On 06/05/2012 04:38 PM, Jérôme Fenal wrote:
> 2012/6/5 Sigbjorn Lie <sigbj...@nixtra.com>
>
> > On Fri, June 1, 2012 15:24, Simo Sorce wrote:
> > > This is about Ticket 1978 (originally rhbz746036).
> > > This RFE asks for storing private SSH Host Keys in FreeIPA.
> > > We have been triaging this ticket today, and I have to admit I toward simply closing down the ticket.
> > > However we want to reach out to the community and interested parties that opened the ticket to understand if there are reasons strong enough to consider implementing it.
> > >
> > > The reason I am against this is that in FreeIPA we already provide public Key integration. This means that when the host is re-installed new keys are loaded in IPA and clients do not get the obnoxious warning message that keys have changed, because enrolled clients (with the appropriate integration bits) trust FreeIPA so they do not need to ask the user to confirm on a key change.
> > >
> > > Storing Private Keys poses various liability issues, in order to restore keys you need to give access to those keys to an admin, as there is no other way to authenticate just the host itself (it was just blown away and reinstalled). This means any admin account that can perform reinstalls needs to have access to *read* private keys out of LDAP, which means that A) The central tenet of Asymmetric authentication is that private keys are 'private'. B) keys are readable from LDAP to some accounts, any slight error in ACIs would risk exposing all private keys. C) most probably low level (junior admin) accounts will have to pretty much all private keys, because those admins are the ones tasked with re-installs. However those admins are also the ones less trusted, yet by giving them access to private keys they are enabled to perform MITM attacks against pretty much any of the machines managed by FreeIPA.
> > >
> > > For these reasons I am against storing SSH Private Keys. I would know what are the reasons to instead implement this feature and the security considerations around those reasons.
> > > From my point of view the balance between feature vs security trips in disfavor of implementing the feature but I am willing to be convinced otherwise if there are good reasons to, and security issues can be properly addressed with some clever scheme.
> >
> > I think there has been some confusion here. What I was looking for was a way to prevent the users from receiving a message when ssh'ing into a host that's been reinstalled, that the host's key has
> > I believe will become available in the future version IPA 2.2 /
>
> So what you're looking for is an automatic deployment of known_hosts in a centralised way (/etc/ssh) each time a new machine is deployed in an IPA domain?

No, I would like not having to update the existing known_hosts when a host is re-installed.
Freeipa-devel mailing list