Automating creation of service principals (new hosts, etc)

Simon Wilkinson simon at sxw.org.uk
Mon Jan 14 12:22:21 EST 2008 

On 14 Jan 2008, at 16:17, Jeff Blaine wrote:
> How are people approaching the creation of host/host.foo.com
> without human intervention?

There have been a couple of talks on this subject at recent AFS &  
Kerberos Best Practices Workshops:
http://workshop.openafs.org/afsbpw05/talks/kerb-auto.html (slides at  
http://www.dice.inf.ed.ac.uk/publications/AFSWorkshop-2005/ 
AFSWorkshop.pdf )
and
http://workshop.openafs.org/afsbpw07/talks/bbense.pdf

The first link describes what we do here in Informatics @ Edinburgh  
University. We have a complex machine configuration system which  
installs, and customises, the operating system. At the end of that  
installation process, the machine prompts the user for a set of  
administrative credentials, and then uses those to create a principal  
for 'hostclient/machine.inf.ed.ac.uk'. The machine's configuration  
system then uses this hostclient principal to fetch key material for  
all service principals that the machine should have. Permissions over  
which principals to fetch are controlled by our central configuration  
database, which maintains a record of which services a machine runs,  
and therefore which principals a machine may be allowed. In addition,  
a hostclient/<machine> principal may only fetch keys for */<machine>  
principals.

This obviously requires attended installation - part of our  
installation procedure is that a member of staff goes to each machine  
once installation is complete, and checks its console, so this isn't  
a huge burden for us.

We did design, but never deployed, an alternative system which used  
the MAC address of the machine to control access to the initial key  
material. In this scheme, an administrator would tell a central  
daemon which machines were about to be installed - this would fetch  
the configuration details of these machines from a central database.  
As each machine completed installation, it would send a request to  
the daemon for key material for the hostclient principal. Only one  
request per machine would be permitted - multiple requests would be  
reported as security violations, and requests would have to come from  
the correct MAC address. This is obviously less secure than our  
current solution, but has the advantage that it allows unattended  
installation of large numbers of machines.

Hope that helps,

Simon.

More information about the Kerberos mailing list