[Freeipa-users] Use of FreeIPA or FreeIPA LDAP server to hold private keys
Ian Stokes-Rees
ijstokes at hkl.hms.harvard.edu
Wed Aug 3 16:21:38 UTC 2011
On Wed Aug 3 10:37:45 2011, Stephen Gallagher wrote:
> As a general rule, I would think that having your private key stored
> somewhere that an admin other than yourself can reset the password and
> have access to would be really dangerous. Most especially if this
> private key was being used to access sites in other administrative
> domains.
>
> That really sounds like an accident waiting to happen...
If you are concerned about that, then don't make use of a centralized
keystore.
You may be a security expert and have a deeper understanding of this
than I do, but from my limited experience and knowledge of security
audits and risk assessment, if you don't trust your system
administrators then you have a whole heap of other issues you need to
contend with.
Consider that the FreeIPA server is probably *more* secure than the
user-accessible systems and file servers. If someone with
administrative (root) privs for the part of the system where I store my
passphrase-encrypted private key would be the kind of person who would
take the private key from a central keystore, if it existed, then do
you not think they could get my passphrase and/or cleartext private key
from the system *without* a central keystore?
This is not to say there aren't arguments against it: a policy mix-up
or a bug in the central keystore could lead to *all* users having their
private keys compromised, and an admin who can dip in and grab private
keys without any evidence would also be bad, but hopefully the "Audit"
part of IPA means that any access to private keys will be securely
logged, and flagged if they are by users other than the "owner" of the
private key.
This is a topic that is very important to me, so I'm quite interested
to hear how my reasoning may be flawed, or to hear opinions from others.
Regards,
Ian
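The safeguard Ian describes in the message above, logging every access to a stored private key and flagging accesses made by anyone other than the key's owner, can be illustrated with a small log review script. This is an added example, not code from the thread or from FreeIPA; the audit line format, the `privkey/<owner>` object naming convention and the sample entries are all constructed for illustration and do not reflect FreeIPA's real audit output.

```python
"""Flag private-key accesses in an audit log that were not made by the key's owner.

Added example. The log format, the "privkey/<owner>" naming convention and the
sample lines are constructed for illustration; they are not FreeIPA's audit format.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample audit log: timestamp followed by space-separated key=value fields.
SAMPLE_AUDIT_LOG = """\
2011-08-03T16:21:38Z actor=ian object=privkey/ian action=read result=success
2011-08-03T16:25:02Z actor=ian object=privkey/ian action=read result=success
2011-08-03T17:02:11Z actor=admin1 object=privkey/ian action=read result=success
2011-08-03T17:05:40Z actor=admin1 object=privkey/ian action=read result=denied
2011-08-03T17:10:09Z actor=sgallagh object=privkey/sgallagh action=read result=success
2011-08-03T17:12:55Z actor=admin2 object=privkey/sgallagh action=export result=success
2011-08-03T17:15:00Z actor=admin2 object=group/admins action=modify result=success
"""


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    actor: str
    obj: str
    action: str
    result: str


def parse_audit_line(line: str) -> AuditEvent:
    """Parse one constructed audit line into an AuditEvent."""
    timestamp, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return AuditEvent(timestamp, kv["actor"], kv["object"], kv["action"], kv["result"])


def key_owner(obj: str) -> Optional[str]:
    """Return the owner of a private-key object, or None if the object is not a key.

    Assumes the constructed convention that key objects are named "privkey/<owner>".
    """
    prefix, _, owner = obj.partition("/")
    return owner if prefix == "privkey" and owner else None


def flag_non_owner_access(lines: Iterable[str], include_denied: bool = False) -> List[AuditEvent]:
    """Return every private-key access performed by someone other than the key's owner.

    Denied attempts are skipped by default; pass include_denied=True to surface
    them as well, since repeated denials are worth a look in their own right.
    """
    flagged: List[AuditEvent] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        event = parse_audit_line(line)
        owner = key_owner(event.obj)
        if owner is None or event.actor == owner:
            continue  # not a key object, or the owner touching their own key
        if event.result != "success" and not include_denied:
            continue
        flagged.append(event)
    return flagged


def summarize_by_actor(events: Iterable[AuditEvent]) -> Dict[str, int]:
    """Count flagged events per actor, which is what a reviewer wants to see first."""
    counts: Dict[str, int] = {}
    for event in events:
        counts[event.actor] = counts.get(event.actor, 0) + 1
    return counts


if __name__ == "__main__":
    hits = flag_non_owner_access(SAMPLE_AUDIT_LOG.splitlines())
    for event in hits:
        print(f"{event.timestamp} {event.actor} {event.action} {event.obj} ({event.result})")
    print("per-actor totals:", summarize_by_actor(hits))
```

Running the script on the constructed log reports the two successful non-owner accesses (one read by `admin1`, one export by `admin2`); enabling `include_denied` adds the denied attempt as a third entry. The owner check is the whole point: an administrator reading their own key is routine, while an administrator reading someone else's is the event the "Audit" part of the design is supposed to make visible.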