[Freeipa-devel] About private ssh host keys in IPA

Fri Jun 1 13:40:00 UTC 2012

On Jun 1, 2012, at 6:35 AM, "Stephen Gallagher" <sgallagh at redhat.com> wrote:

> On Fri, 2012-06-01 at 09:24 -0400, Simo Sorce wrote:
>> This is about Ticket 1978 (originally rhbz746036).
>> 
>> This RFE asks for storing private SSH Host Keys in FreeIPA.
>> 
>> We have been triaging this ticket today, and I have to admit I am biased
>> toward simply closing down the ticket.
>> 
>> However we want to reach out community and interested parties that
>> opened the tick to understand if there are reasons strong enough to
>> consider implementing it.
>> 
>> The reason I am against this is that in FreeIPA we already provide
>> public Key integration. This means that when the host is re-installed
>> new keys are loaded in IPA and clients do not get the obnoxious warning
>> message that keys have changed, because enrolled clients (with the
>> appropriate integration bits) trust FreeIPA so they do not need to ask
>> the user to confirm on a key change.
>> 
>> Storing Private Keys poses various liability issues, in order to be able
>> to restore keys you need to give access to those keys to an admin, as
>> there is no other way to authenticate just the host itself (it was just
>> blown away and reinstalled).
>> This means any admin account that can perform reinstalls need to have
>> access to *read* private keys out of LDAP, which means that
>> A) The central tenet of Asymetric authentication is that private keys
>> are 'private'.
>> B) keys are readable from LDAP to some accounts, any slight error in
>> ACIs would risk exposing all private keys.
>> C) most probably low level (junior admin) accounts will have read access
>> to pretty much all private keys, because those admins are the one tasked
>> with re-installs. However those admins are also the ones less trusted,
>> yet by giving them access to private keys they are enabled to perform
>> MITM attacks against pretty much any of the machines managed by FreeIPA.
>> 
>> For these reasons I am against storing SSH Private Keys. I would like to
>> know what are the reasons to instead implement this feature and the
>> security considerations around those reasons.
>>> From my point of view the balance between feature vs security issues
>> trips in disfavor of implementing the feature but I am willing to be
>> convinced otherwise if there are good reasons to, and security issues
>> can be properly addressed with some clever scheme.
> 
> 
> For the record, I am also in favor of just closing the ticket. It's much
> safer and wiser to require re-provisioning of the public key in the
> FreeIPA server than it is to try storing the private key. I suspect that
> when we had the original conversation on IRC, it was before we had
> decided that FreeIPA would be managing public keys. I am firmly against
> ever storing host private keys in a central location.

+1

I am also for the public and against the private.