[Freeipa-devel] [PATCH] Password vault
Martin Kosek
mkosek at redhat.com
Tue Jun 2 15:05:29 UTC 2015
On 06/02/2015 02:07 PM, Endi Sukma Dewata wrote:
> On 6/2/2015 1:10 AM, Martin Kosek wrote:
>> Hi Endi,
>>
>> Quickly skimming through your patches raised couple questions on my side:
>>
>> 1) Will it be possible to also store plain text password via Vault? It
>> talks about taking in the binary data or the text file, but will it also
>> work with plain user secrets (passwords)? I am talking about use like this:
>>
>> # ipa vault-archive <name> --user mkosek --data Secret123
>
> For security the plain text password should be stored in a file first:
>
> # vi password.txt
> # ipa vault-archive <name> --user mkosek --in password.txt
>
> It's also possible to specify the password as base-64 encoded data:
>
> # echo -n Secret123 | base64
> # ipa vault-archive <name> --user mkosek --data U2VjcmV0MTIz
>
> But it's not recommended since the data will be stored in the command history
> and someone could see and decode it. I think passing a plain text password as
> command line argument would be even worse. The --data parameter is mainly used
> for unit testing.
>
> Later we might be able to add an option to read from standard input:
>
> # cat password.txt | ipa vault-archive <name> --user mkosek --std-in
Ok. Well, base64 + file input look as good enough for now. I was mostly
concerned about usability of the solution for normal users as for a manual
secret, it is not convenient to always create an interim file.
We will see based on user experience, maybe Web UI or further CLI-only
additions will be the answer.
>> 2) Didn't we discuss a dependency of IPA/Vault on python-cryptography in
>> the past? I rather see use of python-nss for cryptography...
>
> Yes. I might have mentioned that it would be in the 2nd (current) vault patch.
> Actually it will be in the 3rd patch when we add the symmetric and asymmetric
> vaults. The symmetric and asymmetric encryption will be implemented using
> python-cryptography. You can also see this in an old patch (#358) but it's
> obsolete now.
Ok.
> The standard vault in the current patch uses python-nss for transport
> encryption because when the KRA interface was written python-cryptography
> wasn't available on Fedora, it didn't support certificates, and I'm not sure if
> it supports key wrapping.
>
> The symmetric and asymmetric vaults add an additional layer of encryption on
> top of the standard transport encryption, so it will depend on both python-nss
> and python-cryptography.
>
> In the future if the KRA can support python-cryptography without python-nss we
> may be able to drop the python-nss dependency from vaults.
Ok.
>
>> 3) You do a lot of actions in the forward() method (as planned in
>> https://www.freeipa.org/page/V4/Password_Vault#Archival). But how do you
>> envision that this is consumed by the Web UI? It does not have access to
>> the forward() method. Would it need to also include some crypto library?
>
> If Web UI wants to access vault (not sure if everybody agrees with that), it
> would have to perform an encryption on the browser side. In that case we will
> need to use either WebCrypto or a browser-specific extension to implement
> something similar to vault_archive.forward(), assuming the required
> cryptographic functionalities are available. In the future PKI might be able to
> provide a JavaScript interface for KRA.
Ok, makes sense. I think we will want Web UI at some point, but the summary for
FreeIPA 4.2 seems - no Web UI for Vault (yet).
>> 4) In the vault-archive forward method, you use "pki" module. However,
>> this module will be only available on FreeIPA PKI-powered servers and
>> not on FreeIPA clients - so this will not work unless freeipa-client
>> gets a dependency on pki-base - which is definitely not something we
>> want...
>
> In my opinion it should be fine to require pki-base on the client because it
> contains just the client library, unless you have other concerns? Any
> objections to having pki-nss and pki-cryptography dependencies on the client?
>
> Even if we can change the client code not to depend on "pki" module, since in
> this framework the client and server code are written in the same plugin, the
> "import pki" still cannot be removed since it's still needed by the server
> code, and I don't think conditional import is a good programming practice.
I have major concerns here. Look at the different between installing
"freeipa-client" and "freeipa-client + pki-base" on my F21:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo yum install freeipa-client
...
Install 1 Package (+4 Dependent packages)
Total download size: 2.6 M
Installed size: 14 M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$ sudo yum install freeipa-client pki-base
...
Install 2 Packages (+288 Dependent packages)
Total download size: 160 M
Installed size: 235 M
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is obviously a no-go for client. The conditional import is smaller concern
that big dependency growth on the client. We do them in trust plugin for
example and it works fine (though I agree it is not ideal programming practice).
IMO, we should limit new freeipa-client dependencies only to
python-cryptography (or also python-nss in the worst case, in case
python-cryptography is not enough) - there should be no pki dependencies at
all, these should be only on the server side.
Thanks,
Martin
More information about the Freeipa-devel
mailing list