[Freeipa-devel] [DESIGN] Sub-CAs; authenticating to Custodia
Christian Heimes
cheimes at redhat.com
Thu Apr 7 10:13:24 UTC 2016
On 2016-04-07 11:09, Petr Spacek wrote:
> On 7.4.2016 08:43, Fraser Tweedale wrote:
>> Hi team,
>>
>> I updated the Sub-CAs design page with more detail for the key
>> replication[1]. This part of the design is nearly complete (a large
>> patchset is in review over at pki-devel@) but there are various
>> options about how to authenticate to Custodia.
>>
>> [1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
>>
>> In brief, the options are:
>>
>> 1) authenticate as host principal; install binary setuid
>> root:pkiuser to read host keytab and custodia keys.
>
> Huh, I really do not like this. Host keytab on IPA master is one of the most
> sensitive keys we have.
>
> Maybe gssproxy can be used somehow, but I think it would be better to use a
> separate key.
>
>
>> 2) authenticate as host principal; copy host keytab and custodia
>> keys to location readable by pkiuser.
>
> No, really, do not copy host keytab anywhere.
>
>
>> 3) create new principal for pkiuser to use, along with custodia keys
>> and keytab in location readable by pkiuser.
>>
>> I prefer option (1) for reasons outlined in the design page. The
>> design page goes into quite a bit more detail so please review the
>> section linked above and get back to me with your thoughts.
>
> The only downside of (3) using new keys is:
> ... This approach requires the creation of new principals, and Kerberos
> keytabs and Custodia keys for those principals, as part of the
> installation/upgrade process.
>
> Compared with an additional SUID binary this seems a safer and easier way to go.
> FreeIPA installers already create quite a lot of principals and keytabs, so
> this is a well-understood task.
>
> I would do (3).
+1 for (3)
A SUID binary feels like a dangerous hack.
Christian
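The property that separates the three options above is who can read which key file: under (3) each service user owns only its own keytab and Custodia key, while the host keytab stays root-only. The following is an added example, not FreeIPA or Custodia code, that audits such a layout. It constructs throwaway files in a temporary directory (the file names, the choice of uid 0 for the host keytab, and the 0600 expectation are assumptions of the example, not requirements stated in the thread) and reports any file that is missing, a symlink, owned by the wrong user, or readable beyond its owner.

```python
"""Audit keytab / Custodia key placement for the 'dedicated principal' layout.

Added example, not FreeIPA or Custodia code. Assumes: every service user's
keytab and Custodia key is a regular file owned by that user with mode 0600,
and the host keytab is owned by root (uid 0) with mode 0600. File names and
contents below are constructed for the demonstration.
"""
import os
import shutil
import stat
import tempfile


def audit_keyfile(path, expected_uid, expected_mode=0o600):
    """Return a list of findings for one key file; an empty list means it passes."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink to someone else's keytab
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    perm = stat.S_IMODE(st.st_mode)
    if perm != expected_mode:
        findings.append(f"mode {perm:04o} != expected {expected_mode:04o}")
    return findings


def audit_layout(layout):
    """layout: {path: (expected_uid, expected_mode)} -> {path: findings} for failures only."""
    report = {}
    for path, (uid, mode) in layout.items():
        findings = audit_keyfile(path, uid, mode)
        if findings:
            report[path] = findings
    return report


def demo():
    """Build a constructed layout, audit it, and return failures keyed by file name."""
    me = os.getuid()
    tmp = tempfile.mkdtemp(prefix="keytab-audit-")
    try:
        good = os.path.join(tmp, "pkiuser.keytab")   # dedicated principal, owner-only
        leaky = os.path.join(tmp, "host.keytab")     # host keytab copied and group-readable
        for p in (good, leaky):
            with open(p, "wb") as f:
                f.write(b"constructed keytab bytes")  # not a real keytab
        os.chmod(good, 0o600)
        os.chmod(leaky, 0o640)
        layout = {
            good: (me, 0o600),
            leaky: (0, 0o600),  # host keytab must stay root-owned and 0600
            os.path.join(tmp, "custodia.key"): (me, 0o600),  # never written: reported missing
        }
        report = audit_layout(layout)
        return {os.path.basename(p): f for p, f in report.items()}
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

Run as root the owner check on the constructed host keytab passes and only the mode finding remains; as an unprivileged user both the owner and mode findings are reported.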