On 09/28/2013 12:24 PM, Charlie Derwent wrote:
>
> On Tue, Sep 3, 2013 at 4:50 PM, Dmitri Pal <d...@redhat.com> wrote:
>
>     On 09/03/2013 04:21 AM, Innes, Duncan wrote:
>> Hi folks,
>>
>> I've got a question about kickstart enrollment with a one-time
>> password. Namely, is there any way that it can be done *without*
>> the one-time password? We're comfortable with the pre-creation
>> of the host in IPA, but just wonder if there's a way to enrol
>> without the one-time password.
>>
>> The estate is Red Hat (mostly 6) and we deploy systems via
>> kickstart from the Satellite. Can the Satellite push out a
>> certificate from the IPA system that would allow a client to enrol
>> without the OTP? Our enrollment script runs as part of the
>> kickstart postinstall with the OTP effectively sitting in plain
>> text in the script. Removing the OTP would remove the plain text
>> authentication from this script, but I may be opening other
>> security holes as a result.
>>
>     Hello,
>
>     There are 3 ways in which a host can be enrolled:
>     a) A high-level admin using his credential (no need to have a
>        pre-created host)
>     b) A lower-level admin using his credential (requires a
>        pre-created host)
>     c) OTP based (requires a pre-created host)
>
>     All provisioning methods that use static kickstart files would
>     have to have something injected into the kickstart. OTP is the
>     safest, and if leaked can be used only to provision this specific
>     system. The fact that an OTP was stolen can be detected easily by
>     having a failed enrollment of the valid system combined with IPA
>     logs indicating that there was a successful enrollment of a new
>     host with the same name. The fact that an intruder was able to
>     join a machine into the IPA domain does not escalate his
>     privileges against other systems, and since it can be easily
>     caught it is a risk but not a huge one.
>
>     The right approach of course is not to have the OTP stored in the
>     kickstart but rather parameterized in some way. In Satellite 6
>     (which we are looking at) this will be done via Foreman and its
>     smart proxies. The design is not polished yet, but we hope that we
>     would be able to limit the exposure of the OTPs there.
>
>     Also, a new provisioning method has been added in FreeIPA 3.2,
>     mostly for re-provisioning: the ability to provision if you already
>     have a keytab. This method will be sort of equivalent to what you
>     are asking for with a cert. But instead of the cert you would need
>     to get the keytab first, by creating a host and then using the
>     ipa-getkeytab command, and pass the keytab to the kickstart. That
>     can be done now and would address the issue you are concerned
>     about.
>
> Hi Dmitri (or anyone who knows),
>
> Is there any way, except for waiting for RHEL 6.5, to get FreeIPA 3.2+
> running in production? Really keen to get the re-provisioning
> functionality up and running, but don't want to run it on Fedora. Also,
> can you generate a keytab with ipa-getkeytab before you enrol a host,
> possibly when you add a host to the ipa-server for the first time? Or
> is the pattern provision with OTP first, then back up the keytab and
> provision with the keytab after?
Sorry, I am a bit behind with the e-mails.

1) 3.2 is in RHEL 7, not 6.5.
2) If you need it earlier, you/we would have to backport, but you need to go
via "official" channels for this to happen in RHEL.
3) AFAIR one should be able to add a host and then use ipa-getkeytab for it,
deliver the keytab to the host and use it for enrollment. This should work.
If not, IMO it is a bug.

But I am not sure why you need it. The flow is the same as with OTP but more
complex permissions-wise. I mean, getting an OTP is simple, you can get it as
part of the host add, while getting a keytab requires a separate call and the
privileges to actually get the keytab for the host.

>
> Thanks,
> Charlie
>
>     HTH
>
>     Thanks,
>     Dmitri
>
>> Cheers
>>
>> Duncan Innes

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
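The two provisioning paths discussed in this thread (pre-created host plus OTP, and pre-created host plus keytab obtained with ipa-getkeytab and passed into the kickstart), as an added example script; this is not code from the thread, from Red Hat Satellite or from FreeIPA itself. It assumes the machine it runs on holds an admin ticket (or a user with the "Manage host keytab" permission), has the ipa, ipa-getkeytab and base64 commands on PATH, and that the clients run FreeIPA 3.2+ so that ipa-client-install accepts --keytab. The server, domain and realm names (ipa.example.com, example.com, EXAMPLE.COM), the host names, and the function names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the freeipa-users thread or FreeIPA). Pre-creates a
# host in IPA and hands the client either (a) a one-time password or (b) a
# keytab, then renders the kickstart %post fragment that consumes it.
# Assumptions: admin ticket or "Manage host keytab" permission; ipa,
# ipa-getkeytab and base64 on PATH; FreeIPA 3.2+ on the client for --keytab.

IPA="${IPA:-ipa}"                                # command names are overridable
IPA_GETKEYTAB="${IPA_GETKEYTAB:-ipa-getkeytab}"  # so the script can be dry-run
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"      # placeholder server name
DOMAIN="${DOMAIN:-example.com}"                  # placeholder DNS domain
REALM="${REALM:-EXAMPLE.COM}"                    # placeholder Kerberos realm

# Has this host already been enrolled? `ipa host-show` reports "Keytab: True"
# once a keytab has been issued for it. Check before handing out an OTP, and
# again after a kickstart whose enrollment failed: "Keytab: True" on a host
# that never finished its own enrollment is the stolen-OTP signal described
# in the thread.
host_enrolled() {
    "$IPA" host-show "$1" 2>/dev/null | grep -q 'Keytab: True'
}

# (a) OTP flow: create the host with a random password and print the OTP.
# `ipa host-add --random` prints a "Random password:" line on success.
host_add_with_otp() {
    "$IPA" host-add "$1" --random | sed -n 's/^ *Random password: *//p'
}

# (b) Keytab flow: create the host, then fetch a keytab for host/<fqdn>.
# Caveat from the ipa-getkeytab man page: retrieving a keytab re-keys the
# principal, so every keytab previously issued for this host stops working.
host_add_with_keytab() {
    fqdn="$1"; out="$2"
    "$IPA" host-add "$fqdn" >/dev/null &&
        "$IPA_GETKEYTAB" -s "$IPA_SERVER" -p "host/$fqdn@$REALM" -k "$out"
}

# %post fragment for (a). The OTP is consumed by the first successful
# enrollment; a second use fails, which is what makes a leak detectable.
render_post_otp() {
    fqdn="$1"; otp="$2"
    cat <<EOF
%post --log=/root/ipa-enroll.log
ipa-client-install --unattended --hostname=$fqdn --password='$otp' \\
    --server=$IPA_SERVER --domain=$DOMAIN --realm=$REALM
%end
EOF
}

# %post fragment for (b). The keytab is base64-encoded so it survives as text
# inside the kickstart; it is still a credential, so the rendered kickstart
# needs the same protection the OTP version did. ipa-client-install copies
# the supplied keytab into /etc/krb5.keytab, so the staging copy is removed.
render_post_keytab() {
    fqdn="$1"; keytab_file="$2"
    b64=$(base64 < "$keytab_file" | tr -d '\n')
    cat <<EOF
%post --log=/root/ipa-enroll.log
umask 077
printf '%s' '$b64' | base64 -d > /root/enroll.keytab
ipa-client-install --unattended --hostname=$fqdn --keytab=/root/enroll.keytab \\
    --server=$IPA_SERVER --domain=$DOMAIN --realm=$REALM
rm -f /root/enroll.keytab
%end
EOF
}

# Usage from the provisioning host (placeholder host names):
#   host_enrolled client1.example.com ||
#     render_post_otp client1.example.com "$(host_add_with_otp client1.example.com)"
#   host_add_with_keytab client2.example.com /tmp/client2.keytab &&
#     render_post_keytab client2.example.com /tmp/client2.keytab
```

The keytab path costs one extra privileged call (ipa-getkeytab) per host, exactly the permission difference Dmitri points out, and the rendered kickstart still carries a secret in plain text; what it buys is that the same keytab can be re-used for re-provisioning, whereas the OTP is consumed on first use. Either way the rendered %post fragment should be treated as a credential and generated per host rather than stored in a static kickstart.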