Security settings

You can configure global settings for provisioning.

This chapter only mentions notable settings.

Additional resources

Configuring the security token validity duration

When performing any kind of provisioning, as a security measure, orcharhino automatically generates a unique token and adds this token to the OS installer recipe URL in the PXE configuration file (PXELinux, Grub2). By default, the token is valid for 360 minutes. When you provision a host, ensure that you reboot the host within this time frame. If the token expires, it is no longer valid and you receive a 404 error and the operating system installer download fails.

Procedure

  1. In the orcharhino management UI, navigate to Administer > Settings, and click the Provisioning tab.

  2. Find the Token duration option and click the edit icon and edit the duration, or enter 0 to disable token generation. If token generation is disabled, an attacker can spoof client IP address and download OS installer recipe from orcharhino Server, including the encrypted root password.

Setting a default encrypted root password for hosts

If you do not want to set a plain text default root password for the hosts that you provision, you can use a default encrypted password.

The default root password can be inherited by a host group and consequentially by hosts in that group.

If you change the password and reprovision the hosts in the group that inherits the password, the password will be overwritten on the hosts.

Procedure

  1. Generate an encrypted password:

    $ python3 -c 'import crypt,getpass;pw=getpass.getpass(); print(crypt.crypt(pw)) if (pw==getpass.getpass("Confirm: ")) else exit()'

  2. Copy the password for later use.

  3. In the orcharhino management UI, navigate to Administer > Settings.

  4. On the Settings page, select the Provisioning tab.

  5. In the Name column, navigate to Root password, and click Click to edit.

  6. Paste the encrypted password, and click Save.

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution Share Alike 4.0 International ("CC BY-SA 4.0") license. This page also contains text from the official Foreman documentation which uses the same license ("CC BY-SA 4.0").