<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/28/2013 12:24 PM, Charlie Derwent wrote:
<blockquote
cite="mid:CA+W6xevvchnXG8RVF219TJCe6ZYCjTZd-KSvNCRK5uSBeMd+Hg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Sep 3, 2013 at 4:50 PM,
Dmitri Pal <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote">
<div text="#000000" bgcolor="#FFFFFF">
<div class="im"> On 09/03/2013 04:21 AM, Innes, Duncan
wrote:
<blockquote type="cite">
<div><span><font face="Arial">Hi folks,</font></span></div>
<div><span></span> </div>
<div><span><font face="Arial">I've got a question
about kickstart enrollment with a one-time
password. Namely, is there any way that it
can be done *without* the one-time password?
</font></span><span><font face="Arial">We're
comfortable with the pre-creation of the host
in IPA, but just wonder if there's a way to
enrol without the one-time password. </font></span></div>
<div> </div>
<div><font face="Arial"><span>The estate is Red Hat
(mostly 6) and we deploy systems via kickstart
from the Satellite. Can the Satellite push
out a certificate from the IPA system that
would allow the client to enrol without the OTP?
Our enrollment script runs as part of the
kickstart postinstall with the OTP effectively
sitting in plain text in the script. Removing
the OTP would remove the plain text
authentication from this script, but I may be
opening other security holes as a result.</span></font></div>
<div><font face="Arial"><span></span></font> <br>
</div>
</blockquote>
</div>
Hello,<br>
<br>
<br>
There are 3 ways the host can be
enrolled:<br>
a) High level admin using his credentials (no need to
have a pre-created host)<br>
b) Lower level admin using his credentials (requires a
pre-created host)<br>
c) OTP based (requires a pre-created host)<br>
<br>
All provisioning methods that use static kickstart files
would have to have something injected into the
kickstart. OTP is the safest, and if leaked it can only be
used to provision this specific system. The fact that the
OTP was stolen can be detected easily: a failed
enrollment of the valid system combined with IPA logs
indicating that there was a successful enrollment of a
new host with the same name. The fact that an intruder was
able to join a machine into the IPA domain does not escalate
his privileges against other systems, and since it can be
easily caught, it is a risk but not a huge one.<br>
<br>
The right approach of course is not to have the OTP
stored in the kickstart but rather parameterized in some
way. In Satellite 6 (which we are looking at) this will
be done via Foreman and its smart proxies. The design is
not polished yet, but we hope that we will be able to
limit the exposure of the OTPs there. <br>
<br>
Also, a new provisioning method has been added in FreeIPA
3.2, mostly for re-provisioning: the ability to provision if
you already have a keytab.<br>
This method is sort of equivalent to what you are
asking for with a cert. But instead of the cert you would
need to get a keytab first by creating a host and then
using the ipa-getkeytab command and passing the keytab to the
kickstart. That can be done now and would address the
issue you are concerned about.<br>
</div>
</blockquote>
<div>Hi Dimitri (or anyone who knows),</div>
<div> </div>
<div>Is there any way, except for waiting for RHEL 6.5, to get
FreeIPA 3.2+ running in production? Really keen to get the
re-provisioning functionality up and running but don't
want to run it on Fedora. Also, can you generate a keytab
with ipa-getkeytab before you enrol a host, possibly when
you add a host to the ipa-server for the first time? Or is
the pattern: provision with OTP first, then back up the keytab
and provision with the keytab after?</div>
</div>
</div>
</div>
</blockquote>
<br>
Sorry I am a bit behind with the e-mails.<br>
<br>
1) 3.2 is in RHEL7, not 6.5<br>
2) If you need it earlier you/we would have to backport, but you need
to go via "official" channels for this to happen in RHEL<br>
3) AFAIR one should be able to add a host and then use
ipa-getkeytab for it, deliver the keytab to the host and use it for
enrollment. This should work. If not, IMO it is a bug. But I am not
sure why you need it. The flow is the same as with OTP but more
complex permissions-wise. I mean getting an OTP is simple, you can get
it as a part of the host add, while getting a keytab requires a separate
call and privileges to actually get the keytab for the host.<br>
<br>
<br>
<br>
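The detection heuristic Dmitri describes in the quoted message above (a successful enrollment of a host name followed by a failed enrollment of the legitimate system with the same name) can be checked on the server side. The following is an added example, not code from this thread or from FreeIPA; it parses a constructed, simplified join log (the real FreeIPA log layout differs) and reports hosts that show that pattern.

```python
"""Spot the OTP-theft signature described in the thread: the IPA server shows a
successful enrollment (join) for a host name, and later the legitimate machine's
enrollment with the same name fails because its one-time password is already used.
Added example, not FreeIPA code; the log format below is constructed and simplified."""
import re

# Constructed sample, one join attempt per line, in chronological order:
#   timestamp join host=fqdn src=ip result=SUCCESS|FAILURE
SAMPLE_LOG = """\
2013-09-03T09:12:01 join host=web01.example.test src=10.0.0.50 result=SUCCESS
2013-09-03T09:13:44 join host=web02.example.test src=10.0.0.51 result=SUCCESS
2013-09-03T09:20:10 join host=web01.example.test src=10.0.0.21 result=FAILURE
2013-09-03T09:21:03 join host=db01.example.test src=10.0.0.60 result=FAILURE
2013-09-03T09:25:12 join host=db01.example.test src=10.0.0.60 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(\S+) join host=(\S+) src=(\S+) result=(SUCCESS|FAILURE)$"
)


def parse_log(text):
    """Return join events as dicts, ignoring lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, src, result = m.groups()
            events.append({"ts": ts, "host": host, "src": src, "result": result})
    return events


def suspicious_enrollments(events):
    """Map a host name to the source that enrolled it and the sources whose later
    join attempts for that name failed. A failure before any success (db01 above)
    is a normal retry and is not reported."""
    enrolled_from = {}
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        host = ev["host"]
        if ev["result"] == "SUCCESS":
            enrolled_from.setdefault(host, ev["src"])
        elif host in enrolled_from:
            finding = findings.setdefault(
                host, {"enrolled_from": enrolled_from[host], "failed_from": []})
            finding["failed_from"].append(ev["src"])
    return findings


if __name__ == "__main__":
    for host, info in suspicious_enrollments(parse_log(SAMPLE_LOG)).items():
        print(host, "enrolled from", info["enrolled_from"],
              "then failed from", ", ".join(info["failed_from"]))
```

A hit where the failing source is the machine you actually kickstarted is the case Dmitri describes; the host entry can then be disabled and re-provisioned with a fresh OTP.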
<blockquote
cite="mid:CA+W6xevvchnXG8RVF219TJCe6ZYCjTZd-KSvNCRK5uSBeMd+Hg@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<div>Thanks,</div>
<div>Charlie </div>
<blockquote style="margin:0px 0px 0px
0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid"
class="gmail_quote">
<div text="#000000" bgcolor="#FFFFFF"> <br>
<br>
HTH<br>
<br>
Thanks,<br>
Dmitri<br>
<blockquote type="cite">
<div class="im">
<div><font face="Arial"><span>Cheers</span></font></div>
<div> </div>
<div align="left"><font face="Arial">Duncan Innes</font></div>
<div> </div>
</div>
<pre>_______________________________________________
Freeipa-users mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
<span class="HOEnZb"><font color="#888888"> </font></span></blockquote>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
</body>
</html>