Thanks for the update.
The reason for weighing in on the Kerberos option is to have it as an option to
disable if needed; security is more important. I had to say this because there
was a question on "why I would disable it".
I agree that the OTP should definitely provide some additional layer of
Let me test and reply back.
Sent from iPhone
> On Mar 30, 2015, at 7:48 AM, Dmitri Pal <d...@redhat.com> wrote:
>> On 03/29/2015 10:27 PM, Gokulnath wrote:
>> Thanks for getting back.
>> 1. As for security, the Kerberos ticket in memory can be taken, and that
>> session key
>> can be used to gain access everywhere. Primarily this is because the plan is
>> to use the solution in the cloud.
> You can use Kerberos in the cloud. It is not worse or better than certs.
> If you can read memory of a machine you can (potentially) read its keys.
> But this is the general risk that you take going into the cloud regardless
> whether you use PKI or Kerberos.
> In general you do not want to store long term keys in the images but rather
> add them on the fly when the system is instantiated.
> The ipa-client-install with OTP registration code provides this capability.
> It seems that you are trying to overcomplicate things with no obvious reason.
> If you need help with picking a better approach, let us know what exactly you
> are trying to accomplish.
>> 2. Can I disable DNS as well? And have IPA run only LDAP, SSH key
>> rotation and PKI?
>> 3. As during the install, DNS and Kerberos are getting installed and
>> I would really appreciate it if you can get back.
>> Thank you
>> Sent from iPhone
>>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>> On 03/29/2015 11:50 AM, Gokul wrote:
>>>> I have tried to run some of my use cases with FreeIPA.
>>>> Have FreeIPA do only SSH key management in LDAP and PKI management.
>>>> I understand that every request is Kerberized and that DNS is a must.
>>>> Can I have FreeIPA run only SSH key management with LDAP and a PKI
>>>> server with Dogtag?
>>>> Thank you
>>> You can't turn off Kerberos. You would need Kerberos for administration.
>>> But other clients can take advantage of LDAP and SSH only.
>>> However, you are significantly limiting your functionality and capabilities.
>>> Kerberos is really the key of the solution.
>>> What is the reason you are trying to avoid using it?
>>> Thank you,
>>> Dmitri Pal
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>> Manage your subscription for the Freeipa-users mailing list:
>>> Go to http://freeipa.org for more info on the project
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.