[Freeipa-devel] About private ssh host keys in IPA

Dmitri Pal dpal at redhat.com
Wed Jun 6 02:23:07 UTC 2012


On 06/05/2012 05:02 PM, Sigbjorn Lie wrote:
> On 06/05/2012 04:38 PM, Jérôme Fenal wrote:
>> 2012/6/5 Sigbjorn Lie <sigbjorn at nixtra.com <mailto:sigbjorn at nixtra.com>>
>>
>>
>>
>>     On Fri, June 1, 2012 15:24, Simo Sorce wrote:
>>     > This is about Ticket 1978 (originally rhbz746036).
>>     >
>>     > This RFE asks for storing private SSH Host Keys in FreeIPA.
>>     >
>>     > We have been triaging this ticket today, and I have to admit I am
>>     > biased toward simply closing down the ticket.
>>     >
>>     > However we want to reach out to the community and interested parties
>>     > that opened the ticket to understand if there are reasons strong
>>     > enough to consider implementing it.
>>     >
>>     > The reason I am against this is that in FreeIPA we already provide
>>     > public Key integration. This means that when the host is re-installed
>>     > new keys are loaded in IPA and clients do not get the obnoxious
>>     > warning message that keys have changed, because enrolled clients
>>     > (with the appropriate integration bits) trust FreeIPA so they do not
>>     > need to ask the user to confirm on a key change.
>>     >
>>     > Storing Private Keys poses various liability issues: in order to be
>>     > able to restore keys you need to give access to those keys to an
>>     > admin, as there is no other way to authenticate just the host itself
>>     > (it was just blown away and reinstalled). This means any admin
>>     > account that can perform reinstalls needs to have access to *read*
>>     > private keys out of LDAP, which means that A) The central tenet of
>>     > Asymmetric authentication is that private keys are 'private'.
>>     > B) keys are readable from LDAP to some accounts; any slight error in
>>     > ACIs would risk exposing all private keys. C) most probably low level
>>     > (junior admin) accounts will have read access to pretty much all
>>     > private keys, because those admins are the ones tasked with
>>     > re-installs. However those admins are also the ones less trusted,
>>     > yet by giving them access to private keys they are enabled to
>>     > perform MITM attacks against pretty much any of the machines managed
>>     > by FreeIPA.
>>     >
>>     > For these reasons I am against storing SSH Private Keys. I would
>>     > like to know what are the reasons to instead implement this feature
>>     > and the security considerations around those reasons.
>>     > From my point of view the balance between feature vs security issues
>>     > trips in disfavor of implementing the feature but I am willing to be
>>     > convinced otherwise if there are good reasons to, and security
>>     > issues can be properly addressed with some clever scheme.
>>     >
>>
>>
>>     I think there has been some confusion here. What I was looking for
>>     was a way to prevent the users from receiving a message when ssh'ing
>>     into a host that's been reinstalled, that the host's key has changed.
>>
>>     I believe it will become available in the future version IPA 2.2 /
>>     RHEL 6.3?
>>
>>
>> So what you're looking for is an automatic deployment of known_hosts
>> in a centralised way (/etc/ssh) each time a new machine is deployed 
>> in an IPA domain ?
>>
>
> No, I would like not having to update the existing known_hosts when a
> host is re-installed.
>
But the ssh feature of IPA and SSSD will automatically maintain
known_hosts for you, so it looks like the problem will be solved with
what we have in 2.2. Have you given it a try?


>
> Rgds,
> Siggi
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
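For reference, the client-side configuration behind the IPA 2.2 / SSSD behaviour Simo and Dmitri describe (trusting host public keys published in IPA instead of per-user known_hosts entries), as an added example that is not part of the thread; the domain and server names are placeholders, and ipa-client-install normally writes these settings for you.

```ini
# /etc/sssd/sssd.conf (relevant parts only)
# The "ssh" responder serves host public keys that enrolled hosts
# uploaded to IPA; no private key ever leaves the host or LDAP.
[sssd]
services = nss, pam, ssh
domains = example.test

[domain/example.test]
id_provider = ipa
# placeholder server name
ipa_server = ipa.example.test

# /etc/ssh/ssh_config (SSH client side)
# sss_ssh_knownhostsproxy fetches the target host's public key from SSSD
# and writes it to the global known_hosts before the connection is made,
# so a reinstalled host that re-enrolled with its new key does not trigger
# the "host key has changed" warning, and no admin needs read access to
# private keys to achieve that.
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
```

A host's current public key can be inspected with `ipa host-show <hostname>` to confirm that re-enrollment after a reinstall replaced the old key before clients rely on it.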

