Re: [Freeipa-users] Automated Kickstart Enrollment

2013-10-03 Thread Dmitri Pal
On 09/28/2013 12:24 PM, Charlie Derwent wrote:
> Hi Dmitri (or anyone who knows),
>  
> Is there any way except for waiting for RHEL 6.5 to get FreeIPA 3.2+
> running in production? Really keen to get the re-provisioning
> functionality up and running but don't want to run it on Fedora. Also
> can you generate a keytab with ipa-getkeytab before you enrol a
> host, possibly when you add a host to the ipa-server for the first
> time? Or is the pattern provision with OTP first, then back up the keytab
> and provision with the keytab after?

Sorry, I am a bit behind with the e-mails.

1) 3.2 is in RHEL7, not 6.5
2) If you need it earlier you/we would have to backport, but you need to
go via "official" channels for this to happen in RHEL
3) AFAIR one should be able to add a host and then use ipa-getkeytab
for it, deliver the keytab to the host and use it for enrollment. This
should work. If not, IMO it is a bug.  But I am not sure why you need it.
The flow is the same as with OTP but more complex permissions-wise. I
mean getting the OTP is simple, you can get it as a part of the host add,
while getting the keytab requires a separate call and privileges to actually
get the keytab for the host.


Re: [Freeipa-users] Automated Kickstart Enrollment

2013-09-28 Thread Charlie Derwent
On Tue, Sep 3, 2013 at 4:50 PM, Dmitri Pal  wrote:

> Also a new provisioning method has been added in FreeIPA 3.2 mostly for
> re-provisioning - ability to provision if you already have a keytab.
> This method will be sort of equivalent to what you are asking with a cert.
> But instead of the cert you would need to get keytab first by creating a
> host and then using ipa-getkeytab command and passing keytab to the
> kickstart. That can be done now and would address the issue you are
> concerned about.
>
Hi Dmitri (or anyone who knows),

Is there any way except for waiting for RHEL 6.5 to get FreeIPA 3.2+ running
in production? Really keen to get the re-provisioning functionality up and
running but don't want to run it on Fedora. Also can you generate a keytab
with ipa-getkeytab before you enrol a host, possibly when you add a host to
the ipa-server for the first time? Or is the pattern provision with OTP
first, then back up the keytab and provision with the keytab after?

Thanks,
Charlie

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Automated Kickstart Enrollment

2013-09-03 Thread Dmitri Pal
On 09/03/2013 04:21 AM, Innes, Duncan wrote:
> Hi folks,
>  
> I've got a question about kickstart enrollment with a one-time
> password.  Namely, is there any way that it can be done *without* the
> one-time password.  We're comfortable with the pre-creation of the
> host in IPA, but just wonder if there's a way to enrol without the
> one-time password. 
>  
> The estate is Red Hat (mostly 6) and we deploy systems via kickstart
> from the Satellite.  Can the Satellite push out a certificate from the
> IPA system that would allow client to enrol without the OTP?  Our
> enrollment script runs as part of the kickstart postinstall with the
> OTP effectively sitting in plain text in the script.  Removing the OTP
> would remove the plain text authentication from this script, but I may
> be opening other security holes as a result.
>
Hello,


There have been 3 ways in which a host can be enrolled:
a) High level admin using his credential (no need to have a pre-created
host)
b) Lower level admin using his credential (requires a pre-created host)
c) OTP based (requires a pre-created host)

All provisioning methods that use static kickstart files would have to
have something injected into the kickstart. OTP is the safest and if
leaked can be used to only provision this specific system. The fact that
the OTP was stolen can be detected easily by having a failed enrollment of
the valid system combined with IPA logs indicating that there was a
successful enrollment of the new host with the same name. The fact that
the intruder was able to join a machine into the IPA domain does not
escalate his privileges against other systems, and since it can be easily
caught it is a risk but not a huge one.

The right approach of course is not to have the OTP stored in the kickstart
but rather parameterized in some way. In Satellite 6 (that we are
looking at) this will be done via Foreman and its smart proxies. The
design is not polished yet but we hope that we would be able to limit
the exposure of the OTPs there.

Also a new provisioning method has been added in FreeIPA 3.2, mostly for
re-provisioning: the ability to provision if you already have a keytab.
This method will be sort of equivalent to what you are asking for with a
cert. But instead of the cert you would need to get the keytab first by
creating a host and then using the ipa-getkeytab command and passing the
keytab to the kickstart. That can be done now and would address the issue
you are concerned about.


HTH

Thanks,
Dmitri


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/




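Dmitri's point above, that a consumed OTP shows up as one successful join followed by a failed enrollment of the legitimate host under the same name, can be turned into a simple log check. The following is an added example, not code from this thread or from FreeIPA; the join records it parses are constructed here in a simplified format (timestamp, client address, principal, join target, result), so the regex is an assumption that would need adapting to the real server log.

```python
"""Flag hostnames whose enrollment OTP may have been stolen.

Heuristic from the thread: an OTP enrolls a host exactly once, so a
SUCCESS join for a hostname followed by another attempt for the same
hostname (typically FAILED, because the OTP is already consumed) is
the signature of a leaked OTP.  ASSUMPTION: the log layout below is
constructed for this example and is not the real IPA server format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records (not real IPA log output).
SAMPLE_LOG = """\
2013-09-03T10:01:12 10.0.5.21 host/web01.example.com@EXAMPLE.COM join(web01.example.com) SUCCESS
2013-09-03T10:02:40 10.0.5.22 host/web02.example.com@EXAMPLE.COM join(web02.example.com) SUCCESS
2013-09-03T10:03:05 10.0.9.77 host/db01.example.com@EXAMPLE.COM join(db01.example.com) SUCCESS
2013-09-03T10:09:51 10.0.5.23 host/db01.example.com@EXAMPLE.COM join(db01.example.com) FAILED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<princ>\S+) "
    r"join\((?P<host>[^)]+)\) (?P<result>SUCCESS|FAILED)$"
)


@dataclass
class JoinEvent:
    ts: datetime
    src: str
    host: str
    ok: bool


def parse_joins(text):
    """Parse the constructed join records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(JoinEvent(datetime.fromisoformat(m["ts"]),
                                    m["src"], m["host"], m["result"] == "SUCCESS"))
    return events


def suspicious_hosts(events):
    """Map host -> (source of first successful join, source of the next attempt)
    for every hostname that was joined again after a successful enrollment."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)
    flagged = {}
    for host, evs in by_host.items():
        first_ok = next((e for e in evs if e.ok), None)
        if first_ok is None:
            continue  # never enrolled successfully: nothing to correlate
        later = [e for e in evs if e.ts > first_ok.ts]
        if later:
            flagged[host] = (first_ok.src, later[0].src)
    return flagged


if __name__ == "__main__":
    for host, (winner, retry) in suspicious_hosts(parse_joins(SAMPLE_LOG)).items():
        print(f"ALERT {host}: enrolled from {winner}, re-attempted from {retry}")
```

The flagged pair of source addresses tells the responder which machine consumed the OTP and which one was subsequently refused, the two halves of the signal Dmitri describes.
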
Re: [Freeipa-users] Automated Kickstart Enrollment

2013-09-03 Thread Innes, Duncan
Sounds like future work and integrating with Satellite 6 when it comes.
We delete the post-install scripts before reboot at the moment, so we're
not in a bad way.
 
Thanks Dmitri





[Freeipa-users] Automated Kickstart Enrollment

2013-09-03 Thread Innes, Duncan
Hi folks,
 
I've got a question about kickstart enrollment with a one-time password.
Namely, is there any way that it can be done *without* the one-time
password?  We're comfortable with the pre-creation of the host in IPA,
but just wonder if there's a way to enrol without the one-time password.

 
The estate is Red Hat (mostly 6) and we deploy systems via kickstart
from the Satellite.  Can the Satellite push out a certificate from the
IPA system that would allow client to enrol without the OTP?  Our
enrollment script runs as part of the kickstart postinstall with the OTP
effectively sitting in plain text in the script.  Removing the OTP would
remove the plain text authentication from this script, but I may be
opening other security holes as a result.
 
Cheers
 
Duncan Innes
 
