> > On Friday, July 8th, 2022 at 1:02 PM, Rob Crittenden [email protected] wrote:
> >
> > > Not sure what you mean by "wire traffic". It's a vault so perhaps you
> > > stored some keys there. IPA already encrypts all its own internal traffic.
> >
> > When I first installed FreeIPA it did not yet default to encrypted traffic
> > for all accesses.
>
> Can you expand on this? Literally all the KRA does is store secrets. It
> does not protect traffic unless you manually use those secrets to do so.

Sorry for muddling my description. I was attempting to only show relative time 
frames. At about the same time, I was making changes to get wire traffic 
encrypted and ALSO thinking of switching some of my libvirt VMs to containers, 
which would require shared vaults. I made my changes for encrypted traffic 
about 6 weeks before the release that heralded all traffic being encrypted by 
default. KRA was installed but no vaults actually deployed since I decided to 
stick with VMs for now.

> There are URI records like:
>
> kpasswd.example.test. 3600 IN URI 0 100 "krb5srv:m:tcp:ipa.example.test."

Thanks.

> > The word match for 'secret=(\w+)$' fails if the first character of the
> > secret isn't alphanumeric. It would incorrectly handle a secret with
> > embedded special characters, though I don't think it would trigger an
> > error, except when the initial alphanumeric portion of the secret was in
> > fact different.
>
> Ok yeah, bad regex.

Reported at https://github.com/freeipa/freeipa-healthcheck/issues/275

Best regards,
Eric
