On 01/26/2012 08:54 AM, Adam Young wrote:
> On 01/24/2012 09:11 PM, ~Stack~ wrote:
>> Crud. This looks like it could be difficult. I don't preserve anything
>> on those machines. At least not right now...
> It is a boot strap issue.  For a shared nothing boot like you are
> doing,  there needs to be a way for the new machine to securely get its
> identity.
> 
> Ideally, PXE boot would give you the option to somehow store a private
> key in the BIOS and present a certificate during boot.  If it did that,
> you could then set up a secure way to tell the IPA server "I am still
> who I claimed I was before" and fetch all of your secure data during the
> start up process.
> 
> Assuming your data center is locked down and a rouge machine cannot PXE
> boot on your local interface,  what you would need is probably a way to
> push down a one time password to the booting machine so that it could
> then use that to refetch its keytab from the IPA server.  Not something
> currently supported (only happens during register).
> 
> You can unregister and then register the machines when you reboot them. 
> I am pretty sure that you don't really  want to do that, though.

Thanks for the reply.

I actually had a spark pop into my head last night as I was trying to
doze off to sleep. Tried it today and it works rather well. I realize
there are probably a few security risks here, but it is the best I have
come up with so far and I have done my best to mitigate the obvious ones.

I have declared in my dhcpd that only certain MAC addresses can PXEboot.
This is working well and non-defined MAC's are not able to PXEboot.

In my kickstart file, that is pushed out over the PXEboot, I have an SSH
key inside. That key only authenticates against an account that is
configured with scponly[1] and the account is locked down for read only.
During the kickstart post script section, I have the box pull down the
settings it needs from a `hostname`.tgz file over scp.

[1] https://github.com/scponly/scponly/wiki

I haven't figured out all the settings that IPA needs, but pulling the
host identifiers, the ntp config, ect works really well for the time being.

Is there a handy list of conf files that I need to bundle up? I looked
for such a list and saw mention of various files in various places but
not a complete list. Have I just missed that in my search-fu?

Thanks again!
~Stack~

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to