[debian-lan-devel] Reinstall workstations with the same MAC Address again and again will not work.

Andreas B. Mundt andi.mundt at web.de
Wed Apr 24 13:50:37 UTC 2013


Hi Andreas,

On Mon, Apr 22, 2013 at 09:09:09PM +0200, Andreas Schockenhoff wrote:
> On 20.04.2013 17:46, Andreas B. Mundt wrote:
> >On Sat, Apr 20, 2013 at 05:16:03PM +0200, Andreas Schockenhoff wrote:
> >
> >>I will reinstall workstations with the same MAC Address again and
> >>again. Also with the newest improvements from debian lan git it will
> >>also not work for me. I have overwritten /usr/local/sbin/debian-lan on
> >>mainserver with the new version from git.
> >Can you find out why it does not work?  It should just copy the
> >appropriate keytab to the machine, prompting if the keytab has been
> >used already (and offering to re-use it).
> I have found my original problem: moving
> /root/installation/workstationXX.keytab.Datum back to
> /root/installation/workstationXX.keytab solves the problem.
> Reinstallation works as I wish.
>
> Example: mv workstation07.* workstation07.keytab
>
> Why is this hook in the dhcp server?
>

The idea is to enable the machine (= copy the keytab) automatically
during installation.  It is marked as used with a timestamp after
that, to make it impossible to fetch the key again with a malicious
machine in the network.  If a key is marked, but the sysadmin never
installed that machine, he knows that someone might have fetched the
key before. In a security-aware network he should not use the tainted
key but create a new one.  If he knows it is just a re-installation
and the key can't be in someone evil's hands, he has to copy the
keytab manually with the "debian-lan key2machine HOSTNAME" command.

> The problem of debian-lan is different. SSH Keys change .... But the
> strange problem that copying the keys
> with debian lan does not work, but a normal ssh copy works, must
> still be debugged.
> Every debian-lan copy adds a date string to the key on the server. Is
> this ok? Maybe you can have a look at this
> tool; does it still make sense?

The idea was to allow the sysadmin some kind of control about how
often he already used a key.

If you run a test system, you can forget these features.  Just remove
the lines that add the date-stamp to the keytab file:

Remove/comment the line

    mv -v $DATADIR/${MACHINE}.keytab $DATADIR/${MACHINE}.keytab_$DATE

in files/usr/local/sbin/dhcpd-keytab/SERVER_A and the same line in
files/usr/local/sbin/debian-lan/SERVER_A .

This should stop the renaming, i.e. marking of keytabs, and the
dhcp-hook should be able to activate a machine during installation (it
tries to activate the machine every minute for 8 minutes) no matter
how often the machine has been installed and the key copied
"somewhere".

Best regards,

     Andi
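
The check described in the message above (a keytab marked as used for a machine the sysadmin never installed), as an added example that is not part of the original message or of debian-lan. It assumes the `HOST.keytab` / `HOST.keytab_DATE` naming from the quoted `mv` line; the list of installed hosts, the function names and the sample data are hypothetical.

```shell
#!/bin/sh
# Added example, not debian-lan code. Assumed layout (from the mv line above):
# unused keys are HOST.keytab, keys already handed out are HOST.keytab_DATE.

# list_marked DATADIR -> one "HOST DATE" line per keytab marked as used
list_marked() {
    for f in "$1"/*.keytab_*; do
        [ -e "$f" ] || continue              # glob matched nothing
        base=${f##*/}
        printf '%s %s\n' "${base%%.keytab_*}" "${base#*.keytab_}"
    done
}

# audit_keytabs DATADIR INSTALLED_LIST
# INSTALLED_LIST is a hypothetical file kept by the sysadmin: one hostname per
# line for every machine they installed themselves.
#   EXPECTED: key was fetched and the admin installed that host
#   SUSPECT:  key was fetched but the admin never installed that host, so it
#             should be treated as tainted and replaced with a new key
audit_keytabs() {
    list_marked "$1" | while read -r host date; do
        if grep -qxF -- "$host" "$2"; then
            echo "EXPECTED $host $date"
        else
            echo "SUSPECT $host $date"
        fi
    done
}

# make_demo -> path of a temp directory holding constructed sample data
make_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/workstation05.keytab"            # never fetched
    : > "$d/workstation07.keytab_20130420"   # fetched, admin installed it
    : > "$d/workstation09.keytab_20130422"   # fetched, nobody installed it
    printf 'workstation07\n' > "$d/installed.txt"
    echo "$d"
}

demo=$(make_demo)
audit_keytabs "$demo" "$demo/installed.txt"
rm -rf "$demo"
```

Removing the `mv` line as suggested for test systems also removes the marker this check relies on, so it only makes sense where the renaming is left in place.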



