On 7.4.2016 08:43, Fraser Tweedale wrote:
> Hi team,
> I updated the Sub-CAs design page with more detail for the key
> replication. This part of the design is nearly complete (a large
> patchset is in review over at pki-devel@) but there are various
> options about how to authenticate to Custodia.
>  http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
> In brief, the options are:
> 1) authenticate as host principal; install binary setuid
> root:pkiuser to read host keytab and custodia keys.
Huh, I really do not like this. Host keytab on IPA master is one of the most
sensitive keys we have.
Maybe gssproxy can be used somehow, but I think it would be better to use
> 2) authenticate as host principal; copy host keytab and custodia
> keys to location readable by pkiuser.
No, really, do not copy host keytab anywhere.
> 3) create new principal for pkiuser to use, along with custodia keys
> and keytab in location readable by pkiuser.
> I prefer option (1) for reasons outlined in the design page. The
> design page goes into quite a bit more detail so please review the
> section linked above and get back to me with your thoughts.
The only downside of (3) using new keys is:
... This approach requires the creation of new principals, and Kerberos
keytabs and Custodia keys for those principals, as part of the
Compared with an additional SUID binary this seems a safer and easier way to go.
FreeIPA installers already create quite a lot of principals and keytabs so
this is a well understood task.
I would do (3).
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code