On 22.09.2014, Toomas Tamm wrote:
> On Mon, 2014-09-22 at 09:35 +0200, Jan Bredereke wrote:
> > > > Thanks a lot. So the actual command is secured. In order to secure
> > > > the NFS mount one can use NFS 4 which supports Kerberos for
> > > > encryption and authentication.
> > > Theoretically yes. In practice, I'm not sure if 'fai -N softupdate' does
> > > support the 'sec=krb5p' option or if it allows fallback on this option
> > > if the NFS server requests it. A quick glance through the FAI man pages
> > > didn't reveal anything helpful in this regard.
> >
> > I just didn't find anything, either. So I don't know if I really
> > could use Kerberos underlying NFS in this way.
>
> One does not need to NFS-mount the configuration space. You can use
> other methods of delivering it to the host.
>
> In our installation, the configuration space is kept on a SVN server and
> is checked out in read-only mode at a svn+http:// URL. Our network is
> behind a firewall, so we use plain http, but https is also available,
> after the necessary initial password(s) have been transferred (via any
> of the means discussed earlier).
>
> Afterwards, during softupdates, FAI updates the configuration space from
> the SVN server automatically.
>
> Look at FAI documentation and the scripts /usr/lib/fai/get-config-dir-*
> for all the options available to get the config space, as well as the
> parameters (such as passwords and keys) needed for a secure transfer.

You are right. Working from a local copy of the config space is
another option, and it answers the security demands nicely. I can get
the local copy in many ways, even plain rsync over ssh. As you pointed
out, the necessary keys/credentials must have been deployed before.

Regards,
Jan

--
Prof. Dr. Jan Bredereke
Hochschule Bremen, Fak. 4, Flughafenallee 10, D-28199 Bremen.