On Fri, 2014-05-23 at 22:50 -0400, Simo Sorce wrote:
> No, but those need to be accessible to the user, I think you can
> create a meta-package that contains those passwords when you create the first
> master, encrypted in a gpg file with private keys only stored in the
> freeipa servers.

I do something similar for the admin.
https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
I'll blog (as docs) about the details shortly.

> Then you can move them around w/o puppet knowing what they contain,
> although puppet will have to transfer at least public keys around.

Are you okay with each individual ipa server having a different pub/private keypair, and a gpg encrypted file being passed around containing the cleartext dm_password? The private key on each host wouldn't be able to have a password, _and_ ultimately someone with root could get the cleartext password, whereas the current status quo probably hashes it. So I would see this as less secure.

> Simo.
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel