Dne 13.2.2013 20:10, Simo Sorce napsal(a):
On Wed, 2013-02-13 at 19:34 +0100, Ondrej Hamada wrote:
Dne 13.2.2013 14:36, Simo Sorce napsal(a):
On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote:

It looks like thinks are starting to boil down to building a Kerberos proxy.
Is this something that fits within your thesis agenda Ondra?
I guess that's for Ondrej to say, if it is too much we can simply start
working on the LDAP/replication side with rekeying and what not, and
deal with the KDC part at a later time.


Working on the LDAP/repl side fits the thesis agenda better, so I would
like to go that way.

Rekeying - do you mean some sort of plugin for transporting the krb keys
from masters to consumers?

Besides securing transport of keys what else should be done in ldap?
I've only partial replication in my mind - I mean replication of entries
selected by some kind of ldap filters.
We would need to re-encrypt keys so that we do not need to hand off to
remote KDCs the same master key.
This way a compromise in a branch office replica would not compromise
the central infrastructure, but only affect the remote branch.


Just a small summary from IRC chat:
Master servers must posses all RO replicas master keys in order to able to re-encrypt the keys. Probably replica long-term key (or any other key known only to replica) could be used.

If the hubs are used, then they must also posses the RO replicas keys. Under such circumstances the compromised hub is almost the same threat as compromised master. Additionally the hub does not bring much functionality we can not supply by master server. So it seems as a better idea to don't create special hub replicas and use the master server instead (just don't expose it to clients).

As a next step I'm going to look at the ipa password plugin for dirsrv - do you think it is a good source of inspiration for the rekeying plugin?

Freeipa-devel mailing list

Reply via email to