On Thu, Sep 15, 2011 at 10:12 AM, Bjorge Solli <bjo...@solli.priv.no> wrote:
> On 15/09/11 10:34, Bjorge Solli wrote: > > Hi, > > > > we use kerberos with keytabs on our clients. We do *not* trust root on > > the clients! One client should never have access to any other client's > > keytab. This is my proposed solution to get the keytabs to the clients, > > any comments welcome! > > > > 1. Use file to get /root/.ssh/authorized_keys > > 2. Use exported resource to let the client "notify" the server that it > > wants a keytab > > 3. On the serverside > > 3.1 Generate keytab (if not exist) > > 3.2 Push keytab using ssh with key > > > > Problems: > > 1. As far as I understand we can't use file to get the keytab as local > > root on clients then could get other client's keytabs. (solved in > solution) > > 2. Reinstallation. How do I tell the server to push the key once more to > > the same client? (not solved in solution) > > > > A suggestion here is to use a custom fact => has og has not keytab. > > > > Any other suggetions? > > A co-worker suggested using the certs with apache to deny access to all > other than the requesting puppet client, and thus eliminate step 3.2 and > problem 2 and negate problem 1:-) > > This will probably be our solution if noone has an even better idea. > You could create custom fileserver mount points with explicit access privileges so only the specific clients can access those files. You could create a function that returned the correct keytab for a given host, so the content was only available in the catalogs, not as files. file { "/path/to/my_keytab": content => retrieve_keytab_for($certname), } or something along those lines. keytab distribution sucks :( -- Nigel Kersten Product Manager, Puppet Labs *Join us for **PuppetConf * <http://www.bit.ly/puppetconfsig> Sept 22/23 Portland, Oregon, USA. * * -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.