
Administrating machines in the Skolelinux network


While working on integrating kerberos support into Skolelinux, I thought
of some mechanism to integrate new machines into the Skolelinux network
and administrate them.

My thoughts: :-)

 At first: I'm working on integrating MIT kerberos into debian-edu,
           as I know about that implementation, and have it running
           at home and use/control a big installation at our university.
           I know about heimdal, but do not like things done there
           (e.g. storing keytabs in LDAP, because it does break the
            kerberos idea in my opinion and opens another security hole).
           This is my personal opinion, I know there are others thinking
           I'm rather far along integrating kerberos into SLX and I think
           that I'll build a debian-package that adds kerberos support
           when I've finished. My last problem is an expect script, if
           anyone here knows about that stuff, please let me know

 1. If we want kerberos, we have to think about some mechanism to
    distribute client/host keytabs.
    My idea was to generate a set of ssh-keys on tjener at the
    end of installation with no password set
    (ssh-keygen -t dsa -b 2048 -N "" -f /root/.ssh/id_dsa)
    and put the public key (id_dsa.pub) into a directory apache can
    access (e.g. /var/www).
    On the workstation/terminalserver installation the id_dsa.pub file
    should be downloaded and put into /root/.ssh so you
    can access all client machines without password from tjener.
    To avoid a big security hole, we have to permit "normal" users
    to access tjener via ssh.
    (Possible with adding "AllowGroups root admins" into sshd_config).
 2. If a workstation/terminalserver is installed, you have to log into
    webmin and "add" the machine into the skolelinux network.
    You pick a class (server (e.g. printserver), terminalserver or
    workstation), offer a MAC-Address and a hostname and click "Add".

    The following should be done by that script:
     * enter the hostname and MAC into the dhcpd and reload the config
     * enter the hostname into the correct netgroup, to allow NFS access
     * generate keytab and distribute it to the installed machine.

 3. If I find time, I'll try to use one of our perl-scripts and hack
    something together, doing that. :-)

I would like to get some comments on these ideas.
I thought about all that stuff with the aim of not breaking
anything and not opening any security hole.

	Follow the white penguin.

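The "add a machine" step described in point 2 of the mail (hostname and MAC into dhcpd, hostname into the netgroup that NFS trusts, host keytab created for the new machine), written out as an added example; it is not code from the mail, from webmin or from Skolelinux. The dhcpd include file, the netgroup file layout, the netgroup names, the domain `intern` and the realm `INTERN` are all assumptions of this example. The part worth copying is the input validation: the hostname and MAC come from a web form and are written straight into dhcpd.conf and /etc/netgroup, so anything that is not a plain hostname or MAC has to be rejected before it gets there, and duplicates have to be refused so two entries cannot fight over one lease.

```sh
#!/bin/sh
# Added example, not code from the mail or from Skolelinux: register one
# machine in dhcpd, in its NFS netgroup and print the MIT kadmin commands
# that create its host keytab. All paths, names, domain and realm below are
# hypothetical; the file locations can be overridden for testing.

DHCPD_HOSTS="${DHCPD_HOSTS:-/etc/dhcp3/dhcpd-hosts.conf}"   # hypothetical include file
NETGROUP_FILE="${NETGROUP_FILE:-/etc/netgroup}"
DOMAIN="${DOMAIN:-intern}"          # hypothetical
REALM="${REALM:-INTERN}"            # hypothetical
DHCP_RELOAD="${DHCP_RELOAD:-}"      # e.g. "invoke-rc.d dhcp3-server restart"; empty = no reload

# A MAC is six hex pairs and nothing else; a stray ';' or '}' from the form
# would otherwise end up inside dhcpd.conf.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
valid_hostname() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
}

# Map the class picked in the form to the netgroup the NFS exports trust
# (hypothetical netgroup names).
netgroup_for_class() {
    case "$1" in
        workstation)    echo workstation-hosts ;;
        terminalserver) echo ltspserver-hosts ;;
        server)         echo server-hosts ;;
        *)              return 1 ;;
    esac
}

# Append a host stanza; refuse a hostname or MAC that is already registered.
add_dhcp_host() {
    name=$1
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    touch "$DHCPD_HOSTS"
    if grep -Eq "^host $name |hardware ethernet $mac;" "$DHCPD_HOSTS"; then
        echo "dhcp: $name or $mac already registered" >&2
        return 1
    fi
    printf 'host %s { hardware ethernet %s; option host-name "%s"; }\n' \
        "$name" "$mac" "$name" >> "$DHCPD_HOSTS"
}

# Add "(host,-,)" to the group's line in /etc/netgroup, creating the line if
# the group does not exist yet; refuse a host that is already a member.
add_to_netgroup() {
    group=$1
    name=$2
    touch "$NETGROUP_FILE"
    if grep -Eq "^$group .*\($name," "$NETGROUP_FILE"; then
        echo "netgroup: $name already in $group" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v g="$group" -v h="$name" '
        $1 == g { print $0 " (" h ",-,)"; found = 1; next }
        { print }
        END { if (!found) print g " (" h ",-,)" }
    ' "$NETGROUP_FILE" > "$tmp" && mv "$tmp" "$NETGROUP_FILE"
}

# MIT kadmin commands for the host principal: random key, then export to a
# keytab that is afterwards copied to the client over the root ssh key of
# step 1. Printed rather than run, so the caller decides when to pipe them
# into kadmin.local on tjener.
keytab_commands() {
    princ="host/$1.$DOMAIN@$REALM"
    printf 'addprinc -randkey %s\n' "$princ"
    printf 'ktadd -k /root/keytabs/%s.keytab %s\n' "$1" "$princ"
}

# register_host CLASS MAC HOSTNAME: validate, then do the three steps in order.
register_host() {
    class=$1; mac=$2; name=$3
    if ! group=$(netgroup_for_class "$class"); then
        echo "unknown class: $class" >&2; return 1
    fi
    valid_mac "$mac"       || { echo "bad MAC address: $mac" >&2; return 1; }
    valid_hostname "$name" || { echo "bad hostname: $name" >&2; return 1; }
    add_dhcp_host "$name" "$mac"   || return 1
    add_to_netgroup "$group" "$name" || return 1
    if [ -n "$DHCP_RELOAD" ]; then $DHCP_RELOAD; fi
    keytab_commands "$name"
}

if [ $# -eq 3 ]; then
    register_host "$@"
fi
```

Typical use on tjener would be `./register-host.sh workstation 00:11:22:33:44:55 ws01 | kadmin.local`, with DHCP_RELOAD set so dhcpd picks up the new stanza; validation and duplicate checks happen before either file is touched, so a bad form submission leaves both files unchanged.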