Re: Func and kerberos

Apparently my last reply was off-list, so here it is...it's basically what Seth said, though I wrote it without reading his. Seth keyed in on a couple of different points too.

[snip]

Any datacenter distribution system leaves some room for basic MITM at provisioning time because there is a need for automation. The tradeoffs [in func's implementation] are minimal. Admins know this. Sneakernet and highly manual/fiddly solutions are right out. For instance, it would be possible to MITM a kickstart server. Oh no! You could install anything! Exactly. [More simply: Your machine is an unintelligent piece of metal and has to trust something].

I am assuming the case you are actually worried about is a func minion registering itself to the wrong master. This worry is not significant due to the aforementioned greater concerns -- if you have MITM problems, you can have problems even earlier in the provisioning cycle. Func's system (which is what puppet does, only more generically so) strikes a good balance of making things actually usable, and in datacenter provisioning cases is NOT a major security risk -- admins are aware of the tradeoffs. If you have MITM capability within your datacenter, lots more damage could be done. You have greater problems. Trust is required at provisioning time to achieve automation. [Non-automated provisioning setups for large datacenters/clusters are a non-starter].

This is supremely better than, say, trading SSH keys in kickstart files -- which many folks want to do already. That in itself is inherently insecure because of Anaconda's inability to do auth and https://. Again, the provisioning automation scenario reigns.

--Michael


