful in this regard.
> >
> > I just didn't find anything, either. So I don't know if I really
> > could use Kerberos underlying NFS in this way.
>
> One does not need to NFS-mount the configuration space. You can use
> other methods of delivering it to the host.
>
> In our installation, the configuration space is kept on a SVN server and
> is checked out in read-only mode at a svn+http:// URL. Our network is
> behind a firewall, so we use plain http, but https is also available,
> after the necessary initial password(s) have been transferred (via any
> of the means discussed earlier).
>
> Afterwards, during softupdates, FAI updates the configuration space from
> the SVN server automatically.
>
> Look at FAI documentation and the scripts /usr/lib/fai/get-config-dir-*
> for all the options available to get the config space, as well as the
> parameters (such as passwords and keys) needed for a secure transfer.
Your are right. Working from a local copy of the config space is
another option, and it answers the security demands nicely. I can
get the local copy in many ways, even plain rsync over ssh. As you
pointed out, the necessary keys/credentials must have been deployed
before.
Regards,
Jan
--
Prof. Dr. Jan Bredereke
Hochschule Bremen, Fak. 4, Flughafenallee 10, D-28199 Bremen.
More information about the linux-fai
mailing list