Hi Robert,

> > Thanks a lot. So the actual command is secured. In order to secure
> > the NFS mount one can use NFS 4 which supports Kerberos for
> > encryption and authentication.
>
> Theoretically yes. In practice, I'm not sure if 'fai -N softupdate' does
> support the 'sec=krb5p' option or if it allows fallback on this option
> if the NFS server requests it. A quick glance through the FAI man pages
> didn't reveal anything helpful in this regard.

I just didn't find anything, either. So I don't know if I really could use Kerberos underlying NFS in this way.

> Perhaps when establishing a Kerberos NFSv4 mount *before* running the
> fai softupdate would trick FAI into using the already established,
> secure connection? I'm not sure and it scales badly.

Maybe you could have a permanent NFSv4 mount, and then set FAI_CONFIG_SRC to some file://path URL? In this way, you would avoid the costs of repeatedly setting up the secure connection. The server would have to handle a large number of mounts, but most of them would be silent most of the time.

> Regarding the deployment of crypto keys: Many people use FAI with
> Cfengine. FAI installs the base system and then Cfengine handles all the
> rest. Granted, the learning curve of Cfengine is steep, but it can do
> *everything* for you, leading to a complete hands-off configuration
> management - including the secure distribution of secrets, if done right
> (the Cfengine protocol is always encrypted btw.).

Yes. I know someone who uses FAI with Puppet in a similar way. (He did not use CfEngine because he needed LDAP support, and that is available in the commercial version of CfEngine only.)

Regards,
Jan

-- 
Prof. Dr. Jan Bredereke
Hochschule Bremen, Fak. 4, Flughafenallee 10, D-28199 Bremen.
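An added example, not from the thread or from FAI itself, of the check a practitioner would want before following Jan's suggestion of a permanent NFSv4 mount plus a file:// FAI_CONFIG_SRC: confirm from /proc/mounts that the mount point really negotiated sec=krb5p (not sec=sys) before handing it to the softupdate. Mount points, server name and the /proc/mounts sample are constructed for the example, and it assumes FAI_CONFIG_SRC accepts a file:// URL as the mail proposes.

```sh
#!/bin/sh
# Constructed /proc/mounts sample so the example runs offline; the first mount
# was negotiated with Kerberos privacy, the second only with AUTH_SYS.
SAMPLE_MOUNTS='nfs.example.org:/srv/fai/config /mnt/fai-config nfs4 rw,relatime,vers=4.2,hard,proto=tcp,sec=krb5p,addr=192.0.2.1 0 0
nfs.example.org:/srv/fai/nfsroot /mnt/nfsroot nfs4 rw,relatime,vers=4.2,hard,proto=tcp,sec=sys,addr=192.0.2.1 0 0'

# mount_sec MOUNTPOINT [MOUNTS_TEXT]
# Print the sec= flavour of the NFS mount at MOUNTPOINT (nothing if not an NFS
# mount or no sec= option). MOUNTS_TEXT defaults to the live /proc/mounts.
mount_sec() {
  mp=$1
  text=${2:-$(cat /proc/mounts)}
  printf '%s\n' "$text" | awk -v mp="$mp" '
    $2 == mp && $3 ~ /^nfs/ {
      n = split($4, opts, ",")
      for (i = 1; i <= n; i++)
        if (opts[i] ~ /^sec=/) { sub(/^sec=/, "", opts[i]); print opts[i]; exit }
    }'
}

# config_src_if_krb5p MOUNTPOINT [MOUNTS_TEXT]
# Print the file:// URL for FAI_CONFIG_SRC only when the mount is krb5p
# (authenticated, integrity-protected and encrypted); otherwise refuse.
config_src_if_krb5p() {
  sec=$(mount_sec "$1" "$2")
  if [ "$sec" = "krb5p" ]; then
    printf 'file://%s\n' "$1"
    return 0
  fi
  printf 'refusing: %s is mounted with sec=%s, not krb5p\n' "$1" "${sec:-none}" >&2
  return 1
}

# Usage on a real client (output feeds the softupdate environment):
#   FAI_CONFIG_SRC=$(config_src_if_krb5p /mnt/fai-config) && export FAI_CONFIG_SRC
```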
