On 7.4.2016 08:43, Fraser Tweedale wrote:
> Hi team,
>
> I updated the Sub-CAs design page with more detail for the key
> replication[1]. This part of the design is nearly complete (a large
> patchset is in review over at pki-devel@) but there are various
> options about how to authenticate to Custodia.
>
> [1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
>
> In brief, the options are:
>
> 1) authenticate as host principal; install binary setuid
> root:pkiuser to read host keytab and custodia keys.

Huh, I really do not like this. Host keytab on IPA master is one of the
most sensitive keys we have. Maybe gssproxy can be used somehow, but I
think it would be better to use a separate key.

> 2) authenticate as host principal; copy host keytab and custodia
> keys to location readable by pkiuser.

No, really, do not copy host keytab anywhere.

> 3) create new principal for pkiuser to use, along with custodia keys
> and keytab in location readable by pkiuser.
>
> I prefer option (1) for reasons outlined in the design page. The
> design page goes into quite a bit more detail so please review the
> section linked above and get back to me with your thoughts.

The only downside of (3) using new keys is:

... This approach requires the creation of new principals, and Kerberos
keytabs and Custodia keys for those principals, as part of the
installation/upgrade process.

Compared with an additional SUID binary this seems a safer and easier
way to go. FreeIPA installers already create quite a lot of principals
and keytabs, so this is a well understood task.

I would do (3).

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
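The objection to options (1) and (2) above is that the host keytab ends up readable by an account other than root. As an added example (not code from the thread or from FreeIPA), the following audit reports a keytab file whose ownership or mode would let a service account such as pkiuser read it; the file paths, the `expected_uid` parameter and the sample files are constructed for the demonstration.

```python
"""Audit a Kerberos keytab's ownership and mode for exposure to non-root accounts."""
import os
import stat
import tempfile


def audit_keytab(path: str, expected_uid: int = 0) -> list[str]:
    """Return findings describing why `path` could be read or altered by an
    account other than its intended owner (root by default)."""
    st = os.stat(path)
    findings = []
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    if st.st_mode & stat.S_IRGRP:
        findings.append("group-readable")
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample: a locked-down keytab (0600) beside a copy that was
    made group-readable (0640) so a service account's group could use it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uid = os.getuid()  # the real check would pass expected_uid=0 (root)
        for name, mode in (("krb5.keytab", 0o600), ("copied.keytab", 0o640)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"\x05\x02")  # constructed placeholder bytes, not a real keytab
            os.chmod(path, mode)
            results[name] = audit_keytab(path, expected_uid=uid)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no exposure found")
```

Run on a real master the call would be `audit_keytab("/etc/krb5.keytab")`, and any non-empty result means the host keytab is reachable by more than root.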
