[Freeipa-devel] [PATCH] Password vault

Simo Sorce simo at redhat.com
Tue Jun 2 18:40:58 UTC 2015 

On Tue, 2015-06-02 at 07:07 -0500, Endi Sukma Dewata wrote:
> On 6/2/2015 1:10 AM, Martin Kosek wrote:
> > Hi Endi,
> >
> > Quickly skimming through your patches raised couple questions on my side:
> >
> > 1) Will it be possible to also store plain text password via Vault? It
> > talks about taking in the binary data or the text file, but will it also
> > work with plain user secrets (passwords)? I am talking about use like this:
> >
> > # ipa vault-archive <name> --user mkosek --data Secret123
> 
> For security the plain text password should be stored in a file first:
> 
>    # vi password.txt
>    # ipa vault-archive <name> --user mkosek --in password.txt
> 
> It's also possible to specify the password as base-64 encoded data:
> 
>    # echo -n Secret123 | base64
>    # ipa vault-archive <name> --user mkosek --data U2VjcmV0MTIz
> 
> But it's not recommended since the data will be stored in the command 
> history and someone could see and decode it. I think passing a plain 
> text password as command line argument would be even worse. The --data 
> parameter is mainly used for unit testing.
> 
> Later we might be able to add an option to read from standard input:
> 
>    # cat password.txt | ipa vault-archive <name> --user mkosek --std-in

Yes please, a way to pass in via stdin is extremely useful, as leaving
files on the filesystem is also a big risk.

> > 2) Didn't we discuss a dependency of IPA/Vault on python-cryptography in
> > the past? I rather see use of python-nss for cryptography...
> 
> Yes. I might have mentioned that it would be in the 2nd (current) vault 
> patch. Actually it will be in the 3rd patch when we add the symmetric 
> and asymmetric vaults. The symmetric and asymmetric encryption will be 
> implemented using python-cryptography. You can also see this in an old 
> patch (#358) but it's obsolete now.
> 
> The standard vault in the current patch uses python-nss for transport 
> encryption because when the KRA interface was written 
> python-cryptography wasn't available on Fedora, it didn't support 
> certificates, and I'm not sure if it supports key wrapping.

It depends on the key wrapping, I have coded in python (jwcrypto)
support for some key wrapping not yet available in python-cryptography
and can lend you the code as needed.

> The symmetric and asymmetric vaults add an additional layer of 
> encryption on top of the standard transport encryption, so it will 
> depend on both python-nss and python-cryptography.
> 
> In the future if the KRA can support python-cryptography without 
> python-nss we may be able to drop the python-nss dependency from vaults.
> 
> > 3) You do a lot of actions in the forward() method (as planned in
> > https://www.freeipa.org/page/V4/Password_Vault#Archival). But how do you
> > envision that this is consumed by the Web UI? It does not have access to
> > the forward() method. Would it need to also include some crypto library?
> 
> If Web UI wants to access vault (not sure if everybody agrees with 
> that), it would have to perform an encryption on the browser side. In 
> that case we will need to use either WebCrypto or a browser-specific 
> extension to implement something similar to vault_archive.forward(), 
> assuming the required cryptographic functionalities are available. In 
> the future PKI might be able to provide a JavaScript interface for KRA.

I so much want to NACK crypto in web browsers ... but we may have to do
it, it stinks soo much though ... Perhaps a plugin ?

> > 4) In the vault-archive forward method, you use "pki" module. However,
> > this module will be only available on FreeIPA PKI-powered servers and
> > not on FreeIPA clients - so this will not work unless freeipa-client
> > gets a dependency on pki-base - which is definitely not something we
> > want...
> 
> In my opinion it should be fine to require pki-base on the client 

NACK look at the dependency chain for that packages.

> because it contains just the client library, unless you have other 
> concerns? Any objections to having pki-nss and pki-cryptography 
> dependencies on the client?

you mean python-nss/python-cryptography ? I see no problem having them
as dependencies on the client.

> Even if we can change the client code not to depend on "pki" module, 
> since in this framework the client and server code are written in the 
> same plugin, the "import pki" still cannot be removed since it's still 
> needed by the server code, and I don't think conditional import is a 
> good programming practice.

conditional import is just fine

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

More information about the Freeipa-devel mailing list