LCFG Profile Security Project

June 12, 2018

The various changes necessary to add support for GSSAPI authenticated profile fetching have now been moved from our local dice configuration into the general lcfg area. The new support can be enabled by specifying the LCFG_AUTH_GSSAPI macro at the start of an LCFG source profile. Most of the resources necessary are configured in the lcfg/options/lcfg-client-gssapi.h header file but sites wanting to use this will still need a little additional configuration.

For the installer, support is enabled by setting the lcfg.kauth=1 option on the kernel command line. Those sites using the ed/options/pxeserver.h header will automatically get a menu option which supports this mode. The installer can be be enabled for a client with something like this:

#ifdef LINUX_EL7
!pxeclient.platforms            mREPLACE(sl7,sl7kauth)
!pxeclient.default_label        mSUBST(sl7,sl7kauth)
#endif /* GSSAPI support enabled */
#endif /* LINUX_EL7 */

It is important to note that the lcfg-client-gssapi.h header does not remove http access for the XML profile. That could either be turned off completely for the apache virtual host or a per-client deny all rule could be put into the associated .htaccess file. Also, the default access control for the XML profiles is based on an apache group named lcfgadmins which must be populated on the LCFG servers, for example:

!apacheconf.groups   mADD(lcfgadmins)
!apacheconf.members_lcfgadmins mSET( 

Note that this is a list of admin principals, this is done so the credentials can also be used to register machines in the KDC using the kdcregister tool.

As part of this work I’ve also added the necessary methods to support using kdcregister in the LCFG installer. Most sites use this and have up to now been duplicating the configuration. It can be enabled by specifying the LCFG_OPTIONS_KERBEROS_CLIENT_REGISTER macro prior to including the lcfg/options/kerberos-client.h header file.