[Freeipa-devel] About private ssh host keys in IPA
Sigbjorn Lie
sigbjorn at nixtra.com
Tue Jun 5 21:02:50 UTC 2012
On 06/05/2012 04:38 PM, Jérôme Fenal wrote:
> 2012/6/5 Sigbjorn Lie <sigbjorn at nixtra.com <mailto:sigbjorn at nixtra.com>>
>
>
>
> On Fri, June 1, 2012 15:24, Simo Sorce wrote:
> > This is about Ticket 1978 (originally rhbz746036).
> >
> >
> > This RFE asks for storing private SSH Host Keys in FreeIPA.
> >
> >
> > We have been triaging this ticket today, and I have to admit I
> am biased
> > toward simply closing down the ticket.
> >
> > However we want to reach out community and interested parties that
> > opened the tick to understand if there are reasons strong enough
> to consider implementing it.
> >
> > The reason I am against this is that in FreeIPA we already provide
> > public Key integration. This means that when the host is
> re-installed new keys are loaded in IPA
> > and clients do not get the obnoxious warning message that keys
> have changed, because enrolled
> > clients (with the appropriate integration bits) trust FreeIPA so
> they do not need to ask the user
> > to confirm on a key change.
> >
> > Storing Private Keys poses various liability issues, in order to
> be able
> > to restore keys you need to give access to those keys to an
> admin, as there is no other way to
> > authenticate just the host itself (it was just blown away and
> reinstalled). This means any admin
> > account that can perform reinstalls need to have access to
> *read* private keys out of LDAP, which
> > means that A) The central tenet of Asymetric authentication is
> that private keys
> > are 'private'. B) keys are readable from LDAP to some accounts,
> any slight error in
> > ACIs would risk exposing all private keys.
> > C) most probably low level (junior admin) accounts will have
> read access
> > to pretty much all private keys, because those admins are the
> one tasked with re-installs. However
> > those admins are also the ones less trusted, yet by giving them
> access to private keys they are
> > enabled to perform MITM attacks against pretty much any of the
> machines managed by FreeIPA.
> >
> >
> > For these reasons I am against storing SSH Private Keys. I would
> like to
> > know what are the reasons to instead implement this feature and
> the security considerations around
> > those reasons.
> >> From my point of view the balance between feature vs security
> issues
> >>
> > trips in disfavor of implementing the feature but I am willing
> to be convinced otherwise if there
> > are good reasons to, and security issues can be properly
> addressed with some clever scheme.
> >
>
>
> I think there has been some confusion here. What I was looking for
> was a way to prevent the users
> from receiving a message when ssh'ing into a host that's been
> reinstalled, that the host's key has
> changed.
>
> I believe will become availabe in the future version IPA 2.2 /
> RHEL 6.3?
>
>
> So what you're looking for is an automatic deployment of known_hosts
> in a centralised way (/etc/ssh) each time a new machine is deployed
> in an IPA domain ?
>
No, I would like not having to update the existing known_hosts when a
host is re-installed.
Rgds,
Siggi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120605/26b070bb/attachment.htm>
More information about the Freeipa-devel
mailing list