[Freeipa-users] Using DHCPD with IPA
~Stack~
i.am.stack at gmail.com
Fri Jan 27 03:59:19 UTC 2012
On 01/26/2012 08:54 AM, Adam Young wrote:
> On 01/24/2012 09:11 PM, ~Stack~ wrote:
>> Crud. This looks like it could be difficult. I don't preserve anything
>> on those machines. At least not right now...
> It is a bootstrap issue. For a shared nothing boot like you are
> doing, there needs to be a way for the new machine to securely get its
> identity.
>
> Ideally, PXE boot would give you the option to somehow store a private
> key in the BIOS and present a certificate during boot. If it did that,
> you could then set up a secure way to tell the IPA server "I am still
> who I claimed I was before" and fetch all of your secure data during the
> start up process.
>
> Assuming your data center is locked down and a rogue machine cannot PXE
> boot on your local interface, what you would need is probably a way to
> push down a one time password to the booting machine so that it could
> then use that to refetch its keytab from the IPA server. Not something
> currently supported (only happens during register).
>
> You can unregister and then register the machines when you reboot them.
> I am pretty sure that you don't really want to do that, though.
Thanks for the reply.
I actually had a spark pop into my head last night as I was trying to
doze off to sleep. Tried it today and it works rather well. I realize
there are probably a few security risks here, but it is the best I have
come up with so far and I have done my best to mitigate the obvious ones.
I have declared in my dhcpd that only certain MAC addresses can PXEboot.
This is working well and non-defined MACs are not able to PXEboot.
In my kickstart file, that is pushed out over the PXEboot, I have an SSH
key inside. That key only authenticates against an account that is
configured with scponly[1] and the account is locked down for read only.
During the kickstart post script section, I have the box pull down the
settings it needs from a `hostname`.tgz file over scp.
[1] https://github.com/scponly/scponly/wiki
I haven't figured out all the settings that IPA needs, but pulling the
host identifiers, the ntp config, etc. works really well for the time being.
Is there a handy list of conf files that I need to bundle up? I looked
for such a list and saw mention of various files in various places but
not a complete list. Have I just missed that in my search-fu?
Thanks again!
~Stack~
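The kickstart %post step described in the message above, written out as an added example (this is not code from the thread or from the scponly or FreeIPA projects). It assumes a hypothetical bundle account "bundle" on a host "bundlehost", a private key and a known_hosts file already placed under /root/.ssh by the kickstart, and bundles that only ever contain files under etc/ and var/. The part a practitioner would want on top of the plain scp is the check before unpacking: a fetched tarball is extracted into / as root, so the script refuses any archive whose member paths are absolute, contain "..", or fall outside the expected prefixes.

```shell
#!/bin/sh
# Kickstart %post fragment for fetching a per-host config bundle over scp.
# Added example; the account, host name and key paths are assumptions.
set -eu

BUNDLE_USER="${BUNDLE_USER:-bundle}"        # scponly-restricted account (assumed name)
BUNDLE_HOST="${BUNDLE_HOST:-bundlehost}"    # host serving the bundles (assumed name)
BUNDLE_KEY="${BUNDLE_KEY:-/root/.ssh/bundle_key}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/known_hosts}"

# Return 0 only when every member of the tarball is a relative path, has no
# ".." component, and lives under etc/ or var/. Empty archives are rejected.
bundle_is_safe() {
    tarball="$1"
    tar -tzf "$tarball" | awk '
        { n++ }
        $0 ~ /^\//              { bad = 1 }   # absolute path
        $0 ~ /(^|\/)\.\.(\/|$)/ { bad = 1 }   # parent-directory traversal
        $0 !~ /^(etc\/|var\/)/  { bad = 1 }   # outside the allowed prefixes
        END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Fetch <hostname>.tgz from the bundle account and unpack it into the
# installed system (%post runs chrooted into /mnt/sysimage by default, so
# "/" here is the new root). Host key checking is strict so the embedded key
# is only ever offered to the server whose key shipped with the kickstart.
install_bundle() {
    host="$1"
    work=$(mktemp -d)
    scp -i "$BUNDLE_KEY" \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "$BUNDLE_USER@$BUNDLE_HOST:$host.tgz" "$work/bundle.tgz"
    if ! bundle_is_safe "$work/bundle.tgz"; then
        echo "refusing to unpack $host.tgz: unexpected member paths" >&2
        rm -rf "$work"
        return 1
    fi
    tar -xzf "$work/bundle.tgz" -C /
    rm -rf "$work"
}

# In the %post section invoke this script as:  sh bundle.sh --install
if [ "${1:-}" = "--install" ]; then
    install_bundle "$(hostname)"
fi
```

The path check runs on the archive listing rather than on the extracted files, so nothing from the bundle touches the filesystem until it has passed; the scponly account on the server side limits what the key can do, and the check here limits what the bundle can do to the client.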