[Freeipa-users] Automated Kickstart Enrollment

Dmitri Pal dpal at redhat.com
Thu Oct 3 23:09:35 UTC 2013


On 09/28/2013 12:24 PM, Charlie Derwent wrote:
>
> On Tue, Sep 3, 2013 at 4:50 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 09/03/2013 04:21 AM, Innes, Duncan wrote:
>>     Hi folks,
>>      
>>     I've got a question about kickstart enrollment with a one-time
>>     password.  Namely, is there any way that it can be done *without*
>>     the one-time password?  We're comfortable with the pre-creation
>>     of the host in IPA, but just wonder if there's a way to enrol
>>     without the one-time password. 
>>      
>>     The estate is Red Hat (mostly 6) and we deploy systems via
>>     kickstart from the Satellite.  Can the Satellite push out a
>>     certificate from the IPA system that would allow client to enrol
>>     without the OTP?  Our enrollment script runs as part of the
>>     kickstart postinstall with the OTP effectively sitting in plain
>>     text in the script.  Removing the OTP would remove the plain text
>>     authentication from this script, but I may be opening other
>>     security holes as a result.
>>
>     Hello,
>
>
>     There are three ways a host can be enrolled:
>     a) High level admin using his credential (no need to have a
>     pre-created host)
>     b) Lower level admin using his credential (requires a pre-created
>     host)
>     c) OTP based (requires a pre-created host)
>
>     All provisioning methods that use static kickstart files would
>     have to have something injected into the kickstart. OTP is the
>     safest, and if leaked it can be used only to provision this specific
>     system. The fact that an OTP was stolen can be detected easily by
>     having a failed enrollment of the valid system combined with IPA
>     logs indicating that there was a successful enrollment of the new
>     host with the same name. The fact that an intruder was able to join a
>     machine into the IPA domain does not escalate his privileges against
>     other systems, and since it can be easily caught it is a risk but
>     not a huge one.
>
>     The right approach, of course, is not to have the OTP stored in the
>     kickstart but rather parameterized in some way. In Satellite 6
>     (which we are looking at) this will be done via Foreman and its
>     smart proxies. The design is not polished yet, but we hope that we
>     will be able to limit the exposure of the OTPs there.
>
>     Also, a new provisioning method has been added in FreeIPA 3.2,
>     mostly for re-provisioning: the ability to provision if you already
>     have a keytab.
>     This method is sort of equivalent to what you are asking for with
>     a cert. But instead of the cert you would need to get a keytab first
>     by creating a host and then using the ipa-getkeytab command and
>     passing the keytab to the kickstart. That can be done now and would
>     address the issue you are concerned about.
>
> Hi Dmitri (or anyone who knows),
>  
> Is there any way, except for waiting for RHEL 6.5, to get FreeIPA 3.2+
> running in production? Really keen to get the re-provisioning
> functionality up and running, but I don't want to run it on Fedora. Also,
> can you generate a keytab with ipa-getkeytab before you enrol a
> host, possibly when you add the host to the IPA server for the first
> time? Or is the pattern: provision with the OTP first, then back up the
> keytab and provision with the keytab after?

Sorry I am a bit behind with the e-mails.

1) 3.2 is in RHEL 7, not 6.5.
2) If you need it earlier, you/we would have to backport, but you need to
go via "official" channels for this to happen in RHEL.
3) AFAIR one should be able to add a host and then use ipa-getkeytab
for it, deliver the keytab to the host and use it for enrollment. This
should work; if not, IMO it is a bug.  But I am not sure why you need it.
The flow is the same as with OTP but more complex permissions-wise. I
mean getting an OTP is simple, you can get it as part of the host add,
while getting a keytab requires a separate call and the privileges to
actually get the keytab for the host.



>  
> Thanks,
> Charlie 
>
>
>
>     HTH
>
>     Thanks,
>     Dmitri
>>     Cheers
>>      
>>     Duncan Innes
>>      
>>
>>     _______________________________________________
>>     Freeipa-users mailing list
>>     Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
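The quoted message gives a concrete detection heuristic for a leaked enrollment OTP: the legitimate system's kickstart enrollment fails while IPA shows that a host with the same name was enrolled anyway. The script below is an added example, not code from this thread or from FreeIPA, that turns that heuristic into a check. Both inputs are constructed stand-ins: the "Satellite report" is a hand-written list of kickstart results, and the host records mimic the `Host name:`, `Password:` and `Keytab:` fields that `ipa host-show` prints (`Password: True` means the one-time password is still set, `Keytab: True` means a keytab has been issued for the host). The host names and realm are invented.

```python
"""Correlate kickstart enrollment results with IPA host state to spot an
enrollment OTP that was consumed by something other than the intended box.

Added example, not code from the list post or from the FreeIPA project.
"""
from dataclasses import dataclass

# Constructed stand-in for a Satellite post-install report:
# (fqdn, did the %post ipa-client-install step succeed on the real box?)
PROVISION_REPORT = [
    ("web01.example.test", True),
    ("web02.example.test", False),   # real box failed to enroll
    ("db01.example.test", False),    # real box failed to enroll
    ("app01.example.test", True),
]

# Constructed stand-in for concatenated `ipa host-show` output; the field
# names are the ones that command prints, the values are made up.
IPA_HOST_SHOW = """\
  Host name: web01.example.test
  Principal name: host/web01.example.test@EXAMPLE.TEST
  Password: False
  Keytab: True
  Managed by: web01.example.test

  Host name: web02.example.test
  Principal name: host/web02.example.test@EXAMPLE.TEST
  Password: False
  Keytab: True
  Managed by: web02.example.test

  Host name: db01.example.test
  Principal name: host/db01.example.test@EXAMPLE.TEST
  Password: True
  Keytab: False
  Managed by: db01.example.test

  Host name: app01.example.test
  Principal name: host/app01.example.test@EXAMPLE.TEST
  Password: False
  Keytab: False
  Managed by: app01.example.test

  Host name: bastion9.example.test
  Principal name: host/bastion9.example.test@EXAMPLE.TEST
  Password: False
  Keytab: True
  Managed by: bastion9.example.test
"""


@dataclass(frozen=True)
class HostState:
    fqdn: str
    otp_set: bool      # Password: True -> the OTP is still unused
    has_keytab: bool   # Keytab: True   -> something already enrolled as this host


def parse_host_show(text):
    """Parse one or more blank-line-separated `ipa host-show` blocks."""
    hosts, cur = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last block
        line = line.strip()
        if not line:
            if "Host name" in cur:
                hosts.append(HostState(cur["Host name"],
                                       cur.get("Password") == "True",
                                       cur.get("Keytab") == "True"))
            cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip()] = value.strip()
    return hosts


def classify(report, hosts):
    """Return {fqdn: verdict} by joining the kickstart report with IPA state."""
    state = {h.fqdn: h for h in hosts}
    verdicts = {}
    for fqdn, enrolled_ok in report:
        h = state.get(fqdn)
        if h is None:
            verdicts[fqdn] = "not-precreated"          # host was never added to IPA
        elif enrolled_ok and h.has_keytab:
            verdicts[fqdn] = "ok"
        elif not enrolled_ok and h.has_keytab and not h.otp_set:
            # The real box failed, yet the OTP is gone and a keytab was issued:
            # something else consumed the OTP. Investigate before re-enrolling.
            verdicts[fqdn] = "otp-consumed-elsewhere"
        elif not enrolled_ok and h.otp_set:
            verdicts[fqdn] = "failed-otp-unused"       # plain failure, safe to retry
        else:
            verdicts[fqdn] = "inconsistent"            # report and IPA disagree
    for h in hosts:
        if h.fqdn not in verdicts and h.has_keytab:
            verdicts[h.fqdn] = "enrolled-without-provisioning-record"
    return verdicts


if __name__ == "__main__":
    for fqdn, verdict in classify(PROVISION_REPORT, parse_host_show(IPA_HOST_SHOW)).items():
        print(f"{fqdn:28} {verdict}")
```

In practice the report would come from whatever records the kickstart `%post` outcome and the host blocks from `ipa host-show` on each pre-created name. The `enrolled-without-provisioning-record` verdict also fires for hosts an admin enrolled by hand, so restrict the IPA side to the names kickstart is expected to own before treating it as a finding.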

