[Freeipa-users] Can freeIPA work without Kerberos and DNS

Gokulnath gokulnathb at gmail.com
Mon Mar 30 12:58:53 UTC 2015


Thanks for the update.

The reason for weighing in on the Kerberos option is to have that as an option to disable if needed; security is more important. I had to say this because there was a question on "why I would disable it".

I agree that the OTP should definitely provide an additional layer of security.

Let me test and reply back.

Thanks again.

Gokul

Sent from iPhone

> On Mar 30, 2015, at 7:48 AM, Dmitri Pal <dpal at redhat.com> wrote:
> 
>> On 03/29/2015 10:27 PM, Gokulnath wrote:
>> Thanks for getting back.
>> 
>> 1. As for security, a Kerberos ticket in memory can be taken, and that session key
>> can be used to gain access everywhere. This is primarily because the plan is to use the solution in the cloud.
> 
> You can use Kerberos in the cloud. It is not worse or better than certs.
> If you can read memory of a machine you can (potentially) read its keys.
> But this is the general risk that you take going into the cloud regardless whether you use PKI or Kerberos.
> 
> In general you do not want to store long term keys in the images but rather add them on the fly when the system is instantiated.
> The ipa-client-install with OTP registration code provides this capability.
> 
> It seems that you are trying to overcomplicate things for no obvious reason.
> If you need help with picking a better approach, let us know what exactly you are trying to accomplish.
> 
>> 
>> 2. Can I disable DNS as well, and have IPA run only LDAP, SSH key rotation and PKI?
>> 
>> 3. During the install, DNS and Kerberos are getting installed and configured.
>> 
>> I would really appreciate if you can get back.
>> 
>> Thank you
>> Gokul
>> Sent from iPhone
>> 
>>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>> 
>>> On 03/29/2015 11:50 AM, Gokul wrote:
>>>> Hi,
>>>> 
>>>> I tried to run some of my use cases with FreeIPA.
>>>> 
>>>> Have FreeIPA do only SSH key management in LDAP and PKI management.
>>>> 
>>>> I understand that every request is Kerberized and that DNS is a must-have configuration.
>>>> 
>>>> Can I have FreeIPA to run only SSH Key management with LDAP and a PKI server with dogtag?
>>>> 
>>>> Thank you
>>>> Gokul
>>> You can't turn off Kerberos. You would need Kerberos for administration.
>>> But other clients can take advantage of LDAP and SSH only.
>>> However you are significantly limiting your functionality and capabilities.
>>> Kerberos is really the key to the solution.
>>> 
>>> What is the reason you try to avoid using it?
>>> 
>>> 
>>> -- 
>>> Thank you,
>>> Dmitri Pal
>>> 
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>> -- 
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 
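The OTP-based enrolment Dmitri refers to (registering a host with a one-time password at instantiation instead of baking a keytab into the image), as an added example that is not part of the thread and not FreeIPA's own code. `ipa host-add --random` and `ipa-client-install --password` are real commands; the hostnames, domain, realm, server name and the sample `host-add` output are constructed assumptions. On the DNS question: the integrated DNS server is only set up when `ipa-server-install` is asked to (`--setup-dns`), and a client given `--server` and `--domain` explicitly, as below, does not depend on IPA-served SRV records for discovery.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA itself.
# Enrol a cloud instance with a one-time password (OTP) minted per host,
# so no long-term keytab ever lives in the image. Names below are assumptions.
set -eu

IPA_SERVER="ipa.example.test"   # assumption
IPA_DOMAIN="example.test"       # assumption
IPA_REALM="EXAMPLE.TEST"        # assumption

# Pull the OTP out of the output of `ipa host-add --random <host>`,
# which prints a line of the form "  Random password: <value>".
extract_otp() {
    awk -F': ' '/^ *Random password:/ { print $2; exit }'
}

# Build the enrolment command for the instance. --server/--domain/--realm are
# passed explicitly, so the client needs no IPA-served DNS SRV records to find
# the server; --password is the OTP, which is consumed on first use.
enroll_cmd() {
    printf 'ipa-client-install --unattended --hostname %s --domain %s --realm %s --server %s --password %s' \
        "$1" "$IPA_DOMAIN" "$IPA_REALM" "$IPA_SERVER" "$2"
}

# Wrap the command as cloud-init user-data handed to the instance at boot.
cloud_init_userdata() {
    printf '#cloud-config\nfqdn: %s\nruncmd:\n  - %s\n' "$1" "$(enroll_cmd "$1" "$2")"
}

# Server-side step (needs an admin Kerberos ticket; not run here):
#   otp=$(ipa host-add --random web1.example.test | extract_otp)
# Constructed sample of that command's output, so the script runs offline:
SAMPLE_HOST_ADD_OUTPUT='-------------------------------
Added host "web1.example.test"
-------------------------------
  Host name: web1.example.test
  Random password: 2xA9eQ7k1R
  Principal name: host/web1.example.test@EXAMPLE.TEST'

demo() {
    otp=$(printf '%s\n' "$SAMPLE_HOST_ADD_OUTPUT" | extract_otp)
    cloud_init_userdata web1.example.test "$otp"
}

demo
```

The OTP is single-use and tied to one host entry, so a snapshot of the instance taken after enrolment contains only that host's own keytab, not a bootstrap secret that would enrol further machines; the image itself carries nothing.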
