[Freeipa-devel] About private ssh host keys in IPA

Sigbjorn Lie sigbjorn at nixtra.com
Tue Jun 5 21:02:50 UTC 2012


On 06/05/2012 04:38 PM, Jérôme Fenal wrote:
> 2012/6/5 Sigbjorn Lie <sigbjorn at nixtra.com>
>
>     On Fri, June 1, 2012 15:24, Simo Sorce wrote:
>     > This is about Ticket 1978 (originally rhbz746036).
>     >
>     > This RFE asks for storing private SSH Host Keys in FreeIPA.
>     >
>     > We have been triaging this ticket today, and I have to admit I am biased
>     > toward simply closing down the ticket.
>     >
>     > However we want to reach out to the community and interested parties that
>     > opened the ticket to understand if there are reasons strong enough to
>     > consider implementing it.
>     >
>     > The reason I am against this is that in FreeIPA we already provide
>     > public key integration. This means that when the host is re-installed
>     > new keys are loaded in IPA and clients do not get the obnoxious warning
>     > message that keys have changed, because enrolled clients (with the
>     > appropriate integration bits) trust FreeIPA so they do not need to ask
>     > the user to confirm on a key change.
>     >
>     > Storing Private Keys poses various liability issues: in order to be able
>     > to restore keys you need to give access to those keys to an admin, as
>     > there is no other way to authenticate just the host itself (it was just
>     > blown away and reinstalled). This means any admin account that can
>     > perform reinstalls needs to have access to *read* private keys out of
>     > LDAP, which means that A) The central tenet of asymmetric authentication
>     > is that private keys are 'private'. B) Keys are readable from LDAP to
>     > some accounts; any slight error in ACIs would risk exposing all private
>     > keys. C) Most probably low level (junior admin) accounts will have read
>     > access to pretty much all private keys, because those admins are the
>     > ones tasked with re-installs. However those admins are also the ones
>     > less trusted, yet by giving them access to private keys they are enabled
>     > to perform MITM attacks against pretty much any of the machines managed
>     > by FreeIPA.
>     >
>     > For these reasons I am against storing SSH Private Keys. I would like to
>     > know what are the reasons to instead implement this feature and the
>     > security considerations around those reasons.
>     >
>     > From my point of view the balance between feature vs security issues
>     > trips in disfavor of implementing the feature but I am willing to be
>     > convinced otherwise if there are good reasons to, and security issues
>     > can be properly addressed with some clever scheme.
>     >
>
>
>     I think there has been some confusion here. What I was looking for was a
>     way to prevent the users from receiving a message when ssh'ing into a
>     host that's been reinstalled, that the host's key has changed.
>
>     I believe this will become available in the future version IPA 2.2 /
>     RHEL 6.3?
>
>
> So what you're looking for is an automatic deployment of known_hosts
> in a centralised way (/etc/ssh) each time a new machine is deployed
> in an IPA domain ?
>

No, I would like not having to update the existing known_hosts when a
host is re-installed.


Rgds,
Siggi
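The mechanism Simo describes above (an enrolled client trusts the host public key that the reinstalled host re-published centrally, so it never has to fall back on a stale local known_hosts entry) can be made concrete with a small model. The Python below is an added illustration and is not code from this thread or from FreeIPA or SSSD; the hostname, the key blobs and the known_hosts contents are all constructed, and the trust-resolution order (central record before local file) is a simplification of what an OpenSSH client with a system-wide known_hosts actually does.

```python
import base64
import hashlib
import struct


def make_key_blob(seed: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from a seed.

    Constructed for this example only: the 32 'key bytes' are a hash of the
    seed rather than a real key pair, which is all fingerprinting needs."""
    key_type = b"ssh-ed25519"
    key_bytes = hashlib.sha256(seed.encode()).digest()  # 32 bytes, like a real ed25519 key
    blob = struct.pack(">I", len(key_type)) + key_type
    blob += struct.pack(">I", len(key_bytes)) + key_bytes
    return base64.b64encode(blob).decode()


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, '=' padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Parse plain OpenSSH known_hosts lines into {hostname: (key_type, blob_b64)}.

    Comments, blank lines and comma-separated host lists are handled.  Hashed
    entries (|1|...) and @marker lines (@cert-authority, @revoked) are skipped:
    they need HMAC salts and CA/revocation logic that this model leaves out."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("|1|"):
            continue
        hosts, key_type, blob = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            entries[host] = (key_type, blob)
    return entries


def check_host(host: str, presented: tuple, central: dict, local: dict) -> str:
    """Decide whether to accept the (key_type, blob) a host presented at connect time.

    `central` models host public keys published by the identity server, which
    an enrolled client trusts; `local` models the user's ~/.ssh/known_hosts.
    The central record is consulted first, so a reinstalled host that has
    re-published its new key is accepted even if the local file is stale."""
    if host in central:
        return "trusted:central" if central[host] == presented else "MISMATCH:central"
    if host in local:
        return "trusted:local" if local[host] == presented else "MISMATCH:local"
    return "unknown"


def reinstall_scenario() -> dict:
    """Walk through the reinstall case from the thread and return both verdicts."""
    host = "web1.example.test"  # constructed hostname
    old_key = ("ssh-ed25519", make_key_blob("web1-before-reinstall"))
    new_key = ("ssh-ed25519", make_key_blob("web1-after-reinstall"))

    # Local known_hosts written before the reinstall: still holds the old key.
    stale_local = parse_known_hosts(
        f"# user's ~/.ssh/known_hosts (constructed)\n{host},10.0.0.5 {old_key[0]} {old_key[1]}\n"
    )
    # Central store after the reinstalled host re-enrolled and published its new key.
    central = {host: new_key}

    return {
        "enrolled_client": check_host(host, new_key, central, stale_local),
        "unenrolled_client": check_host(host, new_key, {}, stale_local),
        "old_fingerprint": fingerprint(old_key[1]),
        "new_fingerprint": fingerprint(new_key[1]),
    }


if __name__ == "__main__":
    for name, value in reinstall_scenario().items():
        print(f"{name}: {value}")
```

Only public keys ever leave the host in this model, which is the point of Simo's argument: the reinstall problem is solved by re-publishing the new public key, and no admin needs read access to a private key to make the warning go away.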
