On 06/05/2012 04:38 PM, Jérôme Fenal wrote:
2012/6/5 Sigbjorn Lie <sigbj...@nixtra.com>

    On Fri, June 1, 2012 15:24, Simo Sorce wrote:
    > This is about Ticket 1978 (originally rhbz746036).
    > This RFE asks for storing private SSH Host Keys in FreeIPA.
    > We have been triaging this ticket today, and I have to admit I am biased
    > toward simply closing down the ticket.
    > However we want to reach out to the community and interested parties that
    > opened the ticket to understand if there are reasons strong enough to
    > consider implementing it.
    >
    > The reason I am against this is that in FreeIPA we already provide
    > public Key integration. This means that when the host is re-installed
    > new keys are loaded in IPA and clients do not get the obnoxious warning
    > message that keys have changed, because enrolled clients (with the
    > appropriate integration bits) trust FreeIPA so they do not need to ask
    > the user to confirm on a key change.
    >
    > Storing Private Keys poses various liability issues, in order to be able
    > to restore keys you need to give access to those keys to an admin, as
    > there is no other way to authenticate just the host itself (it was just
    > blown away and reinstalled). This means any admin account that can
    > perform reinstalls needs to have access to *read* private keys out of
    > LDAP, which means that
    > A) The central tenet of Asymmetric authentication is that private keys
    > are 'private'.
    > B) keys are readable from LDAP to some accounts, any slight error in
    > ACIs would risk exposing all private keys.
    > C) most probably low level (junior admin) accounts will have read access
    > to pretty much all private keys, because those admins are the ones tasked
    > with re-installs. However those admins are also the ones less trusted,
    > yet by giving them access to private keys they are enabled to perform
    > MITM attacks against pretty much any of the machines managed by FreeIPA.
    >
    > For these reasons I am against storing SSH Private Keys. I would like to
    > know what are the reasons to instead implement this feature and the
    > security considerations around those reasons.
    >
    > From my point of view the balance between feature vs security
    > trips in disfavor of implementing the feature but I am willing to be
    > convinced otherwise if there are good reasons to, and security issues
    > can be properly addressed with some clever scheme.

    I think there has been some confusion here. What I was looking for
    was a way to prevent the users
    from receiving a message when ssh'ing into a host that's been
    reinstalled, that the host's key has

    I believe will become available in the future version IPA 2.2 /
    RHEL 6.3?

So what you're looking for is an automatic deployment of known_hosts in a centralised way (/etc/ssh) each time a new machine is deployed in an IPA domain?

No, I would like not having to update the existing known_hosts when a host is re-installed.

