On 01/26/2012 08:54 AM, Adam Young wrote:
> On 01/24/2012 09:11 PM, ~Stack~ wrote:
>> Crud. This looks like it could be difficult. I don't preserve anything
>> on those machines. At least not right now...
> It is a bootstrap issue. For a shared-nothing boot like you are
> doing, there needs to be a way for the new machine to securely get its
> identity.
>
> Ideally, PXE boot would give you the option to somehow store a private
> key in the BIOS and present a certificate during boot. If it did that,
> you could then set up a secure way to tell the IPA server "I am still
> who I claimed I was before" and fetch all of your secure data during the
> start-up process.
>
> Assuming your data center is locked down and a rogue machine cannot PXE
> boot on your local interface, what you would need is probably a way to
> push down a one-time password to the booting machine so that it could
> then use that to refetch its keytab from the IPA server. Not something
> currently supported (only happens during register).
>
> You can unregister and then register the machines when you reboot them.
> I am pretty sure that you don't really want to do that, though.
Thanks for the reply. I actually had a spark pop into my head last night as I was trying to doze off to sleep. Tried it today and it works rather well. I realize there are probably a few security risks here, but it is the best I have come up with so far and I have done my best to mitigate the obvious ones.

I have declared in my dhcpd that only certain MAC addresses can PXEboot. This is working well and non-defined MACs are not able to PXEboot.

In my kickstart file, which is pushed out over the PXEboot, I have an SSH key inside. That key only authenticates against an account that is configured with scponly, and the account is locked down for read only. During the kickstart post script section, I have the box pull down the settings it needs from a `hostname`.tgz file over scp.

https://github.com/scponly/scponly/wiki

I haven't figured out all the settings that IPA needs, but pulling the host identifiers, the ntp config, etc. works really well for the time being. Is there a handy list of conf files that I need to bundle up? I looked for such a list and saw mention of various files in various places but not a complete list. Have I just missed that in my search-fu?

Thanks again!
~Stack~
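The kickstart %post pull described above, as an added example that is not ~Stack~'s own script: it assumes a provisioning host `ipa-files.example.com`, an scponly account `kspull`, and key/known_hosts paths written by the kickstart, and it adds checks the post does not mention, namely a pinned server host key, a SHA-256 digest of `hostname`.tgz baked into the kickstart, and a member-path check before unpacking over /.

```bash
#!/bin/bash
# Kickstart %post helper: added example, not ~Stack~'s actual script.
set -eu
PULL_HOST="ipa-files.example.com"            # assumed provisioning host
PULL_USER="kspull"                           # assumed read-only scponly account
KEY_FILE="/root/.ssh/kspull_key"             # private key embedded in the kickstart
KNOWN_HOSTS="/root/.ssh/kspull_known_hosts"  # server host key, also from the kickstart
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_PINNED_DIGEST}"  # placeholder digest

# Pull `hostname`.tgz over scp with the server host key pinned, so a rogue
# box answering on the PXE network cannot hand out its own bundle.
fetch_bundle() {
    host="$1"; dest="$2"
    scp -i "$KEY_FILE" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$KNOWN_HOSTS" \
        "$PULL_USER@$PULL_HOST:$host.tgz" "$dest"
}

# Return 0 if the bundle's SHA-256 matches the digest baked into the kickstart.
verify_bundle() {
    file="$1"; expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Return 0 if every member is a relative path with no ".." component, so
# unpacking into / can only touch the paths the bundle names (etc/...).
bundle_paths_safe() {
    file="$1"
    tar -tzf "$file" | grep -Eq '^/|(^|/)\.\.(/|$)' && return 1
    return 0
}

# Unpack the verified bundle over / (members look like etc/ntp.conf).
install_bundle() {
    file="$1"
    bundle_paths_safe "$file" || return 1
    tar -xzf "$file" -C /
}

# Invoke from the %post section with: main
main() {
    tmp=$(mktemp)
    fetch_bundle "$(hostname -s)" "$tmp"
    verify_bundle "$tmp" "$EXPECTED_SHA256" || { echo "bundle digest mismatch" >&2; exit 1; }
    install_bundle "$tmp"
}
```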
_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users