Re: C7, encryption, and clevis
On 06/08/18 12:01, m.roth@xxxxxxxxx wrote:
Valeri Galtsev wrote:
On 06/08/18 10:27, m.roth@xxxxxxxxx wrote:
John Hodrien wrote:
On Fri, 8 Jun 2018, m.roth@xxxxxxxxx wrote:
We've been required to encrypt h/ds, and so have been rolling that out
over the last year or so. Thing is, you need to put in a password, of
course, to boot the system. My manager found a way to allow us to
reboot without being at the system's keyboard, a package called
clevis. Works fine... except in a couple of very special cases.
On those systems, the problem is that, due to older software and *very*
expensive licenses that are tied to a MAC address, I have to spoof the
MAC address since my users got new(er) machines.
Clevis is trying to contact its password server, using the *real* MAC
address, but our DHCP has to serve the *spoofed* MAC address. I know,
from trying, that I can't have two entries for the same system. Can
anyone suggest a solution?
Nothing wrong with having two MAC addresses listed for one IP. With
ISC DHCP the label for a host has to be unique, but the hostname doesn't.
The IP's not the problem, it's dhcpd gagging on two entries, two MAC
addresses, for the same server name - think dhcpd.conf.local
When I have a machine that can come with different MAC addresses, and I
have to give it the same IP, here is what I have in the DHCP server
configuration (MAC addresses and IP address are obfuscated below):
# tricky machine
host tricky {
hardware ethernet xx:xx:xx:xx:xx:xx;
fixed-address A.B.C.D;
}
# tricky machine again
host tricky1 {
hardware ethernet yy:yy:yy:yy:yy:yy;
fixed-address A.B.C.D;
}
Hmmm... wonder if it will gag - we don't put the IP in that, that comes
from DNS. The format we use is
host <shortname> { hardware ethernet <MAC address>; fixed-address <fqdn>; }
It will not care if you put a hostname (FQDN) instead of an IP address -
either is acceptable in the config file. An FQDN just makes your DHCP server go
to the DNS server for every request it receives where an FQDN is involved,
whereas if you have static IPs (not rotating all the time, as the Windows gang
like to, probably to make compromised machines change their IP all the
time), then you will save unnecessary DNS requests and associated delays
by using IPs.
so if it would work, replace shortname with short and short1?
Yes, that was exactly John's point; I just put in my example to make it
more transparent: we are all quicker at comprehending actual config files
than the documentation they were created according to.
Valeri
mark
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
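The thread's point is that ISC dhcpd accepts two host declarations with the same fixed-address but rejects two declarations with the same label (and a MAC that appears in two hosts is a conflict). Below is an added example, not from the thread or from ISC, that parses a dhcpd.conf fragment and flags those two error cases while reporting shared fixed-addresses as merely informational. The config text and MACs are constructed for the example; dhcpd's own `dhcpd -t` remains the authoritative syntax check before deploying.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two-host pattern from the thread:
# one machine, two MACs (real and spoofed), one fixed-address.
SAMPLE_CONF = """
# tricky machine
host tricky {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 10.0.0.10;
}
# tricky machine again (spoofed MAC, same address)
host tricky1 {
  hardware ethernet 66:77:88:99:aa:bb;
  fixed-address 10.0.0.10;
}
"""

# Constructed sample of what dhcpd will reject: the same label twice,
# and the same MAC in two host declarations.
BAD_CONF = """
host tricky {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 10.0.0.10;
}
host tricky {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 10.0.0.11;
}
"""

HOST_RE = re.compile(r'\bhost\s+(\S+)\s*\{([^}]*)\}', re.S)
HW_RE = re.compile(r'hardware\s+ethernet\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s*;', re.I)
ADDR_RE = re.compile(r'fixed-address\s+([^;]+);', re.I)


def strip_comments(text):
    """Drop '#' comments so commented-out hosts are not parsed."""
    return "\n".join(line.split('#', 1)[0] for line in text.splitlines())


def parse_hosts(text):
    """Return a list of (label, mac, fixed_address) tuples, one per host block.
    fixed_address may be an IP or an FQDN, as dhcpd allows either."""
    hosts = []
    for m in HOST_RE.finditer(strip_comments(text)):
        label, body = m.group(1), m.group(2)
        hw = HW_RE.search(body)
        addr = ADDR_RE.search(body)
        hosts.append((label,
                      hw.group(1).lower() if hw else None,
                      addr.group(1).strip() if addr else None))
    return hosts


def check_hosts(hosts):
    """Return a list of problem strings. Duplicate labels and duplicate MACs
    are errors; several hosts sharing one fixed-address is fine."""
    problems = []
    labels = defaultdict(int)
    macs = defaultdict(list)
    for label, mac, _addr in hosts:
        labels[label] += 1
        if mac:
            macs[mac].append(label)
    for label, n in labels.items():
        if n > 1:
            problems.append(f"duplicate host label {label!r} ({n} declarations)")
    for mac, labs in macs.items():
        if len(labs) > 1:
            problems.append(f"MAC {mac} declared in more than one host: {', '.join(labs)}")
    return problems


def shared_addresses(hosts):
    """Map fixed-address -> host labels for addresses used by more than one
    host. Allowed by dhcpd, but worth seeing so a shared address is deliberate."""
    by_addr = defaultdict(list)
    for label, _mac, addr in hosts:
        if addr:
            by_addr[addr].append(label)
    return {a: labs for a, labs in by_addr.items() if len(labs) > 1}


if __name__ == "__main__":
    for name, conf in (("SAMPLE_CONF", SAMPLE_CONF), ("BAD_CONF", BAD_CONF)):
        hosts = parse_hosts(conf)
        print(name, "problems:", check_hosts(hosts) or "none")
        print(name, "shared fixed-addresses:", shared_addresses(hosts) or "none")
```

Running it reports no problems for the two-label form the thread settles on, and two problems for the duplicate-label form, which is the "gagging" mark saw.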