Transient secrets

Markus Köberl markus.koeberl at tugraz.at
Wed Jul 13 12:00:43 CEST 2022


On Thursday, 7 July 2022 08:12:54 CEST Diego Zuccato wrote:
> Hi all.
> 
> Is there a preferred way to pass a (different) secret to every host
> being installed?
> 
> Something to implement a workflow like:
> - admin asks Salt to (re)install a host
> - salt handles shutdown and switch reconfiguration (OT)
> - salt tells FAIserver to enable install of given host
> - FAI generates the secret and passes it back to Salt (or Salt generates
> the secret and passes it to FAI, as long as there's a shared secret)
> - the host boots via network and installs as usual, saving/using the
> given secret
> - FAI (or the reinstalled host) tells Salt reinstall is complete and
> Salt "cleans up" (reconfig switches & so on) (OT)
> 
> The only "solution" I could find is to save the secret in
> /srv/tftp/fai/pxelinux.cfg/C0A8xxyy in append line, like FAI_FLAGS,
> FAI_CONFIG_SRC and FAI_ACTION, but since append line can be at most 255
> chars there's not much space... It's good just for very small "secrets"
> (that get transferred in the clear, hence the need to reconfigure the
> switches).

I am asking at the beginning (with a script in `class` using dialog) for 
username and password for the salt api and save a cookie which I later use in 
a script to get the salt key for the host.

The relevant part in the cookie consists of 97 chars and base64 encoded it 
gets 134 chars, therefore it might still be too long. Maybe encrypt the cookie 
file and pass the password for decryption, which could be short enough. Or just 
make the time the cookie is valid very short.


regards
Markus Köberl
-- 
Markus Koeberl
Graz University of Technology
Signal Processing and Speech Communication Laboratory
E-mail: markus.koeberl at tugraz.at
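The "encrypt the cookie file, pass only a short decryption password" variant from the reply above, as an added example (not code from this thread, FAI or Salt): the long salt-api cookie stays in a file on the FAI server, the append line carries only a 16-char one-time passphrase, and the 255-char budget is checked. The parameter name COOKIE_PW, the sample FAI_FLAGS/FAI_ACTION values and the 97-byte cookie are constructed.

```python
"""Keep a long salt-api cookie off the 255-char PXE append line (assumed design)."""
import hashlib
import hmac
import secrets

APPEND_MAX = 255  # pxelinux append line limit mentioned in the thread


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt makes a short passphrase expensive to brute-force offline
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream; the key is fresh per
    # random salt, so the counter never repeats under one key
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(8, "big"), "sha256").digest()
        ctr += 1
    return out[:length]


def encrypt_cookie(cookie: bytes, passphrase: str) -> bytes:
    # Output layout: 16-byte salt | ciphertext | 32-byte HMAC tag (encrypt-then-MAC)
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(a ^ b for a, b in zip(cookie, _keystream(enc_key, len(cookie))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return salt + ct + tag


def decrypt_cookie(blob: bytes, passphrase: str) -> bytes:
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = derive_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("cookie file tampered with or wrong passphrase")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def new_passphrase(nbytes: int = 12) -> str:
    # 12 random bytes -> 16 URL-safe chars, far below the append-line budget
    return secrets.token_urlsafe(nbytes)


def append_line(passphrase: str, extra: str = "FAI_FLAGS=verbose,sshd FAI_ACTION=install") -> str:
    line = f"{extra} COOKIE_PW={passphrase}"  # COOKIE_PW is a constructed name
    if len(line) > APPEND_MAX:
        raise ValueError(f"append line is {len(line)} chars, limit is {APPEND_MAX}")
    return line
```

The installing host reads COOKIE_PW from the kernel command line, fetches the encrypted file and calls decrypt_cookie; because the passphrase is single-use and the cookie short-lived, the plaintext exposure on the append line is limited to the one install.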