On 15/09/11 10:34, Bjorge Solli wrote:
> Hi,
>
> we use kerberos with keytabs on our clients. We do *not* trust root on
> the clients! One client should never have access to any other client's
> keytab. This is my proposed solution to get the keytabs to the clients,
> any comments welcome!
>
> 1. Use file to get /root/.ssh/authorized_keys
> 2. Use exported resource to let the client "notify" the server that it
> wants a keytab
> 3. On the serverside
> 3.1 Generate keytab (if not exist)
> 3.2 Push keytab using ssh with key
>
> Problems:
> 1. As far as I understand we can't use file to get the keytab as local
> root on clients then could get other client's keytabs. (solved in solution)
> 2. Reinstallation. How do I tell the server to push the key once more to
> the same client? (not solved in solution)
>
> A suggestion here is to use a custom fact => has or has not keytab.
>
> Any other suggestions?
A co-worker suggested using the certs with apache to deny access to all other than the requesting puppet client, and thus eliminate step 3.2 and problem 2 and negate problem 1 :-)

This will probably be our solution if no one has an even better idea.

Regards
Bjørge
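One way to realise the "certs with apache" idea from the reply above, as an added example that is not part of the original thread: an Apache 2.4 mod_ssl configuration that verifies each agent's Puppet-issued client certificate against the Puppet CA and lets a client download only the keytab whose file name equals its own certificate CN (the Puppet certname). The host name keytabs.example.com, the /srv/keytabs directory and the /var/lib/puppet/ssl paths are assumptions.

```apache
# Apache 2.4 + mod_ssl: serve /srv/keytabs/<certname>.keytab only to the
# Puppet agent whose client certificate carries that certname as its CN.
# Host name and file paths are assumptions for this example.
<VirtualHost *:443>
    ServerName keytabs.example.com

    SSLEngine on
    # Server identity: reuse the Puppet-issued certificate of this host.
    SSLCertificateFile      /var/lib/puppet/ssl/certs/keytabs.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/keytabs.example.com.pem

    # Accept only client certificates signed by the Puppet CA, and honour
    # the Puppet CA's CRL so a revoked (e.g. reinstalled) node is refused.
    SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLCARevocationCheck    chain
    SSLVerifyClient         require
    SSLVerifyDepth          1

    # Keytab files must be readable by the Apache user only (mode 0640,
    # group = Apache's group), never world-readable.
    DocumentRoot /srv/keytabs
    <Directory /srv/keytabs>
        Options None
        AllowOverride None
        # Authorisation: the request URI must be exactly "/<CN>.keytab",
        # where CN comes from the verified client certificate. Any other
        # path (another node's keytab, the directory itself, an encoded
        # or tampered URI) is refused with 403.
        Require expr "%{REQUEST_URI} == '/' . %{SSL_CLIENT_S_DN_CN} . '.keytab'"
    </Directory>

    # Keytabs are secrets: forbid caching on the way to the agent (mod_headers).
    Header always set Cache-Control "no-store"

    # Log which certname fetched what, and the status, for auditing.
    LogLevel warn ssl:warn
    CustomLog /var/log/apache2/keytabs.log "%t %h %{SSL_CLIENT_S_DN_CN}x %>s %U"
</VirtualHost>

# On an agent (same paths assumed), fetching its own keytab; asking for any
# other node's file name is answered with 403:
#   curl --cert   /var/lib/puppet/ssl/certs/$(hostname -f).pem \
#        --key    /var/lib/puppet/ssl/private_keys/$(hostname -f).pem \
#        --cacert /var/lib/puppet/ssl/certs/ca.pem \
#        -o /etc/krb5.keytab \
#        https://keytabs.example.com/$(hostname -f).keytab
```

Because authorisation is derived from the verified certificate rather than from anything the client sends in the request, a root user on one node holds nothing that identifies another node, which is the property the original post asks for.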
