[debian-lan-devel] on sending a kerberos keytab to the client machine

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Tue Sep 11 12:30:54 UTC 2012


Hi Andi,

I just stumbled over this post...

On Mo 03 Sep 2012 22:40:08 CEST "Andreas B. Mundt" wrote:

> Hi,
>
> from time to time it's necessary to distribute data securely to
> clients from the FAI server.  This has been discussed before on this
> list, cf. for example [1] and replies.
>
> I would like to present and 'ask for comments' on a way I figured out
> last week. Perhaps it is well known, but I did not hear/read something
> like that before. I have implemented it in the Debian-LAN setup [2]
> now, and so far it works fine.
> The advantage of the approach:  All action is kind of 'one-way', from
> the central server to the clients. The clients need no additional
> permissions on the server.
>
> The idea is the following:  First, allow root from the faiserver to
> login on all clients via public key authentication.  The
> implementation is straight forward:  Create a ssh key pair and copy
> the public key in the /root/.ssh/allowed_keys file of the FAI config
> space and fcopy it to all clients.  Furthermore, copy it to the
> nfsroot, so you can access the machine during installation already.

Having a master server that can SSH with keyauth to other machines as
root is common practice in system administration. If people will be
fond of it as a requirement, I guess not... Hmmm...

So, the question maybe if the copying step can be performed as a
non-root account.

  1. copy some important file from root@faiserver to dumbsysaccount@client.
  2. allow dumbsysaccount to execute one single command as root (with sudo)
  3. this one single command then does the job of installing the important
     file (like /etc/keytab)

> Now, the question is how to trigger copying the credentials, in my
> case a kerberos keytab.  To do that, I use a script which is executed
> on every lease of a machine 'known' to the dhcpd, i.e. its MAC address
> is present in dhcpd.conf.  The script first checks if the
> corresponding keytab has been scp'd before - if this is the case, it
> exits immediately.  If the keytab is unused, it tries to scp the
> keytab periodically within a given time to the client machine.
>
> With this setup, the work flow installing machines is the following:
>
>   * Add the MAC addresses of all machines to be installed to
>     dhcpd.conf.  You have to make sure that nobody in the network
>     can fake a MAC address if you do that by some automatic means.
>   * Install the machines.  Make sure indeed all the machines that are
>     in dhcpd.conf have been installed successfully and got their
>     keytab.

The dhcpd triggering is very neat, indeed. You solved the krb5-hostkey
question of Debian Edu with this as well!!! Awesome!

> That's it.  The nice thing about this method is that there is no need
> to kind of 'activate' a machine more than once and copy kerberos
> credentials 'by hand' after installation.  They are ready to use
> mounting their home directories with sec=krb5*.
>
> The root access to clients may also be useful for other features, for
> example to run a softupdate scheduled from the central server.

Greets,
Mike




-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
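The two mechanisms discussed in this thread, Andi's one-shot keytab push triggered per DHCP lease that retries within a time window and never resends a keytab already delivered, and Mike's variant in which an unprivileged client account receives the file and one sudo-allowed command installs it, combined into a single added shell example. This is not code from Debian-LAN, Debian Edu or either poster. The directory layout (`KEYTAB_DIR`, `STATE_DIR`), the key name, the staging path, the account name `dumbsysaccount` and how the dhcpd hook invokes the script are all assumptions; `transport()` is the scp/ssh step and is the function a test replaces with a local copy.

```shell
#!/bin/sh
# deliver-keytab.sh (added example, not Debian-LAN code)
# Server side: a dhcpd lease hook runs it as  deliver-keytab.sh <host> <ip>.
# Assumed layout:
#   $KEYTAB_DIR/<host>.keytab     one keytab per client, prepared on the KDC
#   $STATE_DIR/<host>.delivered   marker written once the hand-off succeeded
# Client side: install_keytab is the single command the unprivileged
# account may run as root, with a sudoers entry such as
#   dumbsysaccount ALL=(root) NOPASSWD: /usr/local/sbin/install-keytab ""
# (the trailing "" restricts the command to no arguments).

KEYTAB_DIR="${KEYTAB_DIR:-/var/lib/fai/keytabs}"
STATE_DIR="${STATE_DIR:-/var/lib/fai/keytabs/delivered}"
SSH_KEY="${SSH_KEY:-/root/.ssh/id_keytab_push}"        # assumed key name
CLIENT_USER="${CLIENT_USER:-dumbsysaccount}"           # hypothetical account
STAGED="${STAGED:-/var/tmp/keytab.staged}"             # assumed staging path
INSTALL_CMD="${INSTALL_CMD:-/usr/local/sbin/install-keytab}"

# transport <keytab> <ip>: copy to the unprivileged account, then ask the
# one allowed command to install it.  BatchMode makes an unreachable or
# unknown host fail fast instead of waiting at a prompt.
transport() {
    scp -q -i "$SSH_KEY" -o BatchMode=yes -o ConnectTimeout=5 \
        "$1" "$CLIENT_USER@$2:$STAGED" &&
    ssh -i "$SSH_KEY" -o BatchMode=yes -o ConnectTimeout=5 \
        "$CLIENT_USER@$2" sudo "$INSTALL_CMD"
}

already_delivered() { [ -e "$STATE_DIR/$1.delivered" ]; }

# deliver_keytab <host> <ip> <deadline_secs> <retry_secs>
# 0: keytab is (or already was) on the client; 1: every attempt before the
# deadline failed; 2: no keytab prepared for this host.
deliver_keytab() {
    host=$1; ip=$2; deadline=$3; interval=$4
    keytab="$KEYTAB_DIR/$host.keytab"
    already_delivered "$host" && return 0    # one-shot: never resend
    [ -f "$keytab" ] || return 2
    mkdir -p "$STATE_DIR"
    stop=$(( $(date +%s) + deadline ))
    while :; do
        if transport "$keytab" "$ip"; then
            : > "$STATE_DIR/$host.delivered"
            return 0
        fi
        [ "$(date +%s)" -lt "$stop" ] || return 1
        sleep "$interval"
    done
}

# install_keytab: runs as root via sudo on the client.  sudo's env_reset
# means the defaults above apply there; the env overrides exist for tests.
install_keytab() {
    dest="${KEYTAB_DEST:-/etc/krb5.keytab}"
    # Only a plain, non-empty file; never follow a symlink planted in staging.
    if [ -L "$STAGED" ] || [ ! -f "$STAGED" ] || [ ! -s "$STAGED" ]; then
        rm -f "$STAGED"; return 1
    fi
    # A keytab begins with version bytes 05 01 or 05 02; reject anything else.
    magic=$(od -An -tx1 -N2 "$STAGED" | tr -d ' \n')
    case "$magic" in
        0501|0502) ;;
        *) rm -f "$STAGED"; return 1 ;;
    esac
    if [ "$(id -u)" -eq 0 ]; then owner="-o root -g root"; else owner=""; fi
    install -m 0600 $owner "$STAGED" "$dest" && rm -f "$STAGED"
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 <host> <ip>" >&2; exit 64; }
    deliver_keytab "$1" "$2" "${DEADLINE:-1800}" "${RETRY:-60}"
}
# Run main only when executed under the script's own name, so the
# functions can also be sourced (or tested) without side effects.
case "$0" in */deliver-keytab.sh|deliver-keytab.sh) main "$@" ;; esac
```

The `.delivered` marker is what makes the push one-shot, as in Andi's description of exiting immediately when the keytab was already scp'd; the client never needs an account on the server, and the only privilege the client account holds is the argument-less installer, which refuses anything that is not a keytab before it touches `/etc/krb5.keytab`. Since the retry loop can run for the whole deadline, the dhcpd hook should start the script in the background.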