On Thu, 2016-04-07 at 16:43 +1000, Fraser Tweedale wrote: > Hi team, > > I updated the Sub-CAs design page with more detail for the key > replication. This part of the design is nearly complete (a large > patchset is in review over at pki-devel@) but there are various > options about how to authenticate to Custodia. > >  http://www.freeipa.org/page/V4/Sub-CAs#Key_replication > > In brief, the options are: > > 1) authenticate as host principal; install binary setuid > root:pkiuser to read host keytab and custodia keys. > > 2) authenticate as host principal; copy host keytab and custodia > keys to location readable by pkiuser. > > 3) create new principal for pkiuser to use, along with custodia keys > and keytab in location readable by pkiuser. > > I prefer option (1) for reasons outlined in the design page. The > design page goes into quite a bit more detail so please review the > section linked above and get back to me with your thoughts.
I haven't read the whole design completely yet (sorry, busy with some critical bug), only the Key Replication part. We are moving toward removing access to the HTTP key from even the IPA framework, and I would definitely not want to give access to the host keytab to unprivileged processes. So I lean very heavily on (3). Simo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code