[Freeipa-devel] [DESIGN] Sub-CAs; authenticating to Custodia

Petr Spacek pspacek at redhat.com
Thu Apr 7 09:09:50 UTC 2016


On 7.4.2016 08:43, Fraser Tweedale wrote:
> Hi team,
> 
> I updated the Sub-CAs design page with more detail for the key
> replication[1].  This part of the design is nearly complete (a large
> patchset is in review over at pki-devel@) but there are various
> options about how to authenticate to Custodia.
> 
> [1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
> 
> In brief, the options are:
> 
> 1) authenticate as host principal; install binary setuid
>    root:pkiuser to read host keytab and custodia keys.

Huh, I really do not like this. Host keytab on IPA master is one of the most
sensitive keys we have.

Maybe gssproxy can be used somehow, but I think it would be better to use a
separate key.


> 2) authenticate as host principal; copy host keytab and custodia
>    keys to location readable by pkiuser.

No, really, do not copy host keytab anywhere.


> 3) create new principal for pkiuser to use, along with custodia keys
>    and keytab in location readable by pkiuser.
> 
> I prefer option (1) for reasons outlined in the design page.  The
> design page goes into quite a bit more detail so please review the
> section linked above and get back to me with your thoughts.

The only downside of (3) using new keys is:
... This approach requires the creation of new principals, and Kerberos
keytabs and Custodia keys for those principals, as part of the
installation/upgrade process.

Compared with an additional SUID binary this seems a safer and easier way to go.
FreeIPA installers already create quite a lot of principals and keytabs, so
this is a well-understood task.

I would do (3).

-- 
Petr^2 Spacek
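The concern in this thread is which Kerberos keys end up readable by pkiuser: with option (1) or (2) a keytab holding the host principal is exposed, with option (3) only a dedicated principal is. The script below is an added example, not FreeIPA or Dogtag code, that audits a keytab the way a practitioner would before accepting either layout: it parses the MIT keytab on-disk format (version 0x0502), lists the principals it contains, flags any whose service name is not the one the process is supposed to use, and checks the file's owner and mode. The principal name custodia-pki/... and the realm EXAMPLE.TEST are assumptions for illustration, and the sample keytab bytes are constructed inline with dummy key material so the script runs offline.

```python
"""Audit which principals a Kerberos keytab exposes, and how it is protected.

Added example (not FreeIPA project code).  Parses MIT keytab format v2
(magic 0x05 0x02); the sample keytab is constructed inline with dummy keys.
"""
import os
import stat
import struct

KEYTAB_MAGIC = b"\x05\x02"


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries, deleted=()):
    """Construct a v2 keytab from (principal, enctype, key) tuples.

    Only used here to build sample input.  Entries whose index is in
    `deleted` are written with a negative size, which is how an unused
    slot is marked on disk and which a parser must skip.
    """
    out = bytearray(KEYTAB_MAGIC)
    for i, (principal, enctype, key) in enumerate(entries):
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type = 1 (NT-PRINCIPAL), timestamp = 0, vno8 = 1
        body += struct.pack(">IIB", 1, 0, 1)
        body += struct.pack(">H", enctype) + _counted(key)
        size = -len(body) if i in deleted else len(body)
        out += struct.pack(">i", size) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return [(principal, enctype), ...] for every live entry in the keytab."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, result = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:              # deleted slot: skip its payload
            pos += -size
            continue
        entry = blob[pos:pos + size]
        pos += size
        off = 0
        (ncomp,) = struct.unpack_from(">H", entry, off); off += 2
        (rlen,) = struct.unpack_from(">H", entry, off); off += 2
        realm = entry[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", entry, off); off += 2
            comps.append(entry[off:off + clen].decode()); off += clen
        off += 4 + 4 + 1          # skip name_type, timestamp, vno8
        (enctype,) = struct.unpack_from(">H", entry, off)
        result.append(("/".join(comps) + "@" + realm, enctype))
    return result


def audit_keytab(blob: bytes, allowed_service: str):
    """Principals in the keytab whose service name is not `allowed_service`.

    For a keytab readable by pkiuser this should be empty: a host/ entry
    here means the host principal is exposed to the PKI process.
    """
    return [p for p, _ in parse_keytab(blob) if p.split("/", 1)[0] != allowed_service]


def perm_problems(st_mode: int, st_uid: int, expected_uid: int):
    """Problems with a keytab's ownership/mode, as a list of strings."""
    problems = []
    if st_uid != expected_uid:
        problems.append("owned by uid %d, expected %d" % (st_uid, expected_uid))
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group/other (mode %o)" % stat.S_IMODE(st_mode))
    if st_mode & (stat.S_ISUID | stat.S_ISGID):
        problems.append("setuid/setgid bit set")
    return problems


def check_keytab_file(path: str, allowed_service: str, expected_uid: int):
    """Combine both checks against a keytab on disk."""
    st = os.stat(path)
    with open(path, "rb") as f:
        foreign = audit_keytab(f.read(), allowed_service)
    return {"foreign_principals": foreign,
            "permission_problems": perm_problems(st.st_mode, st.st_uid, expected_uid)}


# Constructed sample: what a keytab would hold under option (2) versus (3).
# "custodia-pki" is an assumed name for the dedicated principal of option (3).
SAMPLE_OPTION2 = build_keytab([
    ("host/ipa.example.test@EXAMPLE.TEST", 18, b"\x00" * 32),
    ("custodia-pki/ipa.example.test@EXAMPLE.TEST", 18, b"\x11" * 32),
])
SAMPLE_OPTION3 = build_keytab([
    ("custodia-pki/ipa.example.test@EXAMPLE.TEST", 18, b"\x11" * 32),
])

if __name__ == "__main__":
    print("option 2 exposes:", audit_keytab(SAMPLE_OPTION2, "custodia-pki"))
    print("option 3 exposes:", audit_keytab(SAMPLE_OPTION3, "custodia-pki"))
    print("mode 0640 owned by root, expected pkiuser:", perm_problems(0o100640, 0, 1000))
```

Run against a real file with `check_keytab_file("/path/to/pki.keytab", "custodia-pki", pkiuser_uid)`; anything other than an empty `foreign_principals` list and an empty `permission_problems` list means the PKI process can read keys beyond its own. Keys themselves are never printed, only principal names and encryption types.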
