On 01/26/2012 08:54 AM, Adam Young wrote:
> On 01/24/2012 09:11 PM, ~Stack~ wrote:
>> Crud. This looks like it could be difficult. I don't preserve anything
>> on those machines. At least not right now...
> It is a bootstrap issue. For a shared-nothing boot like you are
> doing, there needs to be a way for the new machine to securely get its
> identity.
>
> Ideally, PXE boot would give you the option to somehow store a private
> key in the BIOS and present a certificate during boot. If it did that,
> you could then set up a secure way to tell the IPA server "I am still
> who I claimed I was before" and fetch all of your secure data during the
> start-up process.
>
> Assuming your data center is locked down and a rogue machine cannot PXE
> boot on your local interface, what you would need is probably a way to
> push down a one-time password to the booting machine so that it could
> then use that to refetch its keytab from the IPA server. Not something
> currently supported (only happens during register).
>
> You can unregister and then register the machines when you reboot them.
> I am pretty sure that you don't really want to do that, though.
Thanks for the reply. I actually had a spark pop into my head last night as I was trying to doze off to sleep. Tried it today and it works rather well. I realize there are probably a few security risks here, but it is the best I have come up with so far and I have done my best to mitigate the obvious ones.

I have declared in my dhcpd that only certain MAC addresses can PXEboot. This is working well and non-defined MACs are not able to PXEboot.

In my kickstart file, which is pushed out over the PXEboot, I have an SSH key inside. That key only authenticates against an account that is configured with scponly[1], and the account is locked down for read-only access. During the kickstart post script section, I have the box pull down the settings it needs from a `hostname`.tgz file over scp.

[1] https://github.com/scponly/scponly/wiki

I haven't figured out all the settings that IPA needs, but pulling the host identifiers, the ntp config, etc. works really well for the time being. Is there a handy list of conf files that I need to bundle up? I looked for such a list and saw mention of various files in various places, but not a complete list. Have I just missed that in my search-fu?

Thanks again!
~Stack~
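The kickstart %post flow described in the message above (embedded SSH key, read-only scponly account, `hostname`.tgz fetched over scp), written out as an added example. This is not the poster's script and not part of FreeIPA or scponly; the host name configbox.example.com, the account confpull, the key path, and the .sha256 sidecar convention are assumptions. Beyond what the message states, the example pins the drop box's SSH host key in a dedicated known_hosts file (otherwise a rogue host answering on the PXE segment could feed the booting machine a bundle of its choosing), checks the bundle against a checksum sidecar, refuses archives with absolute or `..` paths, and destroys the bootstrap key once the bundle is unpacked.

```shell
#!/bin/bash
# Added example of a kickstart %post bootstrap, not the poster's code.
# Assumed names: CONFIG_HOST, CONFIG_USER, KEY_FILE, KNOWN_HOSTS and the
# "<hostname>.tgz.sha256" sidecar are all hypothetical conventions.
set -eu

CONFIG_HOST="${CONFIG_HOST:-configbox.example.com}"   # assumed scponly server
CONFIG_USER="${CONFIG_USER:-confpull}"                # assumed scponly account
KEY_FILE="${KEY_FILE:-/root/.ssh/bootstrap_key}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/root/.ssh/bootstrap_known_hosts}"

# Install the bootstrap private key with tight permissions. In a real
# kickstart the key body is embedded in the %post section; here it is
# read from stdin so the function can be exercised with any content.
install_bootstrap_key() {
    local key_file="$1"
    install -d -m 0700 "$(dirname "$key_file")"
    ( umask 077; cat > "$key_file" )
    chmod 0600 "$key_file"
}

# Fetch <hostname>.tgz and its .sha256 sidecar from the read-only account.
# The drop box's host key is pinned in KNOWN_HOSTS (written to the image
# alongside the key); StrictHostKeyChecking=yes refuses any other host.
# Prints the local path of the bundle.
fetch_bundle() {
    local host="$1" dest_dir="$2"
    local name
    name="$(hostname -s)"
    scp -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        -o IdentitiesOnly=yes -i "$KEY_FILE" \
        "${CONFIG_USER}@${host}:${name}.tgz" \
        "${CONFIG_USER}@${host}:${name}.tgz.sha256" \
        "$dest_dir/"
    printf '%s/%s.tgz\n' "$dest_dir" "$name"
}

# Verify the bundle against its sidecar, reject unsafe member paths, then
# unpack it under $root. Returns 1 on a checksum mismatch or an archive
# containing an absolute path or a ".." component.
apply_bundle() {
    local bundle="$1" root="$2"
    local expected actual
    expected="$(cut -d' ' -f1 "$bundle.sha256")"
    actual="$(sha256sum "$bundle" | cut -d' ' -f1)"
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $bundle" >&2
        return 1
    fi
    if tar -tzf "$bundle" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing archive with unsafe member paths" >&2
        return 1
    fi
    tar -xzf "$bundle" -C "$root"
}

# Remove the bootstrap key once the bundle is in place so it does not
# survive on the installed system.
cleanup_bootstrap_key() {
    shred -u "$KEY_FILE" 2>/dev/null || rm -f "$KEY_FILE"
}

# Full sequence as it would run from %post (needs the real key on stdin):
#   install_bootstrap_key "$KEY_FILE" < /path/to/embedded/key
#   bundle="$(fetch_bundle "$CONFIG_HOST" /tmp)"
#   apply_bundle "$bundle" /
#   cleanup_bootstrap_key
```

The MAC allow-list on the dhcpd side is not shown; note that a MAC address is trivially spoofable, which is why the example does not rely on it alone and pins the server's host key instead of accepting whatever answers on the segment.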
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users