[Freeipa-users] Give laptops bidirectional anywhere access to freeipa and /home/

Dmitri Pal dpal at redhat.com
Wed May 12 21:38:08 UTC 2010


Rob Townley wrote:
> The main difference between tinc vpns and traditional vpns is that
> tinc is bidirectional and does not require the user to enter a
> username password.  So if the computer is turned on, the remote
> machine is reachable by the IT department.  If it is a Windows
> machine, you may want to verify antivirus signatures are up-to-date.
> FusionInventory could be used to push software.
>
> Yes, it is a machine level as opposed to user level vpn.  tinc would
> have to run on all machines to make it the easiest to use.  With FreeIPA,
> that could be easy.
>
> The keys currently are RSA public / private keypairs.
>
> Does not have existing code to work with LDAP / Kerberos as far as I know.
>

Would be great if it could leverage Kerberos for this.
Then it would have been really easy with IPA and no need for additional
key management.
Host keytabs are already managed by FreeIPA v2.
But certmonger would be able to help with certs too.
Have you looked at certmonger as a provisioning tool for that sort of
deployment?
Again, FreeIPA v2 is capable of handling certs for this case too.



-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

