Thanks for the update. The reason for weighing in on the Kerberos option is to have it as an option to disable if needed; security is more important. I had to say this because there was a question on "why I would disable it".

I agree that the OTP should definitely provide some additional layer of security. Let me test and reply back. Thanks again.

Gokul

Sent from iPhone

> On Mar 30, 2015, at 7:48 AM, Dmitri Pal <[email protected]> wrote:
>
>> On 03/29/2015 10:27 PM, Gokulnath wrote:
>> Thanks for getting back.
>>
>> 1. As for security: a Kerberos ticket in memory can be taken, and that
>> session key can be used to gain access everywhere. Primarily this is
>> because the plan is to use the solution in the cloud.
>
> You can use Kerberos in the cloud. It is not worse or better than certs.
> If you can read the memory of a machine you can (potentially) read its keys.
> But this is the general risk that you take going into the cloud regardless
> of whether you use PKI or Kerberos.
>
> In general you do not want to store long-term keys in the images but rather
> add them on the fly when the system is instantiated.
> The ipa-client-install with OTP registration code provides this capability.
>
> It seems that you are trying to overcomplicate things with no obvious reason.
> If you need help with picking a better approach let us know what exactly you
> are trying to accomplish.
>
>>
>> 2. Can I disable DNS as well? And have IPA run only LDAP, SSH key
>> rotation and PKI?
>>
>> 3. During the install, DNS and Kerberos are getting installed and
>> configured.
>>
>> I would really appreciate it if you can get back.
>>
>> Thank you
>> Gokul
>> Sent from iPhone
>>
>>> On Mar 29, 2015, at 8:44 PM, Dmitri Pal <[email protected]> wrote:
>>>
>>>> On 03/29/2015 11:50 AM, Gokul wrote:
>>>> Hi,
>>>>
>>>> I tried to run some of my use cases with FreeIPA.
>>>>
>>>> Have FreeIPA do only SSH key management in LDAP and PKI management.
>>>>
>>>> The understanding is that every request is kerberized and that DNS is a
>>>> must-have in the configuration.
>>>>
>>>> Can I have FreeIPA run only SSH key management with LDAP and a PKI
>>>> server with Dogtag?
>>>>
>>>> Thank you
>>>> Gokul
>>>
>>> You can't turn off Kerberos. You would need Kerberos for administration.
>>> But other clients can take advantage of LDAP and SSH only.
>>> However you are significantly limiting your functionality and capabilities.
>>> Kerberos is really the key of the solution.
>>>
>>> What is the reason you try to avoid using it?
>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager IdM portfolio
>>> Red Hat, Inc.
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
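The OTP enrollment Dmitri points at above, shown as an added example rather than anything posted in this thread or shipped by the FreeIPA project: an admin pre-creates the host entry and asks IPA for a random one-time password, only that OTP is handed to the new instance (here via cloud-init user-data), and ipa-client-install on the instance trades it for a host keytab. No long-term Kerberos key is ever present in the image. The realm EXAMPLE.COM, the server ipa.example.com, the client web01.example.com and the use of cloud-init are assumptions for the illustration; the ipa and ipa-client-install options used are real ones.

```shell
#!/bin/sh
# Added example, not code from the freeipa-users thread or the FreeIPA project.
# Assumed names: realm EXAMPLE.COM, IPA server ipa.example.com,
# client web01.example.com. Provisioning flow: OTP in, keytab out on the instance.

# Provisioning side. Run by an admin who already holds a Kerberos ticket on a
# machine with the ipa CLI. "ipa host-add --random" creates the host entry and
# prints a line "Random password: <value>"; the value is returned on stdout.
# The password is single-use: ipa-client-install consumes it at enrollment.
ipa_register_host() {
    host="$1"
    ipa host-add "$host" --random | sed -n 's/^ *Random password: *//p'
}

# Build the cloud-init user-data the instance boots with. Only the one-time
# password travels in user-data; the host keytab (/etc/krb5.keytab) is created
# by ipa-client-install on the running instance and never exists in the image.
make_user_data() {
    host="$1"; otp="$2"; domain="$3"; realm="$4"; server="$5"
    cat <<EOF
#cloud-config
runcmd:
  - ipa-client-install --unattended --hostname=${host} --domain=${domain} --realm=${realm} --server=${server} --password='${otp}' --mkhomedir
EOF
}

# Post-enrollment check, run on the client: the keytab holds the host
# principal, so the instance now authenticates with its own key, not the OTP.
check_enrolled() {
    host="$1"; realm="$2"
    klist -k /etc/krb5.keytab 2>/dev/null | grep -q "host/${host}@${realm}"
}

# Example admin-side usage (not executed here; needs a live IPA server):
#   otp=$(ipa_register_host web01.example.com)
#   make_user_data web01.example.com "$otp" example.com EXAMPLE.COM ipa.example.com > user-data.yml
```

Two caveats a practitioner will want. The OTP is usable exactly once, but until ipa-client-install has run, anyone who can read the instance's user-data (or the admin's terminal scrollback) can be the one to use it, so keep the window between host-add and first boot short, and confirm on the server with `ipa host-show web01.example.com` that the entry reports `Keytab: True` afterwards. And the point Dmitri makes about memory still stands after enrollment: the keytab and any cached tickets live on the instance, so this only removes the key from the image, not from the running machine.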
