Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Dmitri Pal
On 03/11/2013 07:43 AM, Dale Macartney wrote:
>
>
> On 03/11/2013 11:39 AM, Christian Horn wrote:
>
>
>
> > Dale Macartney wrote:
> >>
> >> On 03/11/2013 11:04 AM, Christian Horn wrote:
> >>>
> >>> How about having service-add/ipa-getkeytab done on the server,
> >> and having the keytab deployed onto the client system using scp from
> >> the server, or via config management?
> >> That definitely gets around security concerns, however still requires
> >> some manual intervention... the keytab could be pushed using config
> >> management, but generating it in the first place still requires work as
> >> a trusted user.
>
> > Yes, but this could be automated.
> > If you deploy i.e. with cobbler there were IIRC hooks so one can do
> > serverside tasks, as soon as a system gets added. So the secret could
> > be embedded in a script there.
> In my current lab, I just use my own script which pushes api calls to
> rhev to deploy machines. I know there is a way to use a user keytab to
> auth to IPA. I could do that and have my provisioning script push the
> necessary admin commands and leave the client to pull to the client
> during %post...
>
> I guess it depends on the provisioning model within the organisation.


For the things to work right the provisioning service MUST have some
behind the scenes interaction with IPA. This is what we always had in mind.
Let us say that provisioning system is called P.

Setup:
1) Create a principal for P
2) Provision keytab for P
3) Make P use IPA interfaces authenticating as P principal using keytab
4) Make sure P has the right permissions to manage other hosts
5) Make P store IPA public cert

Provisioning sequence:
1) User/script requests provisioning of a system
2) P connects to IPA and creates a host entry in IPA, an OTP is returned
back
3) P provides IPA public cert for the new machine
4) P inserts OTP into the kickstart for the system to join IPA
5) If provision of the identity fails P should disable host in IPA to
make sure that the OTP has not been stolen and used to provision some
other fake system.

This is how things "should work" in a perfect world.


>
>
>
> > Christian
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.





___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
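Dmitri's setup and provisioning sequence above, written out as an added example that is not code from the thread, and the counterpart to the admin-password %post quoted later in this thread. It assumes a principal and keytab for P, the example.com domain and a kickstart output path; where step 5 says "disable", it deletes the pending host entry so the unused OTP is discarded with it.

```shell
#!/bin/sh
# Added example, not code from the thread: the provisioning system "P" in
# Dmitri's sequence enrols a new host with a one-time password (OTP).
# Assumed: P's principal and keytab names, the domain, the kickstart path.
set -eu

IPA_SERVER="ds01.example.com"          # the server named in the thread
IPA_DOMAIN="example.com"               # assumed
P_PRINCIPAL="P/provision.example.com"  # assumed principal created for P
P_KEYTAB="/etc/ipa/P.keytab"           # assumed; readable only by P

# Setup step 3: P authenticates from its keytab, never with the admin password.
p_kinit() { kinit -kt "$P_KEYTAB" "$P_PRINCIPAL"; }

# Pull the OTP out of `ipa host-add --random` output ("Random password: ...").
parse_otp() { printf '%s\n' "$1" | sed -n 's/^ *Random password: *//p'; }

# Sequence step 2: create the host entry; IPA returns a random OTP.
create_host() { parse_otp "$(ipa host-add "$1" --random)"; }

# Sequence steps 3 and 4: the %post carries only the IPA CA cert and the OTP,
# so no admin credential is ever written into the kickstart.
render_post() {
    host="$1"; otp="$2"; ca_cert="$3"
    cat <<EOF
%post
cat > /root/ipa-ca.crt <<'CERT'
$ca_cert
CERT
ipa-client-install --unattended --hostname=$host --server=$IPA_SERVER --domain=$IPA_DOMAIN --ca-cert-file=/root/ipa-ca.crt --password='$otp'
%end
EOF
}

# Sequence step 5: a host that never finished joining is removed, so a leaked
# OTP cannot be used to enrol an impostor. "Keytab: True" means the join completed.
enrolled() { ipa host-show "$1" | grep -q 'Keytab: True'; }
revoke_host() { ipa host-del "$1"; }

provision() {
    p_kinit
    otp=$(create_host "$1")
    render_post "$1" "$otp" "$(cat /etc/ipa/ca.crt)" > "/var/lib/ks/$1.ks"
    enrolled "$1" || revoke_host "$1"   # run after the installer has finished
}

# Constructed sample of `ipa host-add --random` output, for offline checks.
SAMPLE_HOST_ADD='  Host name: mail01.example.com
  Random password: 3qV8vD2kXz7RmA
  Password: True'
```

The generated kickstart is only as secret as the OTP it carries, which is why the delete-on-failure step matters: an OTP that is never consumed should not stay valid.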

Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Dale Macartney



On 03/11/2013 11:39 AM, Christian Horn wrote:
>
>
>
> Dale Macartney wrote:
>>
>> On 03/11/2013 11:04 AM, Christian Horn wrote:
>>>
>>> How about having service-add/ipa-getkeytab done on the server,
>> and having the keytab deployed onto the client system using scp from
>> the server, or via config management?
>> That definitely gets around security concerns, however still requires
>> some manual intervention... the keytab could be pushed using config
>> management, but generating it in the first place still requires work as
>> a trusted user.
>
> Yes, but this could be automated.
> If you deploy i.e. with cobbler there were IIRC hooks so one can do
> serverside tasks, as soon as a system gets added. So the secret could
> be embedded in a script there.
In my current lab, I just use my own script which pushes api calls to
rhev to deploy machines. I know there is a way to use a user keytab to
auth to IPA. I could do that and have my provisioning script push the
necessary admin commands and leave the client to pull to the client
during %post...

I guess it depends on the provisioning model within the organisation.

>
>
> Christian
>



Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Christian Horn



Dale Macartney wrote:
> 
> On 03/11/2013 11:04 AM, Christian Horn wrote:
> >
> > How about having service-add/ipa-getkeytab done on the server,
> > and having the keytab deployed onto the client system using scp from
> > the server, or via config management?
> That definitely gets around security concerns, however still requires
> some manual intervention... the keytab could be pushed using config
> management, but generating it in the first place still requires work as
> a trusted user.

Yes, but this could be automated.
If you deploy i.e. with cobbler there were IIRC hooks so one can do
serverside tasks, as soon as a system gets added.  So the secret could
be embedded in a script there.

Christian


Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Dale Macartney



On 03/11/2013 11:04 AM, Christian Horn wrote:
> Hoi,
>
> Dale Macartney wrote:
>>
>> I'm open to hearing some opinions and thoughts on the best way to
>> auto-provision service principals in an environment with a 100%
>> autonomous build process.
>>
>> Let's say for example, I wanted to provision a mail server and configure
>> dovecot SSO in the same process.
>>
>> Obviously something like this would be terrible in a production
>> environment as having this in the %post of a kickstart gives away the
>> admin password
>>
>> %post
>> echo redhat123 | kinit admin --
>> ipa service-add imap/$(hostname)
>> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
>>
>> Is there a more secure way to perform such a task via kickstart or
>> other provisioning method?
>
> How about having service-add/ipa-getkeytab done on the server,
> and having the keytab deployed onto the client system using scp from
> the server, or via config management?
That definitely gets around security concerns, however still requires
some manual intervention... the keytab could be pushed using config
management, but generating it in the first place still requires work as
a trusted user.

>
>
> Christian
>



Re: [Freeipa-users] Discussion: What would be the best way to create service principles via provisioning

2013-03-11 Thread Christian Horn
Hoi,

Dale Macartney wrote:
> 
> I'm open to hearing some opinions and thoughts on the best way to
> auto-provision service principals in an environment with a 100%
> autonomous build process.
> 
> Let's say for example, I wanted to provision a mail server and configure
> dovecot SSO in the same process.
> 
> Obviously something like this would be terrible in a production
> environment as having this in the %post of a kickstart gives away the
> admin password
> 
> %post
> echo redhat123 | kinit admin --
> ipa service-add imap/$(hostname)
> ipa-getkeytab -s ds01.example.com -p imap/$(hostname) -k /etc/dovecot/krb5.keytab
> 
> Is there a more secure way to perform such a task via kickstart or
> other provisioning method?

How about having service-add/ipa-getkeytab done on the server,
and having the keytab deployed onto the client system using scp from
the server, or via config management?

Christian
