Thanks for the update.

The reason for weighing in on the Kerberos option is to have that as an option to 
disable if needed; security is more important. I had to say this because there 
was a question on "why I would disable it".

I agree that the OTP should definitely provide some additional layer of 
security.

Let me test and reply back.

Thanks again.

Gokul

Sent from iPhone

> On Mar 30, 2015, at 7:48 AM, Dmitri Pal <d...@redhat.com> wrote:
> 
> On 03/29/2015 10:27 PM, Gokulnath wrote:
>> Thanks for getting back.
>> 
>> 1. As for security, Kerberos tickets in memory can be taken, and that 
>> session key can be used to gain access everywhere. Primarily this is because 
>> the plan is to use the solution in the cloud.
> 
> You can use Kerberos in the cloud. It is not worse or better than certs.
> If you can read memory of a machine you can (potentially) read its keys.
> But this is the general risk that you take going into the cloud regardless 
> whether you use PKI or Kerberos.
> 
> In general you do not want to store long term keys in the images but rather 
> add them on the fly when the system is instantiated.
> The ipa-client-install with OTP registration code provides this capability.
> 
> It seems that you are trying to overcomplicate things with no obvious reason.
> If you need help with picking a better approach let us know what exactly you 
> are trying to accomplish.
> 
>> 
>> 2. Can I disable DNS as well, and have IPA run only LDAP, SSH key 
>> rotation and PKI?
>> 
>> 3. During the install, DNS and Kerberos are getting installed and 
>> configured.
>> 
>> I would really appreciate it if you can get back.
>> 
>> Thank you
>> Gokul
>> Sent from iPhone
>> 
>>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal <d...@redhat.com> wrote:
>>> 
>>> On 03/29/2015 11:50 AM, Gokul wrote:
>>>> Hi,
>>>> 
>>>> I tried to run some of my use cases with FreeIPA.
>>>> 
>>>> Have FreeIPA do only SSH key management in LDAP and PKI management.
>>>> 
>>>> I understand that every request is kerberized and that DNS is a must-have 
>>>> configuration.
>>>> 
>>>> Can I have FreeIPA to run only SSH Key management with LDAP and a PKI 
>>>> server with dogtag?
>>>> 
>>>> Thank you
>>>> Gokul
>>> You can't turn off Kerberos. You would need Kerberos for administration.
>>> But other clients can take advantage of LDAP and SSH only.
>>> However you are significantly limiting your functionality and capabilities.
>>> Kerberos is really the key of the solution.
>>> 
>>> What is the reason you try to avoid using it?
>>> 
>>> 
>>> -- 
>>> Thank you,
>>> Dmitri Pal
>>> 
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>> -- 
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
> 
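Dmitri's point above, that an image should carry no long-term Kerberos keys and that a host should instead enroll on first boot with a one-time password, can be sketched in a small POSIX shell script. The script below is an added example written for this thread, not code from FreeIPA or from either participant. It assumes the OTP is generated on an admin workstation with `ipa host-add --random` (a real FreeIPA command), handed to the instance out of band (for example through cloud-init user data, which is an assumption about the provisioning pipeline), and consumed on the instance by `ipa-client-install --password`; the server, domain and realm names are placeholders.

```shell
#!/bin/sh
# Added example: OTP-based FreeIPA client enrollment so that the cloud image
# itself never contains a keytab or other long-term key.
#
# Provisioning side (admin workstation, valid admin Kerberos ticket):
#   ipa host-add "$fqdn" --random
# creates the host entry and prints a single-use random password. The host has
# no keytab yet; the OTP is only good for one ipa-client-install run, and IPA
# clears it once the host has enrolled.

# Extracts the OTP from the `ipa host-add --random` output read on stdin.
# The command prints a line of the form "  Random password: <otp>".
parse_otp() {
    sed -n 's/^ *Random password: *//p'
}

# Runs the host registration and returns only the OTP, for the provisioning
# pipeline to pass to the new instance.
issue_host_otp() {
    fqdn="$1"
    ipa host-add "$fqdn" --random | parse_otp
}

# Instance side (first boot): composes the enrollment command line. Kept as a
# separate function so the composition can be checked without an IPA server.
# --unattended, --hostname, --server, --domain, --realm and --password are
# real ipa-client-install options.
build_enroll_cmd() {
    fqdn="$1"; otp="$2"; server="$3"; domain="$4"; realm="$5"
    printf 'ipa-client-install --unattended --hostname=%s --server=%s --domain=%s --realm=%s --password=%s\n' \
        "$fqdn" "$server" "$domain" "$realm" "$otp"
}

# Instance side (first boot): reads the OTP from a file dropped by the
# provisioning pipeline (assumed path, e.g. written by cloud-init), enrolls,
# then removes the file whether or not enrollment succeeded. Because the OTP
# is single-use, a copy that survives elsewhere is worthless once the host has
# its keytab; until then the file is the secret, so keep it root-only.
# Caveat: --password puts the OTP in the process list for the duration of the
# install; its single-use nature limits, but does not remove, that exposure.
enroll_on_first_boot() {
    otp_file="$1"; server="$2"; domain="$3"; realm="$4"
    fqdn="$(hostname -f)"
    otp="$(cat "$otp_file")"
    rc=0
    ipa-client-install --unattended --hostname="$fqdn" --server="$server" \
        --domain="$domain" --realm="$realm" --password="$otp" || rc=$?
    rm -f "$otp_file"
    return "$rc"
}

# Example invocation (placeholders; runs only where the ipa tools exist):
#   otp=$(issue_host_otp web1.example.test)          # on the admin workstation
#   enroll_on_first_boot /run/ipa-otp ipa.example.test example.test EXAMPLE.TEST
```

The split between `issue_host_otp` and `enroll_on_first_boot` mirrors the trust boundary Dmitri describes: the image is generic, the admin side decides which host identity is created, and the only secret that crosses into the instance is a one-time value that becomes useless after the first enrollment.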
