Hi René,

Thanks for the quick response.

> >I am currently evaluating FAI and have a question which I could not
> >answer from the documentation:
> >
> >When I use FAI for configuring some (already installed) clients, can
> >I have the communication encrypted? And can I have authentication?
> >If the communication can run over Ssh, then the answer to both would
> >be "yes". But I did not find anything on how the actual low-level
> >communication is done during configuring a client.
>
> at least in my case yes to both
>
> I operate a FAI wheezy server with a bunch of wheezy workstations.
> For softupdates (which may contain some re-configurations), I
> connect to the workstations with ssh and start the softupdate with
> "fai -N softupdate".
> Then the config space is mounted from the server (nfs) and fai
> performs the necessary updates.
>
> => To automatize it, I have a perl-routine which starts a parallel
> softupdate on all hosts.
> The routine basically opens an ssh-session on each host and executes
> "fai -N softupdate".
> For the passwords, an "expect" template is used. I only have to
> enter the password at the beginning, then expect will automatically
> handle it for each parallel ssh-session.

Thanks a lot. So the actual command is secured.

In order to secure the NFS mount one can use NFS 4 which supports Kerberos for encryption and authentication. Did anyone actually try such a fully secured setup and can report here?

As for the initial installation process, I suppose it cannot be secured fully. You would have to transfer the crypto keys to the clients without using the network, i.e., manually. As far as I have seen, FAI does not provide mechanisms for this.

Best regards,
Jan

-- 
Prof. Dr. Jan Bredereke
Hochschule Bremen, Fak. 4, Flughafenallee 10, D-28199 Bremen.
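
A check for the NFS side of this thread, as an added example that is not part of the original message or of FAI: a shell function that reads lines in `/proc/mounts` format and reports which NFS mounts actually negotiated `sec=krb5p` (Kerberos authentication plus encryption) rather than `krb5`, `krb5i` or `sys`. The host name, paths and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the security flavor of NFS mounts.
# Input : lines in /proc/mounts format
#         (device mountpoint fstype options dump pass) on stdin.
# Output: one line per NFS mount: "<mountpoint> <flavor> <verdict>".
# Status: 0 if every NFS mount uses krb5p, 1 otherwise.
nfs_sec_audit() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        flavor = "unspecified"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^sec=/) flavor = substr(opts[i], 5)

        if      (flavor == "krb5p") verdict = "authenticated+encrypted"
        else if (flavor == "krb5i") verdict = "authenticated+integrity,cleartext"
        else if (flavor == "krb5")  verdict = "authenticated,cleartext"
        else if (flavor == "sys")   verdict = "client-asserted-ids,cleartext"
        else                        verdict = "unknown"

        # Anything weaker than krb5p leaves the config space readable
        # on the wire, so it counts as a failure.
        if (flavor != "krb5p") bad = 1
        print $2, flavor, verdict
    }
    END { exit bad ? 1 : 0 }
    '
}

# Constructed sample input (not captured from a real system): the same
# export mounted once with AUTH_SYS and once with Kerberos privacy,
# plus a local filesystem that must be ignored.
SAMPLE_MOUNTS='faiserver:/srv/fai/config /var/lib/fai/config nfs4 ro,relatime,vers=4,sec=sys,clientaddr=192.0.2.10 0 0
faiserver:/srv/fai/config /mnt/krb nfs4 ro,relatime,vers=4,sec=krb5p,clientaddr=192.0.2.10 0 0
/dev/sda1 / ext4 rw,relatime 0 0'
```

On a client, `nfs_sec_audit < /proc/mounts` run while the config space is mounted shows the flavor that was really negotiated, which can differ from what was requested if the server export allows several.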