We distribute secrets via configuration management (in our case, via Cfengine).

During the first reboot after FAI, the Cfengine client registers itself with the Cfengine server and pulls its credentials from a dedicated part of the repository. In Cfengine, it is possible to restrict the allowed IP addresses for self-registration as well as for repository access. Each host is assigned a dedicated host-specific "secure repository" where all credentials are stored, to which other clients do not have access.

So when a host is about to be installed, the host's IP address is manually enabled and immediately disabled after self-registration is complete.

This system is far from bulletproof, with the highest risk being a race condition during the self-registration phase of the client. All further repository access is authenticated and encrypted.

With a clever combination of timing and faking the IP address of the legitimate client, one could take advantage of this race condition. But even then, this would attract attention, because the legitimate client couldn't self-register anymore.

Another downside is that this system doesn't scale well. Credentials have to be placed manually for all hosts and hosts have to be enabled manually as well. We could write some kind of management interface to further automate this, but with about 70 hosts that are not reinstalled on a daily basis, there is simply no necessity for this.

Cheers,

Robert

On 07.07.22 at 08:12, Diego Zuccato wrote:
Hi all.

Is there a preferred way to pass a (different) secret to every host being installed?

Something to implement a workflow like:
- admin asks Salt to (re)install a host
- Salt handles shutdown and switch reconfiguration (OT)
- Salt tells FAIserver to enable install of given host
- FAI generates the secret and passes it back to Salt (or Salt generates the secret and passes it to FAI, as long as there's a shared secret)
- the host boots via network and installs as usual, saving/using the given secret
- FAI (or the reinstalled host) tells Salt reinstall is complete and Salt "cleans up" (reconfig switches & so on) (OT)

The only "solution" I could find is to save the secret in /srv/tftp/fai/pxelinux.cfg/C0A8xxyy in the append line, like FAI_FLAGS, FAI_CONFIG_SRC and FAI_ACTION, but since the append line can be at most 255 chars there's not much space... It's good just for very small "secrets" (that get transferred in the clear, hence the need to reconfigure the switches).

