I'm not sure how you would gain anything on the cert auto-signing.

In both cases, without some additional authorization, the assumption is
that DNS and/or DHCP are trusted and that the network is locked down.
Without that, you don't want to be auto-registering *anything*.

If you're already joining a machine to a Kerberos realm, then you're
probably either doing it at install time using a first layer authorization
subsystem (razor type install), or you're hopping on after the fact to
register the system, or you're using Puppet to do it.

Even the FreeIPA client registration requires someone with a valid Realm
trust to execute it or an embedded password that expires after the first
use that is snagged using Kickstart fun (and thus potentially
interceptable).

All in all, it's just a hard problem.


On Tue, Jun 11, 2013 at 6:54 PM, Wil Cooley <[email protected]> wrote:

>
> On Jun 5, 2013 12:18 PM, "Trevor Vaughan" <[email protected]> wrote:
> >
> > Given that you're going to be using client certs for encryption, why
> would you bother with Kerberos authentication?
>
> This is what I was wondering as I read this too. One benefit I could see
> (but at a much smaller scoped project) is the ability to securely auto-sign
> certs.
>
> If you're already joining a machine to a Kerberos realm, it would be one
> less step if you could use that trust to provide validation for signing
> Puppet's client cert. Might be a bigger win for Windows systems, where
> Kerberos is all but required.
>
> Wil
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/puppet-dev?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>



-- 
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699
[email protected]

-- This account not approved for unencrypted proprietary information --
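The single-use enrollment password Trevor describes above (a secret that is consumed on first use, so a later replay from a captured kickstart is refused) maps directly onto a policy-based autosign check on the Puppet CA. The Ruby below is an added example, not code from this thread or from Puppet itself. It assumes the interface of Puppet's policy autosign executable (the CA passes the requested certname as the first argument and the CSR in PEM on stdin; exit 0 means sign), assumes the agent carried the token in the pp_preshared_key CSR attribute (OID 1.3.6.1.4.1.34380.1.1.4), and substitutes a constructed in-memory token table for whatever the provisioning system would really write. The names build_csr, autosign_decision, preshared_key_from_csr and TOKEN_STORE are this example's own.

```ruby
require 'openssl'

# Assumption: Puppet's policy-based autosign hook gets the certname as ARGV[0]
# and the CSR PEM on stdin, and signs when the hook exits 0. Only the decision
# logic is shown here; wiring it to ARGV/STDIN is a one-liner in the hook.
PSK_OID = '1.3.6.1.4.1.34380.1.1.4' # pp_preshared_key CSR attribute OID

# Constructed token table: certname => one-time enrollment token. In a real
# deployment this is written by the provisioning system (one token per host,
# generated at provisioning time) and never placed where other hosts can read it.
TOKEN_STORE = {
  'node01.example.com' => 'c0ffee-one-time-token',
  'node02.example.com' => 'deadbeef-one-time-token',
}

# Compare two strings without leaking where they first differ.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pull the pp_preshared_key attribute out of a parsed CSR, or nil if absent.
def preshared_key_from_csr(csr)
  attr = csr.attributes.find { |a| a.oid == PSK_OID }
  return nil unless attr
  attr.value.value.first.value # ASN.1 SET { UTF8String } -> String
end

# Decide whether the CA should sign. The token is looked up by the certname
# the agent asked for, the CSR subject must carry that same name, and the
# token is deleted on first success, so a second presentation is refused.
def autosign_decision(certname, csr_pem, store)
  csr = OpenSSL::X509::Request.new(csr_pem)
  return false unless csr.verify(csr.public_key) # CSR self-signature must hold
  cn_entry = csr.subject.to_a.find { |name, _, _| name == 'CN' }
  return false unless cn_entry && cn_entry[1] == certname
  expected  = store[certname]
  presented = preshared_key_from_csr(csr)
  return false if expected.nil? || presented.nil?
  return false unless constant_time_equal?(expected, presented)
  store.delete(certname) # burn the token: single use
  true
end

# Build a CSR the way an agent would, with the token as a custom attribute.
# Used here only to exercise the check offline (constructed input).
def build_csr(certname, token)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  if token
    val = OpenSSL::ASN1::Set.new([OpenSSL::ASN1::UTF8String.new(token)])
    csr.add_attribute(OpenSSL::X509::Attribute.new(PSK_OID, val))
  end
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr.to_pem
end

if __FILE__ == $0
  store = TOKEN_STORE.dup
  pem = build_csr('node01.example.com', store['node01.example.com'])
  puts "first enrollment:  #{autosign_decision('node01.example.com', pem, store) ? 'sign' : 'reject'}"
  puts "replayed CSR:      #{autosign_decision('node01.example.com', pem, store) ? 'sign' : 'reject'}"
end
```

This narrows the window Trevor points at but does not close it: a token copied out of a kickstart is still good for exactly one enrollment, and whoever presents it first (the intended host or the interceptor) gets the certificate. Binding the token to a certname and burning it on use only makes a successful interception visible (the real host then fails to enroll) rather than preventing it; keeping the token out of anything readable on the network segment is still required.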
