2012/6/1 JR Aquino <<a href="mailto:JR.Aquino@citrix.com" target="_blank">JR.Aquino@citrix.com</a>> <div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div class="HOEnZb"><div class="h5"> On Jun 1, 2012, at 6:35 AM, "Stephen Gallagher" <<a href="mailto:sgallagh@redhat.com">sgallagh@redhat.com</a>> wrote: > On Fri, 2012-06-01 at 09:24 -0400, Simo Sorce wrote: >> This is about Ticket 1978 (originally rhbz746036). >> >> This RFE asks for storing private SSH Host Keys in FreeIPA. >> >> We have been triaging this ticket today, and I have to admit I am biased >> toward simply closing down the ticket. >> >> However we want to reach out community and interested parties that >> opened the tick to understand if there are reasons strong enough to >> consider implementing it. >> >> The reason I am against this is that in FreeIPA we already provide >> public Key integration. This means that when the host is re-installed >> new keys are loaded in IPA and clients do not get the obnoxious warning >> message that keys have changed, because enrolled clients (with the >> appropriate integration bits) trust FreeIPA so they do not need to ask >> the user to confirm on a key change. >> >> Storing Private Keys poses various liability issues, in order to be able >> to restore keys you need to give access to those keys to an admin, as >> there is no other way to authenticate just the host itself (it was just >> blown away and reinstalled). >> This means any admin account that can perform reinstalls need to have >> access to *read* private keys out of LDAP, which means that >> A) The central tenet of Asymetric authentication is that private keys >> are 'private'. >> B) keys are readable from LDAP to some accounts, any slight error in >> ACIs would risk exposing all private keys. >> C) most probably low level (junior admin) accounts will have read access >> to pretty much all private keys, because those admins are the one tasked >> with re-installs. However those admins are also the ones less trusted, >> yet by giving them access to private keys they are enabled to perform >> MITM attacks against pretty much any of the machines managed by FreeIPA. >> >> For these reasons I am against storing SSH Private Keys. I would like to >> know what are the reasons to instead implement this feature and the >> security considerations around those reasons. >>> From my point of view the balance between feature vs security issues >> trips in disfavor of implementing the feature but I am willing to be >> convinced otherwise if there are good reasons to, and security issues >> can be properly addressed with some clever scheme. > > > For the record, I am also in favor of just closing the ticket. It's much > safer and wiser to require re-provisioning of the public key in the > FreeIPA server than it is to try storing the private key. I suspect that > when we had the original conversation on IRC, it was before we had > decided that FreeIPA would be managing public keys. I am firmly against > ever storing host private keys in a central location. </div></div>+1 I am also for the public and against the private. </blockquote><div> +1 </div></div> -- Jérôme Fenal - jfenal AT <a href="http://gmail.com" target="_blank">gmail.com</a> - <a href="http://fenal.org/" target="_blank">http://fenal.org/</a> Paris.pm - <a href="http://paris.mongueurs.net/" target="_blank">http://paris.mongueurs.net/</a>