Re: [Freeipa-users] Client Certificate
Yes Dmitri, these two hints would definitely help; the servers are not 4.x yet though.

On 19 September 2014 23:14, Dmitri Pal d...@redhat.com wrote:
> On 09/19/2014 04:03 PM, Walid wrote:
>> Thank you all, will investigate the requirements of host keytabs, and if there is a way around it by having it shared but secure for our context.
>
> A couple of hints.
>
> 1. If you have a keytab stashed and the system was rebuilt, you can now rerun ipa-client-install using this keytab to get a new one and configure the client system. It can run and then die, but if you store the keytab after running ipa-client-install you would be able to revive it next time.
>
> 2. In 4.1 you will be able to retrieve the same keytab using the ipa-getkeytab command. It is implemented to allow clusters that have to share the same key, but it might be applicable to your use case too.
>
> Thanks
> Dmitri
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Client Certificate
On 09/19/2014 04:03 PM, Walid wrote:
> Thank you all, will investigate the requirements of host keytabs, and if there is a way around it by having it shared but secure for our context.

A couple of hints.

1. If you have a keytab stashed and the system was rebuilt, you can now rerun ipa-client-install using this keytab to get a new one and configure the client system. It can run and then die, but if you store the keytab after running ipa-client-install you would be able to revive it next time.

2. In 4.1 you will be able to retrieve the same keytab using the ipa-getkeytab command. It is implemented to allow clusters that have to share the same key, but it might be applicable to your use case too.

Thanks
Dmitri

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
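The re-enrollment from a stashed keytab in Dmitri's first hint only works if the stash really is this node's current host key, and it is only safe if nobody else could read it while it sat on the provisioning server. The script below is an added example, not code from the thread, FreeIPA or SSSD: it decodes the MIT v2 keytab format itself (so it can run on a provisioning host without krb5 tools), confirms the file contains host/<fqdn>@<REALM> for the node being rebuilt, reports only the newest kvno, and provides a pure permission check meant to be wired to os.stat() on the stash. The host name node01.example.com, the realm EXAMPLE.COM, the kvno values and the key bytes are constructed sample data.

```python
"""Inspect a stashed IPA host keytab before reusing it to re-enroll a rebuilt node.
Added example, not FreeIPA code or code from this thread; it reads the MIT keytab v2
layout (magic 0x05 0x02) directly. All sample data (host, realm, kvno, keys) is constructed."""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1  # name type written for host/... principals

@dataclass
class KeytabEntry:
    principal: str  # e.g. host/node01.example.com@EXAMPLE.COM
    kvno: int
    enctype: int    # 18 = aes256-cts-hmac-sha1-96, 17 = aes128-cts-hmac-sha1-96
    timestamp: int
    key: bytes

def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a v2 keytab; holes left by deleted entries are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a v2 keytab (bad magic)")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # negative size marks a hole of -size bytes
            off += -size
            continue
        e, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", e, p); p += 2
        realm, p = _counted(e, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", e, p); p += 9
        enctype, klen = struct.unpack_from(">HH", e, p); p += 4
        key, p = e[p:p + klen], p + klen
        kvno = vno8
        if p + 4 <= len(e):  # optional 32-bit kvno; non-zero overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", e, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts, key))
        off += size
    return entries

def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same v2 layout; used here only to construct the sample file."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm, *comps]:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # 32-bit kvno so values above 255 survive
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def check_host_keytab(data: bytes, fqdn: str, realm: str) -> List[KeytabEntry]:
    """Return the current host/<fqdn>@<REALM> entries, or raise if this stash cannot re-enroll the node."""
    wanted = f"host/{fqdn}@{realm}"
    entries = parse_keytab(data)
    mine = [e for e in entries if e.principal == wanted]
    if not mine:
        found = sorted({e.principal for e in entries})
        raise ValueError(f"{wanted} not in keytab (holds {found}): stashed from another host?")
    # A re-key appends entries with a higher kvno and leaves the old ones in the file;
    # only the newest kvno can match what the KDC holds, so report just those.
    newest = max(e.kvno for e in mine)
    return [e for e in mine if e.kvno == newest]

def keytab_file_problems(mode: int, uid: int) -> List[str]:
    """Checks for os.stat() results: a stash readable by others leaks a long-lived host credential."""
    problems = []
    if uid != 0:
        problems.append(f"owned by uid {uid}, expected root")
    if mode & 0o077:
        problems.append(f"mode {oct(mode & 0o777)} lets group/other read the host key")
    return problems

# Constructed sample: the two-enctype host keytab ipa-client-install leaves on a client.
SAMPLE_FQDN, SAMPLE_REALM = "node01.example.com", "EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(f"host/{SAMPLE_FQDN}@{SAMPLE_REALM}", 3, 18, 1411000000, bytes(range(32))),
    KeytabEntry(f"host/{SAMPLE_FQDN}@{SAMPLE_REALM}", 3, 17, 1411000000, bytes(range(16))),
])

if __name__ == "__main__":
    print(check_host_keytab(SAMPLE_KEYTAB, SAMPLE_FQDN, SAMPLE_REALM))
```

Once check_host_keytab passes on the stash, the first hint amounts to running ipa-client-install with its --keytab option pointing at that file on the rebuilt node. What the file alone cannot tell you is whether the host key was rotated on the server after the stash was taken, for instance by an enrollment that did not use it; then the kvno in the file is stale and the only fix is ipa-getkeytab, whose retrieve mode (-r) in 4.1 returns the existing key instead of issuing a new one, which is what the second hint refers to. Treat the stash as the long-lived host credential it is: whoever can read it can be that host.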
Re: [Freeipa-users] Client Certificate
Thank you all, will investigate the requirements of host keytabs, and if there is a way around it by having it shared but secure for our context.

On 18 September 2014 23:04, Dmitri Pal d...@redhat.com wrote:
> I think the main problem is making sure that the client can connect to the IPA server. You can elect to not use ipa-client and just copy configuration files. The problem is that SSSD requires some type of authentication to get to IPA as a host to do the lookups. So this connection must be authenticated.
>
> Since you want it to be stateless, you do not want to manage keys or certs; the only option (which I really do not like) is to use a bind password in a file for the LDAP connection. You would probably use the same unprivileged account for this bind. However, when we get to 4.x you would need to adjust permissions on the server side to make sure that proper read permissions are granted.
>
> Having a password in a file is a security risk, so make sure it is not leaked.
>
> --
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
[Freeipa-users] Client Certificate
Hi,

We are going to have a use case of diskless HPC clients that will use IPA for lookups. I was wondering if I can get rid of the statefulness of the client configuration as much as possible, as it is more of a cattle-than-pets use case: that is, I do not need to know that the client is part of the domain, no need to enroll a node with a certificate, and services will be mostly HPC MPI and ssh, not required to have an SSL certificate for secure communication.

Is it possible to get rid of the client certificate and the requirement for clients to enroll? Or are there other uses for the certificate that I am not aware of?

regards
Walid
Re: [Freeipa-users] Client Certificate
Walid A. Shaari wrote:
> Hi, we are going to have a use case of diskless HPC clients that will use IPA for lookups. I was wondering if I can get rid of the statefulness of the client configuration as much as possible, as it is more of a cattle-than-pets use case: that is, I do not need to know that the client is part of the domain, no need to enroll a node with a certificate, and services will be mostly HPC MPI and ssh, not required to have an SSL certificate for secure communication. Is it possible to get rid of the client certificate and the requirement for clients to enroll? Or are there other uses for the certificate that I am not aware of?

Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream.

rob
Re: [Freeipa-users] Client Certificate
Great Rob, would that still be doable with RHEL5 and RHEL6 IPA 2 and 3 clients?

On 18 September 2014 17:43, Rob Crittenden rcrit...@redhat.com wrote:
> Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream.
>
> rob
Re: [Freeipa-users] Client Certificate
On Thu, 18 Sep 2014 18:49:44 +0300
Walid A. Shaari walid.sha...@linux.com wrote:
> Great Rob, would that still be doable with RHEL5 and RHEL6 IPA 2 and 3 clients?

The X509 certificate has always been provided as a commodity but never required. Keytabs are the only thing we require.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Client Certificate
Walid A. Shaari wrote:
> Great Rob, would that still be doable with RHEL5 and RHEL6 IPA 2 and 3 clients?

Sure, the cert isn't used anyway, but it isn't optional to have certmonger try to get one. If you really care you can run a command to tell certmonger to stop tracking the cert though:

  # ipa-getcert stop-tracking -d /etc/pki/nssdb -n 'IPA Machine Certificate - client.example.com'

That doesn't remove the certificate from the database. If you want to do that, do:

  # certutil -D -d /etc/pki/nssdb/ -n 'IPA Machine Certificate - client.example.com'

And you might want to revoke the cert. To do that you'd use:

  # ipa cert-revoke <serial number>

You need pretty high privileges to do that though (admin has them).

rob

> On 18 September 2014 17:43, Rob Crittenden rcrit...@redhat.com wrote:
>> Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream.
>>
>> rob
Re: [Freeipa-users] Client Certificate
hi,

On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream.

Do you mean IPA will not have a CA in the future? Or will it be optional? Or am I misunderstanding this :-) ? I quite like the CA stuff in IPA, actually.

--
Groeten,
natxo
Re: [Freeipa-users] Client Certificate
On Thu, 18 Sep 2014, Natxo Asenjo wrote:
> hi,
>
> On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream.
>
> Do you mean IPA will not have a CA in the future? Or will it be optional? Or am I misunderstanding this :-) ? I quite like the CA stuff in IPA, actually.

The host certificate is not used for anything right now, so it is removed in 4.x. All the rest is in place, and the CA can be an external one.

--
/ Alexander Bokovoy
Re: [Freeipa-users] Client Certificate
Natxo Asenjo wrote:
> hi,
>
> On Thu, Sep 18, 2014 at 4:43 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Yes, you don't need to obtain a machine certificate. In fact we have stopped doing this upstream.
>
> Do you mean IPA will not have a CA in the future? Or will it be optional? Or am I misunderstanding this :-) ? I quite like the CA stuff in IPA, actually.

No, don't worry, the CA isn't going anywhere :-)

On the client right now we retrieve a certificate for host identity and store it in /etc/pki/nssdb. We did this for future proofing, and here we are, pretty far in the future, and we've never used it. So we decided to stop generating it.

If on the off chance it turns out we're wrong and someone has actually found a use for that certificate, it can be quite easily generated using ipa-getcert after the client is enrolled.

rob
Re: [Freeipa-users] Client Certificate
On 09/18/2014 10:12 AM, Walid A. Shaari wrote:
> Hi, we are going to have a use case of diskless HPC clients that will use IPA for lookups. I was wondering if I can get rid of the statefulness of the client configuration as much as possible, as it is more of a cattle-than-pets use case: that is, I do not need to know that the client is part of the domain, no need to enroll a node with a certificate, and services will be mostly HPC MPI and ssh, not required to have an SSL certificate for secure communication. Is it possible to get rid of the client certificate and the requirement for clients to enroll? Or are there other uses for the certificate that I am not aware of?
>
> regards
> Walid

I think the main problem is making sure that the client can connect to the IPA server. You can elect to not use ipa-client and just copy configuration files. The problem is that SSSD requires some type of authentication to get to IPA as a host to do the lookups. So this connection must be authenticated.

Since you want it to be stateless, you do not want to manage keys or certs; the only option (which I really do not like) is to use a bind password in a file for the LDAP connection. You would probably use the same unprivileged account for this bind. However, when we get to 4.x you would need to adjust permissions on the server side to make sure that proper read permissions are granted.

Having a password in a file is a security risk, so make sure it is not leaked.

--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
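Dmitri's fallback for a stateless node is a configuration choice in sssd.conf, so the check a practitioner wants is one that reads that file and says how each domain actually authenticates to IPA, and what is exposed when the answer is a bind password. The script below is an added example, not code from the thread, SSSD or FreeIPA. It classifies each [domain/...] section as host keytab (ipa provider or SASL/GSSAPI), simple bind with a password in the file, or anonymous, and for the password case flags what Dmitri's warning implies: the password sits in the file in clear (or merely obfuscated), the bind account has to be a dedicated unprivileged one, and the bind has to travel over verified TLS. The two sssd.conf samples are constructed; the system account DN uid=hpc-lookup,cn=sysaccounts,cn=etc,dc=example,dc=com, the server names and the password are invented, while the option names are SSSD's own.

```python
"""Report how each SSSD domain authenticates to the IPA/LDAP backend.

Added example for the bind-password-in-a-file option discussed above; it is
not code from SSSD, FreeIPA or anyone in this thread. Both sssd.conf samples
are constructed; the DN, host names and password in them are not real.
"""
import configparser
from typing import Dict, List, Tuple

# Bind DNs that must never be used as a lookup account (prefix match, lower-cased).
PRIVILEGED_BIND_DNS = ("cn=directory manager", "uid=admin,")

FINDINGS = {
    "plaintext-password": "ldap_default_authtok is a plaintext password; it is only as safe as the 0600/root permissions on sssd.conf",
    "obfuscated-password": "obfuscated_password only hides the string from a casual read; it is reversible, not encrypted",
    "privileged-bind-dn": "bind DN is a privileged account; use a dedicated read-only system account under cn=sysaccounts,cn=etc",
    "cleartext-ldap": "ldap:// URI without ldap_id_use_start_tls=true: nothing forces TLS, so the simple bind can cross the wire in clear",
    "tls-reqcert-weak": "ldap_tls_reqcert weaker than hard/demand: the server certificate is not verified, so the bind can be intercepted",
    "anonymous-bind": "no keytab and no bind DN: lookups rely on anonymous access, which this thread says SSSD cannot use against IPA",
}


def classify_domain(sec: configparser.SectionProxy) -> Tuple[str, List[str]]:
    """Return (how the backend connection is authenticated, finding codes) for one [domain/...] section."""
    provider = sec.get("id_provider", "").lower()
    if provider == "ipa":
        return "host keytab via the ipa provider (node must be enrolled)", []
    if provider != "ldap":
        return f"id_provider={provider or '<unset>'} not covered here", []
    if sec.get("ldap_sasl_mech", "").upper() == "GSSAPI":
        return "keytab via SASL/GSSAPI over the ldap provider", []
    bind_dn = sec.get("ldap_default_bind_dn", "").strip()
    if not bind_dn:
        return "anonymous bind", ["anonymous-bind"]
    findings = []
    tok_type = sec.get("ldap_default_authtok_type", "password").lower()
    findings.append("obfuscated-password" if tok_type == "obfuscated_password" else "plaintext-password")
    if bind_dn.lower().startswith(PRIVILEGED_BIND_DNS):
        findings.append("privileged-bind-dn")
    if sec.get("ldap_uri", "").startswith("ldap://") and not sec.getboolean("ldap_id_use_start_tls", fallback=False):
        findings.append("cleartext-ldap")
    if sec.get("ldap_tls_reqcert", "hard").lower() not in ("hard", "demand"):  # sssd-ldap default is hard
        findings.append("tls-reqcert-weak")
    return "simple bind with a password stored in sssd.conf", findings


def audit_sssd_conf(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Parse sssd.conf text and classify every [domain/...] section."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    return {s: classify_domain(cfg[s]) for s in cfg.sections() if s.startswith("domain/")}


# Constructed sample 1: the stateful way, host keytab left by ipa-client-install.
KEYTAB_CONF = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
ipa_server = ipa1.example.com
ipa_domain = example.com
ipa_hostname = node01.example.com
"""

# Constructed sample 2: the stateless way Dmitri describes, password in the file.
PASSWORD_CONF = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ipa1.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = uid=hpc-lookup,cn=sysaccounts,cn=etc,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = not-a-real-secret
ldap_tls_cacert = /etc/ipa/ca.crt
"""

if __name__ == "__main__":
    for name, text in (("keytab", KEYTAB_CONF), ("bind password", PASSWORD_CONF)):
        for domain, (method, codes) in audit_sssd_conf(text).items():
            print(f"{name}: {domain}: {method}")
            for code in codes:
                print(f"  - {code}: {FINDINGS[code]}")
```

The plaintext-password finding is inherent to this option and is exactly the leak Dmitri warns about; the script cannot make it go away, only make sure the rest is tight: keep sssd.conf 0600 and root-owned, give the lookup account read-only rights (on 4.x servers those permissions have to be granted explicitly, as noted above), and never let the bind ride a cleartext or unverified connection.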
Re: [Freeipa-users] Client Certificate
hi,

On Thu, Sep 18, 2014 at 9:05 PM, Rob Crittenden rcrit...@redhat.com wrote:
> No, don't worry, the CA isn't going anywhere :-)
>
> On the client right now we retrieve a certificate for host identity and store it in /etc/pki/nssdb. We did this for future proofing, and here we are, pretty far in the future, and we've never used it. So we decided to stop generating it.
>
> If on the off chance it turns out we're wrong and someone has actually found a use for that certificate, it can be quite easily generated using ipa-getcert after the client is enrolled.

ok. I was thinking of starting a pilot with dot1.x, and host certificates are usually used for this, so it would be nice to have a cli switch during enrollment.

--
Groeten,
natxo
Re: [Freeipa-users] Client Certificate
Natxo Asenjo wrote:
> ok. I was thinking of starting a pilot with dot1.x, and host certificates are usually used for this, so it would be nice to have a cli switch during enrollment.

Ok, do you have a preference on where the cert would be installed? Currently it is added to /etc/pki/nssdb, but we were going to move it to /etc/ipa/nssdb before deciding to drop it altogether. I think if we restore the functionality we'll use the latter database.

I filed https://fedorahosted.org/freeipa/ticket/4550

rob
Re: [Freeipa-users] Client Certificate
On Thu, Sep 18, 2014 at 10:51 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Ok, do you have a preference on where the cert would be installed? Currently it is added to /etc/pki/nssdb, but we were going to move it to /etc/ipa/nssdb before deciding to drop it altogether. I think if we restore the functionality we'll use the latter database.
>
> I filed https://fedorahosted.org/freeipa/ticket/4550
>
> rob

Not really, although having all kinds of certificates in /etc/pki is convenient, or is where we all expect them to be ...

Thanks for taking the time to file the RFE, by the way.

--
Groeten,
natxo