On Jun 1, 2012, at 6:35 AM, "Stephen Gallagher" <sgall...@redhat.com> wrote:
> On Fri, 2012-06-01 at 09:24 -0400, Simo Sorce wrote: >> This is about Ticket 1978 (originally rhbz746036). >> >> This RFE asks for storing private SSH Host Keys in FreeIPA. >> >> We have been triaging this ticket today, and I have to admit I am biased >> toward simply closing down the ticket. >> >> However we want to reach out community and interested parties that >> opened the tick to understand if there are reasons strong enough to >> consider implementing it. >> >> The reason I am against this is that in FreeIPA we already provide >> public Key integration. This means that when the host is re-installed >> new keys are loaded in IPA and clients do not get the obnoxious warning >> message that keys have changed, because enrolled clients (with the >> appropriate integration bits) trust FreeIPA so they do not need to ask >> the user to confirm on a key change. >> >> Storing Private Keys poses various liability issues, in order to be able >> to restore keys you need to give access to those keys to an admin, as >> there is no other way to authenticate just the host itself (it was just >> blown away and reinstalled). >> This means any admin account that can perform reinstalls need to have >> access to *read* private keys out of LDAP, which means that >> A) The central tenet of Asymetric authentication is that private keys >> are 'private'. >> B) keys are readable from LDAP to some accounts, any slight error in >> ACIs would risk exposing all private keys. >> C) most probably low level (junior admin) accounts will have read access >> to pretty much all private keys, because those admins are the one tasked >> with re-installs. However those admins are also the ones less trusted, >> yet by giving them access to private keys they are enabled to perform >> MITM attacks against pretty much any of the machines managed by FreeIPA. >> >> For these reasons I am against storing SSH Private Keys. I would like to >> know what are the reasons to instead implement this feature and the >> security considerations around those reasons. >>> From my point of view the balance between feature vs security issues >> trips in disfavor of implementing the feature but I am willing to be >> convinced otherwise if there are good reasons to, and security issues >> can be properly addressed with some clever scheme. > > > For the record, I am also in favor of just closing the ticket. It's much > safer and wiser to require re-provisioning of the public key in the > FreeIPA server than it is to try storing the private key. I suspect that > when we had the original conversation on IRC, it was before we had > decided that FreeIPA would be managing public keys. I am firmly against > ever storing host private keys in a central location. +1 I am also for the public and against the private. _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel