On 2016-04-07 11:09, Petr Spacek wrote:
> On 7.4.2016 08:43, Fraser Tweedale wrote:
>> Hi team,
>>
>> I updated the Sub-CAs design page with more detail for the key
>> replication. This part of the design is nearly complete (a large
>> patchset is in review over at pki-devel@) but there are various
>> options about how to authenticate to Custodia.
>>
>>   http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
>>
>> In brief, the options are:
>>
>> 1) authenticate as host principal; install binary setuid
>> root:pkiuser to read host keytab and custodia keys.
>
> Huh, I really do not like this. Host keytab on IPA master is one of the most
> sensitive keys we have.
>
> Maybe gssproxy can be used somehow, but I think it would be better to use
> separate key.
>
>
>> 2) authenticate as host principal; copy host keytab and custodia
>> keys to location readable by pkiuser.
>
> No, really, do not copy host keytab anywhere.
>
>
>> 3) create new principal for pkiuser to use, along with custodia keys
>> and keytab in location readable by pkiuser.
>>
>> I prefer option (1) for reasons outlined in the design page. The
>> design page goes into quite a bit more detail so please review the
>> section linked above and get back to me with your thoughts.
>
> The only downside of (3) using new keys is:
> ... This approach requires the creation of new principals, and Kerberos
> keytabs and Custodia keys for those principals, as part of the
> installation/upgrade process.
>
> Compared with additional SUID binary this seems as safer and easier way to go.
> FreeIPA installers already create quite a lot of principals and keytabs so
> this is well understood task.
>
> I would do (3).
+1 for (3)

A SUID binary feels like a dangerous hack.

Christian
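Option (3) as discussed above comes down to two checkable properties on each master: the keytab that pkiuser can read holds only the dedicated principal (never the host/ key, which options (1) and (2) would expose), and the file itself is owned by pkiuser with no group/other access. The following is an added example, not FreeIPA, Dogtag or Custodia code, that checks both by parsing the keytab file format directly. The principal name dogtag/<fqdn>@REALM, the hostname, realm and key bytes are constructed for the demo; the design page does not fix the principal name, so treat it as an assumption.

```python
"""Audit a pkiuser-readable keytab for the option (3) layout.

Added example, not FreeIPA/Custodia code. Assumes a dedicated principal of the
form "dogtag/<fqdn>@REALM" (hypothetical name) kept in its own keytab, owned by
pkiuser with mode 0600, and that the host/ key must never appear in it.
"""
import os
import pwd
import stat
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"   # MIT/Heimdal keytab file format, version 2
KRB5_NT_PRINCIPAL = 1
ETYPE_AES256_SHA1 = 18


def _counted(b):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries, timestamp=1460000000):
    """Serialize (principal, enctype, key, kvno) tuples into keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, enctype, key, kvno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)             # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body  # size counts bytes after itself
    return bytes(out)


def parse_keytab(data):
    """Parse keytab bytes into dicts; deleted slots (negative size) are skipped."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []

    def counted():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        val = data[pos:pos + n]
        pos += n
        return val

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # deleted (or empty) slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = counted()
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno; 0 means "use vno8"
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def audit_keytab_bytes(data, allowed_principals):
    """Principals the pkiuser keytab must not contain (e.g. host/<fqdn>)."""
    return [f"unexpected principal {e['principal']} (kvno {e['kvno']})"
            for e in parse_keytab(data) if e["principal"] not in allowed_principals]


def audit_keytab_file(path, expected_owner, allowed_principals):
    """Owner and mode checks, then the principal check on the file contents."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if owner != expected_owner:
        findings.append(f"owner is {owner}, expected {expected_owner}")
    if mode & 0o077:
        findings.append(f"mode {oct(mode)} grants group/other access")
    with open(path, "rb") as fh:
        findings += audit_keytab_bytes(fh.read(), allowed_principals)
    return findings


def demo():
    """Write a correct keytab and an option (2)-style one, audit both."""
    fqdn, realm = "ipa.example.test", "EXAMPLE.TEST"   # constructed
    dogtag, host = f"dogtag/{fqdn}@{realm}", f"host/{fqdn}@{realm}"
    me = pwd.getpwuid(os.getuid()).pw_name              # stands in for pkiuser
    good = build_keytab([(dogtag, ETYPE_AES256_SHA1, b"\x11" * 32, 2)])
    bad = build_keytab([(host, ETYPE_AES256_SHA1, b"\x22" * 32, 1),   # host key copied
                        (dogtag, ETYPE_AES256_SHA1, b"\x11" * 32, 2)])
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, blob, mode in (("good", good, 0o600), ("bad", bad, 0o644)):
            path = os.path.join(d, name + ".keytab")
            with open(path, "wb") as fh:
                fh.write(blob)
            os.chmod(path, mode)
            results[name] = audit_keytab_file(path, me, {dogtag})
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

Run on a real master, audit_keytab_file would be pointed at the service keytab with expected_owner "pkiuser" and the allowed set containing only the dedicated principal; the "bad" case in demo() is what an option (2) layout looks like to this check (host key present, file group/other readable).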
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code