On 2016-04-07 11:09, Petr Spacek wrote:
> On 7.4.2016 08:43, Fraser Tweedale wrote:
>> Hi team,
>> I updated the Sub-CAs design page with more detail for the key
>> replication[1].  This part of the design is nearly complete (a large
>> patchset is in review over at pki-devel@) but there are various
>> options about how to authenticate to Custodia.
>> [1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
>> In brief, the options are:
>> 1) authenticate as host principal; install binary setuid
>>    root:pkiuser to read host keytab and custodia keys.
> Huh, I really do not like this. Host keytab on IPA master is one of the most
> sensitive keys we have.
> Maybe gssproxy can be used somehow, but I think it would be better to use
> separate key.
>> 2) authenticate as host principal; copy host keytab and custodia
>>    keys to location readable by pkiuser.
> No, really, do not copy host keytab anywhere.
>> 3) create new principal for pkiuser to use, along with custodia keys
>>    and keytab in location readable by pkiuser.
>> I prefer option (1) for reasons outlined in the design page.  The
>> design page goes into quite a bit more detail so please review the
>> section linked above and get back to me with your thoughts.
> The only downside of (3) using new keys is:
> ... This approach requires the creation of new principals, and Kerberos
> keytabs and Custodia keys for those principals, as part of the
> installation/upgrade process.
> Compared with additional SUID binary this seems as safer and easier way to go.
> FreeIPA installers already create quite a lot of principals and keytabs so
> this is well understood task.
> I would do (3).

+1 for (3)

A SUID binary feels like a dangerous hack.


Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to