opsi manual opsi version 4.0.2 - opsi Download - uib
which is readable with administrative privileges only.
The opsi-host-key is stored on the server in the backend in use (e.g. at /etc/opsi/pckeys).
In addition to this authentication, you may tell the opsiconfd to check whether the client IP address matches the given FQDN. To activate this check, set in /etc/opsi/opsiconfd.conf:
verify ip = yes
and reload the opsiconfd:
/etc/init.d/opsiconfd reload
Caution
Do not use this feature unless you are really sure that your name resolution works properly in both directions for all clients.
12.6 Server authentication at the client
Since opsi 4.0.1 there are different ways to check the trustworthiness of the contacted server.
Caution
Do not use them in combination. Choose only one way, or you will be locked out from your client.
12.6.1 Variant 1: verify_server_cert
At the first contact to an opsi-server, the client accepts the given SSL certificate and stores it at C:\opsi.org\opsiclientd\server-certs.
On every subsequent contact, the client creates a random string and uses the public key of the stored certificate to encrypt this string (together with its own access parameters). The encrypted data is sent to the server.
The server uses the private key of its own SSL certificate to decrypt the data and sends the decrypted random string back to the client.
The client then checks whether the correct string was sent back. If not, the communication with the server is aborted.
This way you prevent somebody from directing your clients to a wrong server, e.g. by manipulating the DNS. If you set up a new server, you can migrate the SSL certificate from the old to the new server without problems, and you do not need to deploy any certificate authority (CA).
The disadvantage of this method is that a man-in-the-middle attack is still possible: an attacker relaying the traffic to the genuine server can still have the random string decrypted and passed back.
This security method checks the communication between client and opsi-config-server. When using the opsi WAN extension with clientconfig.depot.protocol set to webdav, the communication to the opsi-depot-server is checked as well (see Section 15.3.1).
To activate this check, set in opsiclientd.conf in the section [global] the option:
verify_server_cert = true
Run the following command on your opsi-config-server to create this configuration entry for all clients:
opsi-admin -d method config_createBool opsiclientd.global.verify_server_cert "verify_server_cert" false