On Tue, Sep 3, 2013 at 4:50 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 09/03/2013 04:21 AM, Innes, Duncan wrote:
>> Hi folks,
>>
>> I've got a question about kickstart enrollment with a one-time password. Namely, is there any way that it can be done *without* the one-time password? We're comfortable with the pre-creation of the host in IPA, but just wonder if there's a way to enrol without the one-time password.
>>
>> The estate is Red Hat (mostly 6) and we deploy systems via kickstart from the Satellite. Can the Satellite push out a certificate from the IPA system that would allow the client to enrol without the OTP? Our enrollment script runs as part of the kickstart postinstall with the OTP effectively sitting in plain text in the script. Removing the OTP would remove the plain text authentication from this script, but I may be opening other security holes as a result.
>
> Hello,
>
> There have been 3 ways in which the host can be enrolled:
> a) High level admin using his credential (no need to have a pre-created host)
> b) Lower level admin using his credential (requires a pre-created host)
> c) OTP based (requires a pre-created host)
>
> All provisioning methods that use static kickstart files would have to have something injected into the kickstart. OTP is the safest and, if leaked, can be used only to provision this specific system. The fact that the OTP was stolen can be detected easily by having a failed enrollment of the valid system combined with IPA logs indicating that there was a successful enrollment of a new host with the same name. The fact that the intruder was able to join a machine into the IPA domain does not escalate his privileges against other systems, and since it can be easily caught it is a risk but not a huge one.
>
> The right approach of course is not to have the OTP stored in the kickstart but rather parameterized in some way. In Satellite 6 (that we are looking at) this will be done via Foreman and its smart proxies. The design is not polished yet but we hope that we would be able to limit the exposure of the OTPs there.
>
> Also a new provisioning method has been added in FreeIPA 3.2, mostly for re-provisioning: the ability to provision if you already have a keytab. This method will be sort of equivalent to what you are asking with a cert. But instead of the cert you would need to get the keytab first by creating a host and then using the ipa-getkeytab command and passing the keytab to the kickstart. That can be done now and would address the issue you are concerned about.

Hi Dmitri (or anyone who knows),
Is there any way, except for waiting for RHEL 6.5, to get FreeIPA 3.2+ running in production? Really keen to get the re-provisioning functionality up and running but don't want to run it on Fedora. Also, can you generate a keytab with ipa-getkeytab before you enrol a host, possibly when you add a host to the ipa-server for the first time? Or is the pattern to provision with the OTP first, then back up the keytab and provision with the keytab after?

Thanks,
Charlie

> HTH
>
> Thanks,
> Dmitri
>
>> Cheers
>>
>> Duncan Innes
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
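As an added example (not part of the thread or of FreeIPA itself), the check Dmitri describes for a leaked kickstart OTP: a successful enrollment under a host name followed by a failed enrollment of the legitimate system under the same name. The event records, their field layout and the host names are constructed for illustration and are not the real IPA or KDC log format.

```python
"""Flag host names whose OTP enrollment succeeded and then failed.

Added example. Each event is a constructed (timestamp, hostname, outcome)
triple, where outcome is "success" or "failure" for an OTP enrollment
attempt; a real deployment would parse these out of the IPA server logs.
"""
from collections import defaultdict

# Constructed sample events, not taken from any real system.
SAMPLE_EVENTS = [
    ("2013-09-03T08:00:01", "web01.example.test", "success"),
    ("2013-09-03T08:12:40", "web01.example.test", "failure"),  # real build rejected
    ("2013-09-03T08:05:00", "db01.example.test", "failure"),   # mistyped OTP, retried
    ("2013-09-03T08:06:30", "db01.example.test", "success"),
    ("2013-09-03T09:00:00", "app02.example.test", "success"),
]


def find_suspect_hosts(events):
    """Return {hostname: {"enrolled_at": ts, "rejected_at": [ts, ...]}}.

    An OTP is single-use, so once some machine has consumed it the expected
    system's own attempt fails. A success followed by later failures for the
    same name is therefore the pattern worth triaging; a failure that
    precedes the success (a retry) is normal and is not reported.
    """
    by_host = defaultdict(list)
    for ts, host, outcome in sorted(events):  # ISO timestamps sort as strings
        by_host[host].append((ts, outcome))

    suspects = {}
    for host, attempts in by_host.items():
        outcomes = [o for _, o in attempts]
        if "success" not in outcomes:
            continue
        first_ok = outcomes.index("success")
        later_failures = [ts for ts, o in attempts[first_ok + 1:] if o == "failure"]
        if later_failures:
            suspects[host] = {"enrolled_at": attempts[first_ok][0],
                              "rejected_at": later_failures}
    return suspects


if __name__ == "__main__":
    for host, info in find_suspect_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: enrolled {info['enrolled_at']}, "
              f"later rejected at {', '.join(info['rejected_at'])}")
```

A hit still needs triage against the provisioning records (for example a kickstart that was simply re-run), but the pattern is what distinguishes a consumed OTP from an ordinary mistyped one.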