[Freeipa-users] Can freeIPA work without Kerberos and DNS
Gokulnath
gokulnathb at gmail.com
Mon Mar 30 12:58:53 UTC 2015
Thanks for the update.
The reason for weighing in on the Kerberos option is to have that as an option to disable if needed; security is more important. I had to say this because there was a question on "why I would disable it".
I agree that the OTP should definitely provide some additional layer of security.
Let me test and reply back.
Thanks again.
Gokul
Sent from iPhone
> On Mar 30, 2015, at 7:48 AM, Dmitri Pal <dpal at redhat.com> wrote:
>
>> On 03/29/2015 10:27 PM, Gokulnath wrote:
>> Thanks for getting back.
>>
>> 1. As for security, a Kerberos ticket in memory can be taken and that session key
>> can be used to gain access everywhere. Primarily this is because the plan is to use the solution in the cloud.
>
> You can use Kerberos in the cloud. It is not worse or better than certs.
> If you can read memory of a machine you can (potentially) read its keys.
> But this is the general risk that you take going into the cloud regardless of whether you use PKI or Kerberos.
>
> In general you do not want to store long term keys in the images but rather add them on the fly when the system is instantiated.
> The ipa-client-install with OTP registration code provides this capability.
>
> It seems that you are trying to overcomplicate things with no obvious reason.
> If you need help with picking a better approach let us know what exactly you are trying to accomplish.
>
>>
>> 2. Can I disable DNS as well? And have IPA to run only ldap, ssh key rotation and pki ?
>>
>> 3. As during the install, DNS and Kerberos are getting installed and configured.
>>
>> I would really appreciate if you can get back.
>>
>> Thank you
>> Gokul
>> Sent from iPhone
>>
>>>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>> On 03/29/2015 11:50 AM, Gokul wrote:
>>>> Hi,
>>>>
>>>> I am trying to run some of my use cases with FreeIPA.
>>>>
>>>> Have FreeIPA to do only SSH key management in LDAP and PKI management.
>>>>
>>>> I understand that every request is kerberized and that DNS is a must in the configuration.
>>>>
>>>> Can I have FreeIPA to run only SSH Key management with LDAP and a PKI server with dogtag?
>>>>
>>>> Thank you
>>>> Gokul
>>> You can't turn off Kerberos. You would need Kerberos for administration.
>>> But other clients can take advantage of LDAP and SSH only.
>>> However you are significantly limiting your functionality and capabilities.
>>> Kerberos is really the key of the solution.
>>>
>>> What is the reason you try to avoid using it?
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
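
The practice described in the quoted reply above (no long-term keys baked into the image, enrollment at instantiation with a one-time password) can be written as a first-boot script. This is an added example, not part of the original thread: the file paths, the helper names `needs_enrollment`, `read_otp` and `enroll`, and the `IPA_ENROLL_RUN` switch are assumptions, and the provisioning system is assumed to deliver the OTP into `OTP_FILE`.

```shell
#!/bin/sh
# First-boot enrollment sketch for an image that ships WITHOUT a keytab.
# Server side, run by provisioning with admin credentials:
#   ipa host-add <fqdn> --random      # prints the one-time password
# Assumed (not from the thread): paths, helper names, IPA_ENROLL_RUN.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
OTP_FILE="${OTP_FILE:-/run/ipa-enroll/otp}"

# Succeeds only when no keytab exists yet, i.e. the host still has to enroll.
needs_enrollment() {
    [ ! -s "$KEYTAB" ]
}

# Print the OTP. Returns 2 if the file is missing or empty, 3 if its mode
# lets group or others read it (uses GNU stat).
read_otp() {
    [ -s "$OTP_FILE" ] || return 2
    case "$(stat -c '%a' "$OTP_FILE")" in
        ?00) cat "$OTP_FILE" ;;     # owner-only, e.g. 600 or 400
        *)   return 3 ;;
    esac
}

# Enroll once; a host that already holds a keytab is left untouched.
enroll() {
    fqdn="$1"
    needs_enrollment || { echo "keytab present, skipping enrollment" >&2; return 0; }
    otp=$(read_otp) || return $?
    ipa-client-install --unattended --hostname="$fqdn" --password="$otp" || return 1
    rm -f "$OTP_FILE"               # the OTP is spent after a successful enrollment
}

# Nothing runs unless explicitly requested, so the file can be sourced safely.
if [ "${IPA_ENROLL_RUN:-0}" = 1 ]; then
    enroll "$(hostname -f)"
fi
```

The keytab that results is created on the instance itself, so a copied or leaked image contains no host key.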