Hi,

We use Kerberos with keytabs on our clients. We do *not* trust root on
the clients! One client should never have access to any other client's
keytab. This is my proposed solution to get the keytabs to the clients,
any comments welcome!

1. Use file to get /root/.ssh/authorized_keys
2. Use exported resource to let the client "notify" the server that it
wants a keytab
3. On the server side
3.1 Generate keytab (if it does not exist)
3.2 Push keytab using ssh with key

Problems:
1. As far as I understand, we can't use file to get the keytab, as local
root on clients could then get other clients' keytabs. (solved in solution)
2. Reinstallation. How do I tell the server to push the key once more to
the same client? (not solved in solution)

A suggestion here is to use a custom fact => has or has not keytab.

Any other suggestions?

Regards
Bjørge
