[Freeipa-devel] [DESIGN] Sub-CAs; authenticating to Custodia

Jan Cholasta jcholast at redhat.com
Thu Apr 7 10:29:00 UTC 2016


On 7.4.2016 12:13, Christian Heimes wrote:
> On 2016-04-07 11:09, Petr Spacek wrote:
>> On 7.4.2016 08:43, Fraser Tweedale wrote:
>>> Hi team,
>>>
>>> I updated the Sub-CAs design page with more detail for the key
>>> replication[1].  This part of the design is nearly complete (a large
>>> patchset is in review over at pki-devel@) but there are various
>>> options about how to authenticate to Custodia.
>>>
>>> [1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
>>>
>>> In brief, the options are:
>>>
>>> 1) authenticate as host principal; install binary setuid
>>>     root:pkiuser to read host keytab and custodia keys.
>>
>> Huh, I really do not like this. The host keytab on an IPA master is one of the most
>> sensitive keys we have.
>>
>> Maybe gssproxy can be used somehow, but I think it would be better to use a
>> separate key.
>>
>>
>>> 2) authenticate as host principal; copy host keytab and custodia
>>>     keys to location readable by pkiuser.
>>
>> No, really, do not copy host keytab anywhere.
>>
>>
>>> 3) create new principal for pkiuser to use, along with custodia keys
>>>     and keytab in location readable by pkiuser.
>>>
>>> I prefer option (1) for reasons outlined in the design page.  The
>>> design page goes into quite a bit more detail so please review the
>>> section linked above and get back to me with your thoughts.
>>
>> The only downside of (3) using new keys is:
>> ... This approach requires the creation of new principals, and Kerberos
>> keytabs and Custodia keys for those principals, as part of the
>> installation/upgrade process.
>>
>> Compared with an additional SUID binary this seems a safer and easier way to go.
>> FreeIPA installers already create quite a lot of principals and keytabs, so
>> this is a well understood task.
>>
>> I would do (3).
>
> +1 for (3)
>
> A SUID binary feels like a dangerous hack.

+1

-- 
Jan Cholasta
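The thread's objection to options (1) and (2) comes down to two file-system invariants: the host keytab stays readable by root only, and no setuid helper is introduced to get around that; option (3) adds a third, a dedicated keytab owned by pkiuser and readable by nobody else. The script below is an added example, not code from this thread or from FreeIPA or Custodia, that audits exactly those invariants. The file paths, the owner names and the constructed stand-in files in `demo` are assumptions for illustration; on a real master you would point `check_keytab` at `/etc/krb5.keytab` (owner root) and at wherever the dedicated pkiuser keytab is installed.

```shell
#!/bin/sh
# Added example: audit the permission invariants behind option (3).
# Assumes GNU stat (Linux). Paths and owners below are assumptions.

# check_keytab FILE OWNER MODE
# Returns 0 only if FILE exists, is owned by OWNER and has exactly MODE
# (e.g. 600). Anything more permissive is reported and returns 1.
check_keytab() {
    file=$1; want_owner=$2; want_mode=$3
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" = "$want_owner" ] && [ "$mode" = "$want_mode" ]; then
        echo "OK       $file (owner=$owner mode=$mode)"
        return 0
    fi
    echo "BAD      $file: owner=$owner mode=$mode, want owner=$want_owner mode=$want_mode"
    return 1
}

# check_no_setuid DIR
# Returns 1 if any regular file under DIR carries the setuid bit, i.e. the
# "read the host keytab as root" helper from option (1) has crept in.
check_no_setuid() {
    found=$(find "$1" -type f -perm -4000 2>/dev/null)
    if [ -n "$found" ]; then
        echo "BAD      setuid binaries under $1:"
        echo "$found"
        return 1
    fi
    echo "OK       no setuid binaries under $1"
    return 0
}

# Stand-alone demo on a constructed directory tree; no real keytabs are touched.
# Owner is the current user because the demo is not run as root.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    # constructed stand-in for /etc/krb5.keytab: correctly locked down
    printf 'constructed' > "$tmp/krb5.keytab";    chmod 600 "$tmp/krb5.keytab"
    # constructed stand-in for the dedicated pkiuser keytab: deliberately too open
    printf 'constructed' > "$tmp/pkiuser.keytab"; chmod 644 "$tmp/pkiuser.keytab"
    # constructed setuid helper, the thing the thread wants to avoid
    mkdir "$tmp/bin"; : > "$tmp/bin/helper";      chmod 4755 "$tmp/bin/helper"

    rc=0
    check_keytab "$tmp/krb5.keytab"    "$me" 600 || rc=1
    check_keytab "$tmp/pkiuser.keytab" "$me" 600 || rc=1
    check_no_setuid "$tmp/bin"                   || rc=1
    rm -rf "$tmp"
    return $rc
}

# Run the demo only when executed directly (not when sourced for the functions).
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

In the demo the first check passes and the other two fail, so `demo` exits non-zero; that is the behaviour you want from a post-install or post-upgrade check that the installer created the pkiuser principal's keytab with the right owner and mode and left the host keytab alone.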
