On Mon, Jan 08, 2018 at 06:48:11PM -0700, Sean Hogan via FreeIPA-users wrote:
> 
> Hi Fraser,
> 
>   Thanks for the reply.  Agreed that a vault stores a secret, however when
> that secret is, say, a pw for a shared ID like for instance.... root.   While
> a number of people can access the password for root in the vault I might
> not want 20 people using the root pw at the same time because I am losing
> traceability as to who is using root.  Other vaults use the concept of
> checking in/out the password so while it is checked out no one else can get
> the password, leaving the traceability intact.  When the password is
> checked in then the password is automatically reset so the last person that
> knew it can no longer use it without going through the check out process again,
> which satisfies a lot of regulatory/audit concerns.
> 
> 
>   It would appear those types of features are not available in the IPA
> vault but wanted to confirm it with you all.
> 
Hi Sean,

I can confirm that we don't support that.  It is beyond the scope of
what vault is (a simple secret store).  What you really want is a
system that releases unique one-time credentials to authorised
users, and corresponding components on the target server(s) to
validate these credentials (e.g. a PAM module) and generate relevant
audit events.  FreeIPA does not have this feature.

An alternative is to use HBAC rules and/or Sudo rules to limit who
can log in to target servers, and who can perform particular
privileged operations on target servers.  FreeIPA enables this
approach.

Cheers,
Fraser
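The HBAC/sudo alternative Fraser describes, as an added example that is not part of this thread or of FreeIPA's own documentation: a POSIX shell script driving the `ipa` CLI so that one user group may reach a host group over ssh and run a single command as root, with every action logged under the caller's own account rather than a shared root password. The group, host group, rule and command names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): replace a shared root password with
# FreeIPA HBAC rules (who may log in where) and sudo rules (who may run
# what as root). Group, hostgroup, rule and command names are assumptions.
set -eu

# Command used to talk to the IPA server; set IPA=echo for a dry run.
IPA=${IPA:-ipa}

# HBAC rule: members of $usergroup may reach hosts in $hostgroup, but only
# through the sshd PAM service.
hbac_allow_ssh() {
    rule=$1 usergroup=$2 hostgroup=$3
    "$IPA" hbacrule-add "$rule" --desc="ssh for $usergroup to $hostgroup"
    "$IPA" hbacrule-add-user "$rule" --groups="$usergroup"
    "$IPA" hbacrule-add-host "$rule" --hostgroups="$hostgroup"
    "$IPA" hbacrule-add-service "$rule" --hbacsvcs=sshd
}

# Sudo rule: members of $usergroup may run exactly $cmd as root on
# $hostgroup; sudo logs each invocation under the caller's own identity.
# sudocmd-add fails if the command object already exists in IPA.
sudo_allow_cmd() {
    rule=$1 usergroup=$2 hostgroup=$3 cmd=$4
    "$IPA" sudocmd-add "$cmd" --desc="allowed by $rule"
    "$IPA" sudorule-add "$rule"
    "$IPA" sudorule-add-user "$rule" --groups="$usergroup"
    "$IPA" sudorule-add-host "$rule" --hostgroups="$hostgroup"
    "$IPA" sudorule-add-allow-command "$rule" --sudocmds="$cmd"
    "$IPA" sudorule-add-runasuser "$rule" --users=root
}

# Ask the server to evaluate HBAC for one user/host/service before relying
# on it (does not touch the target host).
hbac_check() {
    "$IPA" hbactest --user="$1" --host="$2" --service="$3"
}

main() {
    # The default allow_all rule would otherwise bypass the new HBAC rule.
    "$IPA" hbacrule-disable allow_all
    hbac_allow_ssh db-admins-ssh db-admins db-servers
    sudo_allow_cmd db-admins-systemctl db-admins db-servers /usr/bin/systemctl
    hbac_check alice db01.example.test sshd
}

# Only run against a server when the ipa client is actually installed.
if command -v "$IPA" >/dev/null 2>&1; then main; fi
```

Run with `IPA=echo sh script.sh` first to review the exact `ipa` commands it would issue.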

> 
> Sean Hogan
> 
> From: Fraser Tweedale via FreeIPA-users
>             <freeipa-users@lists.fedorahosted.org>
> To:   FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc:   Sean Hogan <scho...@us.ibm.com>, Fraser Tweedale
>             <ftwee...@redhat.com>
> Date: 01/08/2018 06:20 PM
> Subject:      [Freeipa-users] Re: IPA Password Vault
> 
> 
> 
> On Mon, Jan 08, 2018 at 08:44:29AM -0700, Sean Hogan via FreeIPA-users
> wrote:
> >   Hello,
> >
> >  I have recently been looking into the password vault for IPA and would
> > like to implement it, however I have not been able to find an answer to a
> > compliance question on it yet.
> >
> >    Does the IPA PW vault limit checking out the password for a shared id
> > to one person at a time?  I am thinking this would ensure personal
> > accountability for the use of that ID instead of allowing multiple people
> > to check out the same id password.
> >
> > RHEL 7.3 IPA 4.4
> >
> I'm not 100% sure what you are asking.  Vault is for storing a
> secret.  A shared vault means more than one person can read the
> vault.  Authorised people can "retrieve" the secret, but the datum
> is the same for each person, and there is no concept of "checking
> out" or "locking".
> 
> Hope that helps,
> Fraser
> 
> >
> > Sean Hogan
> >
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org