2012/6/5 Sigbjorn Lie <<a href="mailto:sigbjorn@nixtra.com" target="_blank">sigbjorn@nixtra.com</a>> <div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="HOEnZb"><div class="h5"> On Fri, June 1, 2012 15:24, Simo Sorce wrote: > This is about Ticket 1978 (originally rhbz746036). > > > This RFE asks for storing private SSH Host Keys in FreeIPA. > > > We have been triaging this ticket today, and I have to admit I am biased > toward simply closing down the ticket. > > However we want to reach out community and interested parties that > opened the tick to understand if there are reasons strong enough to consider implementing it. > > The reason I am against this is that in FreeIPA we already provide > public Key integration. This means that when the host is re-installed new keys are loaded in IPA > and clients do not get the obnoxious warning message that keys have changed, because enrolled > clients (with the appropriate integration bits) trust FreeIPA so they do not need to ask the user > to confirm on a key change. > > Storing Private Keys poses various liability issues, in order to be able > to restore keys you need to give access to those keys to an admin, as there is no other way to > authenticate just the host itself (it was just blown away and reinstalled). This means any admin > account that can perform reinstalls need to have access to *read* private keys out of LDAP, which > means that A) The central tenet of Asymetric authentication is that private keys > are 'private'. B) keys are readable from LDAP to some accounts, any slight error in > ACIs would risk exposing all private keys. > C) most probably low level (junior admin) accounts will have read access > to pretty much all private keys, because those admins are the one tasked with re-installs. However > those admins are also the ones less trusted, yet by giving them access to private keys they are > enabled to perform MITM attacks against pretty much any of the machines managed by FreeIPA. > > > For these reasons I am against storing SSH Private Keys. I would like to > know what are the reasons to instead implement this feature and the security considerations around > those reasons. >> From my point of view the balance between feature vs security issues >> > trips in disfavor of implementing the feature but I am willing to be convinced otherwise if there > are good reasons to, and security issues can be properly addressed with some clever scheme. > </div></div>I think there has been some confusion here. What I was looking for was a way to prevent the users from receiving a message when ssh'ing into a host that's been reinstalled, that the host's key has changed. I believe will become availabe in the future version IPA 2.2 / RHEL 6.3? </blockquote><div> So what you're looking for is an automatic deployment of known_hosts in a centralised way (/etc/ssh) each time a new machine is deployed in an IPA domain ? </div></div> Regards, J. -- Jérôme Fenal - jfenal AT <a href="http://gmail.com" target="_blank">gmail.com</a> - <a href="http://fenal.org/" target="_blank">http://fenal.org/</a> Paris.pm - <a href="http://paris.mongueurs.net/" target="_blank">http://paris.mongueurs.net/</a>