2012/6/5 Sigbjorn Lie <sigbj...@nixtra.com>

> On Fri, June 1, 2012 15:24, Simo Sorce wrote:
> > This is about Ticket 1978 (originally rhbz746036).
> >
> > This RFE asks for storing private SSH Host Keys in FreeIPA.
> >
> > We have been triaging this ticket today, and I have to admit I am biased
> > toward simply closing down the ticket.
> >
> > However we want to reach out to the community and interested parties that
> > opened the ticket to understand if there are reasons strong enough to
> > consider implementing it.
> >
> > The reason I am against this is that in FreeIPA we already provide
> > public Key integration. This means that when the host is re-installed
> > new keys are loaded in IPA and clients do not get the obnoxious warning
> > message that keys have changed, because enrolled clients (with the
> > appropriate integration bits) trust FreeIPA so they do not need to ask
> > the user to confirm on a key change.
> >
> > Storing Private Keys poses various liability issues, in order to be able
> > to restore keys you need to give access to those keys to an admin, as
> > there is no other way to authenticate just the host itself (it was just
> > blown away and reinstalled). This means any admin account that can
> > perform reinstalls needs to have access to *read* private keys out of
> > LDAP, which means that
> > A) The central tenet of Asymmetric authentication is that private keys
> > are 'private'.
> > B) keys are readable from LDAP to some accounts, any slight error in
> > ACIs would risk exposing all private keys.
> > C) most probably low level (junior admin) accounts will have read access
> > to pretty much all private keys, because those admins are the ones tasked
> > with re-installs. However those admins are also the ones less trusted,
> > yet by giving them access to private keys they are enabled to perform
> > MITM attacks against pretty much any of the machines managed by FreeIPA.
> >
> > For these reasons I am against storing SSH Private Keys. I would like to
> > know what are the reasons to instead implement this feature and the
> > security considerations around those reasons.
> >
> > From my point of view the balance between feature vs security issues
> > trips in disfavor of implementing the feature but I am willing to be
> > convinced otherwise if there are good reasons to, and security issues
> > can be properly addressed with some clever scheme.
>
> I think there has been some confusion here. What I was looking for was a
> way to prevent the users from receiving a message when ssh'ing into a host
> that's been reinstalled, that the host's key has changed.
>
> I believe this will become available in the future version IPA 2.2 / RHEL 6.3?

So what you're looking for is an automatic deployment of known_hosts in a centralised way (/etc/ssh) each time a new machine is deployed in an IPA domain?

Regards,

J.
-- 
Jérôme Fenal - jfenal AT gmail.com - http://fenal.org/
Paris.pm - http://paris.mongueurs.net/