This message was wrapped to be DMARC compliant. The actual message text is therefore in an attachment.
--- Begin Message ---
On Thursday, 7 July 2022 08:12:54 CEST Diego Zuccato wrote:
> Hi all.
>
> Is there a preferred way to pass a (different) secret to every host
> being installed?
>
> Something to implement a workflow like:
> - admin asks Salt to (re)install a host
> - salt handles shutdown and switch reconfiguration (OT)
> - salt tells FAIserver to enable install of given host
> - FAI generates the secret and passes it back to Salt (or Salt generates
> the secret and passes it to FAI, as long as there's a shared secret)
> - the host boots via network and installs as usual, saving/using the
> given secret
> - FAI (or the reinstalled host) tells Salt reinstall is complete and
> Salt "cleans up" (reconfig switches & so on) (OT)
>
> The only "solution" I could find is to save the secret in
> /srv/tftp/fai/pxelinux.cfg/C0A8xxyy in append line, like FAI_FLAGS,
> FAI_CONFIG_SRC and FAI_ACTION, but since append line can be at most 255
> chars there's not much space... It's good just for very small "secrets"
> (that get transferred in the clear, hence the need to reconfigure the
> switches).

I am asking at the beginning (with a script in `class` using dialog) for
username and password for the salt api and save a cookie which I later use
in a script to get the salt key for the host.

The relevant part in the cookie consists of 97 chars, and base64 encoded it
gets 134 chars; therefore it might still be too long.
Maybe encrypt the cookie file and pass the password for decryption, which
could be short enough.
Or just make the time the cookie is valid very short.

regards
Markus Köberl
--
Markus Koeberl
Graz University of Technology
Signal Processing and Speech Communication Laboratory
E-mail: [email protected]
--- End Message ---
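
The two constraints from the thread (an append line of at most 255 chars, and a value that crosses the network in the clear) can be handled with a short, single-use, short-lived token that the installing host later exchanges for the real secret. The following is an added example, not code from the thread, FAI or Salt; the INSTALL_TOKEN parameter, the TokenStore class, the TTL and the sample append line are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets, time

APPEND_MAX = 255  # append line limit as stated in the thread
# Constructed sample append line; values are illustrative only.
SAMPLE_APPEND = ("initrd=initrd.img ip=dhcp FAI_FLAGS=verbose,sshd "
                 "FAI_CONFIG_SRC=nfs://faiserver/srv/fai/config FAI_ACTION=install")

class TokenStore:
    """Server side (hypothetical): one pending install token per host."""
    def __init__(self, ttl=900):
        self.ttl = ttl
        self._pending = {}  # host -> (sha256 of token, expiry timestamp)

    def issue(self, host, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 128 random bits, 22 chars
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[host] = (digest, now + self.ttl)  # only the hash is stored
        return token

    def redeem(self, host, token, now=None):
        """True exactly once per issued token, and only before it expires."""
        now = time.time() if now is None else now
        entry = self._pending.get(host)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[host]
            return False
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).digest()):
            return False
        del self._pending[host]  # single use: a sniffed token cannot be replayed
        return True

def build_append(base, token, key="INSTALL_TOKEN"):
    """Add the token to the append line, refusing to exceed the length limit."""
    line = f"{base} {key}={token}"
    if len(line) > APPEND_MAX:
        raise ValueError(f"append line is {len(line)} chars, limit {APPEND_MAX}")
    return line

def token_from_cmdline(cmdline, key="INSTALL_TOKEN"):
    """Client side: pick the token out of the kernel command line text."""
    for word in cmdline.split():
        name, _, value = word.partition("=")
        if name == key:
            return value
    return None
```

On the installed host, token_from_cmdline would be fed the contents of /proc/cmdline; the redeem step belongs on whichever server hands out the real secret.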
