Administering machines in the Skolelinux network
Hi!
While working on integrating Kerberos support into Skolelinux, I thought
of some mechanism to integrate new machines into the Skolelinux network
and administer them.
My thoughts: :-)
At first: I'm working on integrating MIT Kerberos into debian-edu,
as I know about that implementation, have it running
at home and use/control a big installation at our university.
I know about Heimdal, but do not like things done there
(e.g. storing keytabs in LDAP, because it breaks the
Kerberos idea in my opinion and opens another security hole).
This is my personal opinion, I know there are others thinking
differently.
I'm rather far along integrating Kerberos into SLX and I think
that I'll build a Debian package that adds Kerberos support
once I've finished. My last problem is an expect script; if
anyone here knows about that stuff, please let me know.
1. If we want Kerberos, we have to think about some mechanism to
distribute client/host keytabs.
My idea was to generate a set of ssh keys on tjener at the
end of installation with no password set
(ssh-keygen -t dsa -b 2048 -N "" -f /root/.ssh/id_dsa)
and put the public key (id_dsa.pub) into a directory apache can
access (e.g. /var/www).
During the workstation/terminalserver installation the id_dsa.pub
file should be downloaded and put into /root/.ssh so you
can access all client machines without a password from tjener.
To avoid a big security hole, we have to permit "normal" users
to access tjener via ssh.
(Possible by adding "AllowGroups root admins" to sshd_config.)
2. If a workstation/terminalserver is installed, you have to log into
webmin and "add" the machine to the Skolelinux network.
You pick a class (server (e.g. printserver), terminalserver or
workstation), offer a MAC address and a hostname and click "Add".
The following should be done by that script:
* enter the hostname and MAC into dhcpd and reload the config
* enter the hostname into the correct netgroup, to allow NFS access
* generate a keytab and distribute it to the installed machine.
3. If I find time, I'll try to use one of our perl scripts and hack
something together doing that. :-)
I would like to get some comments on these ideas.
I thought about all that stuff with the aim of not breaking
anything and not opening any security hole.
Ciao
Max
--
Follow the white penguin.
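The tjener-side "add machine" step from point 2 of the mail, written out as an added example; this is not code from the mail, from Skolelinux/debian-edu or from webmin. It takes the class, hostname and MAC address that webmin would hand over, validates both strings before they are written into dhcpd.conf or a netgroup line (user-typed form input ends up inside config files that are parsed as root, so a strict pattern check comes first), appends the ISC dhcpd host declaration and the netgroup triple, and composes the MIT kadmin.local and scp commands for the keytab using the /root/.ssh/id_dsa key from point 1. The .intern domain, the realm name, the netgroup names, the config paths and the init script name are assumptions; with DRY_RUN=1 (the default) the privileged kadmin/scp/reload steps are only printed, so the functions can be exercised against temporary files.

```shell
#!/bin/sh
# Added example (not from the original mail or from Skolelinux): tjener-side
# registration of a newly installed machine, as sketched in point 2 of the mail.
# Everything below marked "assumed" is an assumption, not something the mail states.
set -u

DOMAIN="${DOMAIN:-intern}"                          # assumed DNS domain of the network
REALM="${REALM:-INTERN}"                            # assumed Kerberos realm name
DHCPD_CONF="${DHCPD_CONF:-/etc/dhcp3/dhcpd.conf}"   # assumed path, varies by release
NETGROUP_FILE="${NETGROUP_FILE:-/etc/netgroup}"     # assumed; Skolelinux keeps these in LDAP
KEYTAB_DIR="${KEYTAB_DIR:-/var/lib/keytabs}"        # assumed staging dir on tjener
SSH_KEY="${SSH_KEY:-/root/.ssh/id_dsa}"             # the key generated in point 1
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print privileged steps, 0 = run them

# Webmin form input ends up inside dhcpd.conf and a netgroup line, so refuse
# anything that is not a plain lowercase DNS label (no ';', '}', spaces, ...).
valid_hostname() {
    case "$1" in
        ''|*[!a-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ ${#1} -le 63 ]
}

# Six colon-separated hex pairs and nothing else.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Class picked in webmin -> netgroup whose members get NFS access (names assumed).
netgroup_for_class() {
    case "$1" in
        workstation)    echo "workstation-hosts" ;;
        terminalserver) echo "ltsp-server-hosts" ;;
        server)         echo "server-hosts" ;;
        *)              return 1 ;;
    esac
}

# ISC dhcpd host declaration: the MAC gets a fixed lease, address resolved via DNS.
dhcpd_host_stanza() {
    printf 'host %s { hardware ethernet %s; fixed-address %s.%s; }\n' "$1" "$2" "$1" "$DOMAIN"
}

# /etc/netgroup-style membership: netgroup followed by a (host,user,domain) triple.
netgroup_line() {
    printf '%s (%s.%s,,)\n' "$1" "$2" "$DOMAIN"
}

# MIT kadmin.local: create the host principal with a random key, export it to a
# per-host keytab that is shipped to the client and then removed from tjener.
keytab_commands() {
    printf 'kadmin.local -q "addprinc -randkey host/%s.%s@%s"\n' "$1" "$DOMAIN" "$REALM"
    printf 'kadmin.local -q "ktadd -k %s/%s.keytab host/%s.%s@%s"\n' \
        "$KEYTAB_DIR" "$1" "$1" "$DOMAIN" "$REALM"
}

# Print the command under DRY_RUN, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

# Glue for the three bullets of point 2. Nothing is written unless both inputs
# validate and the host is not already registered.
add_machine() {
    class=$1 host=$2 mac=$3
    valid_hostname "$host" || { echo "add_machine: bad hostname: $host" >&2; return 1; }
    valid_mac "$mac"       || { echo "add_machine: bad MAC: $mac" >&2; return 1; }
    ng=$(netgroup_for_class "$class") || { echo "add_machine: unknown class: $class" >&2; return 1; }
    if grep -q "^host $host " "$DHCPD_CONF" 2>/dev/null; then
        echo "add_machine: $host is already in $DHCPD_CONF" >&2; return 1
    fi
    dhcpd_host_stanza "$host" "$mac" >>"$DHCPD_CONF"
    netgroup_line "$ng" "$host"      >>"$NETGROUP_FILE"
    run "invoke-rc.d dhcp3-server reload"                    # assumed init script name
    keytab_commands "$host" | while IFS= read -r cmd; do run "$cmd"; done
    run "scp -i $SSH_KEY $KEYTAB_DIR/$host.keytab root@$host.$DOMAIN:/etc/krb5.keytab"
    run "rm -f $KEYTAB_DIR/$host.keytab"                     # no second copy of the host key on tjener
}
```

To try it without touching the real configs, point the path variables at scratch files and leave DRY_RUN at 1, e.g. `DHCPD_CONF=$(mktemp) NETGROUP_FILE=$(mktemp) add_machine workstation ws01 00:11:22:33:44:55`; the dhcpd stanza and netgroup line are appended, and the kadmin.local, scp and reload commands are printed instead of run. A second call for the same hostname is rejected, as is any hostname or MAC that would carry dhcpd.conf syntax into the file.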