Fixes #37121 - Automatically secure the DHCP OMAPI interface #827

Draft
@ekohl ekohl commented Jan 30, 2024

The tsig-keygen command can be used to generate a TSIG key to secure the OMAPI communication.

This is a draft since I realized I need to rewrite some things. Initially it was based on theforeman/foreman-documentation#2709 but then reading the manual I realized dnssec-keygen in Fedora can no longer create TSIG keys. Luckily, tsig-keygen also exists on EL8. Probably also on Debian/Ubuntu.

Another thing I realized was the very complex permission model. It would be way easier if puppet-dhcp creates a separate file for the OMAPI key with strict permissions and the regular DHCP file only includes that. This would allow us to drop the POSIX ACLs.

@ekohl ekohl force-pushed the 37121-auto-secure-dhcp-omapi branch 3 times, most recently from 2716643 to fadca3d Compare May 17, 2024 15:12
The tsig-keygen command can be used to generate a TSIG key to secure the
OMAPI communication.
@ekohl ekohl force-pushed the 37121-auto-secure-dhcp-omapi branch from fadca3d to e8ac296 Compare July 20, 2024 13:52
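
A way to check the layout proposed in the comment above, where the OMAPI key sits in its own restricted file and the main DHCP config only includes it. This is an added example, not code from the pull request or from puppet-dhcp; the file names, the key name `omapi_key`, the port and the placeholder secret are constructed for the demo, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: audit a dhcpd config for the OMAPI key layout discussed above.
# File names and the secret are constructed for this demo.

# audit_omapi CONF: print findings; return 0 when clean, 1 otherwise.
audit_omapi() {
    conf=$1; rc=0
    # A secret inline in the main config means the whole file must be locked down.
    if grep -Eq '^[[:space:]]*secret[[:space:]]' "$conf"; then
        echo "FAIL: secret stored inline in $conf"; rc=1
    fi
    # omapi-port without omapi-key leaves OMAPI unauthenticated.
    if grep -Eq '^[[:space:]]*omapi-port[[:space:]]' "$conf" &&
       ! grep -Eq '^[[:space:]]*omapi-key[[:space:]]' "$conf"; then
        echo "FAIL: omapi-port set without omapi-key in $conf"; rc=1
    fi
    # Included files that hold a secret: no access for others, no group write.
    # (Demo simplification: include paths must not contain whitespace.)
    for inc in $(sed -n 's/^[[:space:]]*include[[:space:]]*"\(.*\)";.*/\1/p' "$conf"); do
        grep -q 'secret' "$inc" 2>/dev/null || continue
        mode=$(stat -c '%a' "$inc")   # GNU stat
        case $mode in
            [0-7][0145]0) echo "OK: $inc has mode $mode" ;;
            *) echo "FAIL: $inc has mode $mode"; rc=1 ;;
        esac
    done
    return $rc
}

# make_samples DIR: write constructed weak and hardened configs into DIR.
make_samples() {
    dir=$1
    printf 'omapi-port 7911;\n' > "$dir/weak.conf"
    # Key stanza in the shape tsig-keygen prints; the secret is a placeholder.
    # umask in a subshell so the key file is never created with wider access.
    ( umask 027
      printf 'key "omapi_key" {\n\talgorithm hmac-sha256;\n\tsecret "Q09OU1RSVUNURUQ=";\n};\n' \
          > "$dir/omapi.key" )
    printf 'include "%s";\nomapi-port 7911;\nomapi-key omapi_key;\n' \
        "$dir/omapi.key" > "$dir/good.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_omapi "$tmp/weak.conf" || echo "weak.conf needs fixing"
audit_omapi "$tmp/good.conf" && echo "good.conf passes"
rm -rf "$tmp"
```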