On 7.4.2016 08:43, Fraser Tweedale wrote:
> Hi team,
> I updated the Sub-CAs design page with more detail for the key
> replication[1].  This part of the design is nearly complete (a large
> patchset is in review over at pki-devel@) but there are various
> options about how to authenticate to Custodia.
> [1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
> In brief, the options are:
> 1) authenticate as host principal; install binary setuid
>    root:pkiuser to read host keytab and custodia keys.

Huh, I really do not like this. Host keytab on IPA master is one of the most
sensitive keys we have.

Maybe gssproxy can be used somehow, but I think it would be better to use
separate key.

> 2) authenticate as host principal; copy host keytab and custodia
>    keys to location readable by pkiuser.

No, really, do not copy host keytab anywhere.

> 3) create new principal for pkiuser to use, along with custodia keys
>    and keytab in location readable by pkiuser.
> I prefer option (1) for reasons outlined in the design page.  The
> design page goes into quite a bit more detail so please review the
> section linked above and get back to me with your thoughts.

The only downside of (3) using new keys is:
... This approach requires the creation of new principals, and Kerberos
keytabs and Custodia keys for those principals, as part of the
installation/upgrade process.

Compared with additional SUID binary this seems as safer and easier way to go.
FreeIPA installers already create quite a lot of principals and keytabs so
this is well understood task.

I would do (3).

Petr^2 Spacek

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to