[Freeipa-users] Automated Kickstart Enrollment

Charlie Derwent shelltoesuperstar at gmail.com
Sat Sep 28 16:24:56 UTC 2013


On Tue, Sep 3, 2013 at 4:50 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 09/03/2013 04:21 AM, Innes, Duncan wrote:
>
> Hi folks,
>
> I've got a question about kickstart enrollment with a one-time password.
> Namely, is there any way that it can be done *without* the one-time
> password.  We're comfortable with the pre-creation of the host in IPA,
> but just wonder if there's a way to enrol without the one-time password.
>
> The estate is Red Hat (mostly 6) and we deploy systems via kickstart from
> the Satellite.  Can the Satellite push out a certificate from the IPA
> system that would allow client to enrol without the OTP?  Our enrollment
> script runs as part of the kickstart postinstall with the OTP effectively
> sitting in plain text in the script.  Removing the OTP would remove the
> plain text authentication from this script, but I may be opening other
> security holes as a result.
>
> Hello,
>
> There are 3 ways in which a host can be enrolled:
> a) High level admin using his credential (no need to have a pre-created
> host)
> b) Lower level admin using his credential (requires a pre-created host)
> c) OTP based (requires a pre-created host)
>
> All provisioning methods that use static kickstart files would have to
> have something injected into the kickstart. OTP is the safest and if leaked
> can be used to only provision this specific system. The fact that OTP was
> stolen can be detected easily by having a failed enrollment of the valid
> system combined with IPA logs indicating that there was a successful
> enrollment of the new host with the same name. The fact that an intruder was
> able to join a machine into the IPA domain does not escalate his privileges
> against other systems, and since it can be easily caught it is a risk but
> not a huge one.
>
> The right approach of course is not to have the OTP stored in kickstart but
> rather parameterized in some way. In Satellite 6 (that we are looking at)
> this will be done via Foreman and its smart proxies. The design is not
> polished yet but we hope that we would be able to limit the exposure of the
> OTPs there.
>
> Also a new provisioning method has been added in FreeIPA 3.2 mostly for
> re-provisioning - ability to provision if you already have a keytab.
> This method will be sort of equivalent to what you are asking with a cert.
> But instead of the cert you would need to get keytab first by creating a
> host and then using ipa-getkeytab command and passing keytab to the
> kickstart. That can be done now and would address the issue you are
> concerned about.
>
Hi Dmitri (or anyone who knows),

Is there any way except for waiting for RHEL 6.5 to get FreeIPA 3.2+ running
in production? Really keen to get the re-provisioning functionality up and
running but don't want to run it on Fedora. Also, can you generate a keytab
with ipa-getkeytab before you enrol a host, possibly when you add a host to
the ipa-server for the first time? Or is the pattern provision with OTP
first, then back up the keytab and provision with the keytab after?

Thanks,
Charlie

>
>
> HTH
>
> Thanks,
> Dmitri
>
> Cheers
>
> Duncan Innes
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
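The keytab-based flow Dmitri describes (pre-create the host, pull a keytab with ipa-getkeytab, hand it to the kickstart %post instead of an OTP), written out as an added example that is not from the thread. The IPA server name ipa.example.test, realm EXAMPLE.TEST, the keytab drop directory and the Satellite URL the client fetches from are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: IPA server ipa.example.test,
# realm EXAMPLE.TEST, a keytab drop directory and the URL Satellite serves it from.
IPA_SERVER=${IPA_SERVER:-ipa.example.test}
REALM=${REALM:-EXAMPLE.TEST}
KEYTAB_DIR=${KEYTAB_DIR:-/srv/kickstart/keytabs}
KEYTAB_URL=${KEYTAB_URL:-https://satellite.example.test/keytabs}

# Server side, run by an admin holding a kinit ticket: pre-create the host entry
# and fetch its keytab. ipa / ipa-getkeytab go through IPA_CMD / GETKEYTAB_CMD so
# a dry run (IPA_CMD=echo GETKEYTAB_CMD=echo) shows the commands without a server.
fetch_host_keytab() {
    fqdn=$1
    keytab="$KEYTAB_DIR/$fqdn.keytab"
    umask 077                                  # the keytab is a credential: owner-only from creation
    ${IPA_CMD:-ipa} host-add "$fqdn" --force   # --force skips the DNS check for a not-yet-built box
    ${GETKEYTAB_CMD:-ipa-getkeytab} -s "$IPA_SERVER" -p "host/$fqdn@$REALM" -k "$keytab"
    printf '%s\n' "$keytab"
}

# Kickstart side: the %post fragment that enrols with --keytab instead of
# --password, so no OTP sits in the kickstart. The keytab is fetched over HTTPS,
# used once, then shredded; after enrollment the host key lives in /etc/krb5.keytab.
kickstart_post_fragment() {
    fqdn=$1
    domain=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    cat <<EOF
%post --log=/root/ipa-enroll.log
umask 077
curl -sSf -o /root/$fqdn.keytab "$KEYTAB_URL/$fqdn.keytab"
ipa-client-install --unattended --hostname=$fqdn --server=$IPA_SERVER \\
    --domain=$domain --realm=$REALM --keytab=/root/$fqdn.keytab
shred -u /root/$fqdn.keytab
%end
EOF
}
```

A leaked per-host keytab has the same blast radius Dmitri gives for a leaked OTP (one host entry), so serve the file only to the machine being built and remove it from the drop directory once enrollment succeeds.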