Anonymous kerberos and bootstrapping new hosts - how to?

[Nico Williams]

Roland Dowdeswell's krb5_admin and krb5_keytab tool suite support
bootstrapping and changing host keys using N-way Diffie-Hellman key
exchanges (which includes support for race-free clustered host key
updates).

Bootstrapping keys requires a locally-defined (site-specific) process
for verifying host identity.  That process can be as simple as "any
host gets to bootstrap keys for any host-based principal for which
there are no keys yet and which exists in DNS" to "confirm host
identity via service processors automatically" (e.g., if you have a
datacenter with a gateway'ed service processor network so you can
trust that if you can reach a service processor you are talking to a
racked server, so then you leverage datacenter physical access
policies) to "a sysadmin must manually confirm the host identity".  A
key is bootstrapped before the host identification process, using a
principal name derived from the N-way DH exchange, so, for example, if
you can get console access via a gateway'ed service processor then you
can use that key to complete the bootstrap process securely.

See:

http://oskt.secure-endpoints.com/
https://github.com/elric1/

Nico
--