Hi Jan, > Thanks a lot. So the actual command is secured. In order to secure > the NFS mount one can use NFS 4 which supports Kerberos for > encryption and authentication. Theoretically yes. In practice, I'm not sure if 'fai -N softupdate' does support the 'sec=krb5p' option or if it allows fallback on this option if the NFS server requests it. A quick glance through the FAI man pages didn't reveal anything helpful in this regard. Perhaps when establishing an Kerberos NFSv4 mount *before* running the fai softupdate would trick FAI into using the already established, secure connection? I'm not sure and it scales badly.
> Did anyone actually try such a fully secured setup and can report here? > > As for the initial installation process, I suppose it cannot be > secured fully. You would have to transfer the crypto keys to the > clients without using the network, i.e., manually. As far as I have > seen, FAI does not provide mechanisms for this. Right, you cannot secure the installation process. The TFTP protocol specification does not allow that (besides from practical challenges), and if using initramfs you are even stuck with NFSv3. Regarding the deployment of crypto keys: Many people use FAI with Cfengine. FAI installs the base system and then Cfengine handles all the rest. Granted, the learning curve of Cfengine is steep, but it can do *everything* for you, leading to a complete hands-off configuration management - including the secure distribution of secrets, if done right (the Cfengine protocol is always encrypted btw.). Cheers, Robert
