Re: [Freeipa-devel] access control for cert generation

2009-10-21 Thread Dmitri Pal
Rob Crittenden wrote:
 Dmitri Pal wrote:
 Rob Crittenden wrote:
 I touched on this a little in IRC, figured I'd move it to the list for
 a fuller conversation.

 I'm in the process of adding access controls to machines requesting
 certificates for themselves.

 Let me first show what happens when a certificate request occurs:

 - Some authenticated entity generates a CSR and submits a request.
 This request consists of a service principal name and the CSR
 - If the hostname of the CSR matches the hostname of the requestor it
 is passed to the CA (optionally an entity may be granted to issue
 certs for any host)
 - the CA automatically issues a certificate and returns the cert blob
 - If the service already exists, the cert blob is added to the entry
 - If not and it was requested, a service record is created for the
 service principal
 - Finally the cert text is returned to the client

 So a couple of things here:

 - Do we want any machine to be able to generate certificates for
 itself? Steve was a bit nervous about this.

 I think there is a difference between host cert for the system and
 service cert for the same host.

 Not really. What is this host cert going to be used for? The only kind
 of cert we currently issue is for SSL servers, not for identity (e.g.
 no client certs).


Well I think this is the problem. In my mind there is a cert for the
host that is created during enrollment that is used for the host itself
and not bound to any service running on the host.
This cert is used only for SSL communication with IPA server in cases
when the keytab can't be used or for host to host authentication in the
VPN case for example.

And then there are certs that are bound to specific services. They have
some specific attribute that binds it to the service.


 Issuance or tracking of the service certs needs to be initiated by the
 user that has rights to request tracking or creation of a specific
 service cert. 

 Ok, that's fine, but it precludes generating an SSL cert in a
 kickstart without providing some sort of credential. I was planning on
 using the host keytab to get the certificate. If that is out then my
 life becomes much, much simpler.

I thought that either a user's credential or an OTP is required to
initiate the sequence.
I think we need a quick call about these things to sort out the assumptions.
I will set up something for tomorrow.



 So without this initial authorization I do not think the host can do
 anything with the cert for the service running on the host.
 This means that the initial cert tracking issuance request should create
 some kind of the attribute that will be used in the ACI rule to check if
 this cert can then later on be re-requested by the host.

 Does this approach make sense?

 We currently have access controls for users to request certs for
 hosts. That should be adequate to cover this.

 So it sounds like there is nothing to do here, move along :-)

I am not sure. I think we are missing something.


 rob

 - If not, do we want a group to specify which machines can do
 requests? Could get cumbersome to manage at some point but otherwise
 it would be a manual process to say Steve's laptop can't request
 certs.
 - machines will need permission to write service entries. Do we want
 to grant this access to all machines? I might need some help from the
 389 team to write an ACI that lets us control machines only writing
 service principals for themselves. I'd essentially need to pull out
 the hostname part of the krbprincipalname and somehow use that to
 limit write access to host/hostn...@realm. I can do it in code but
 then someone could do an ldapmodify to add a service and go around our
 XML-RPC interface (very naughty).

 rob
 


 ___
 Freeipa-devel mailing list
 Freeipa-devel@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-devel





-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



Re: [Freeipa-devel] access control for cert generation

2009-10-20 Thread Rob Crittenden

Dmitri Pal wrote:

Rob Crittenden wrote:

I touched on this a little in IRC, figured I'd move it to the list for
a fuller conversation.

I'm in the process of adding access controls to machines requesting
certificates for themselves.

Let me first show what happens when a certificate request occurs:

- Some authenticated entity generates a CSR and submits a request.
This request consists of a service principal name and the CSR
- If the hostname of the CSR matches the hostname of the requestor it
is passed to the CA (optionally an entity may be granted to issue
certs for any host)
- the CA automatically issues a certificate and returns the cert blob
- If the service already exists, the cert blob is added to the entry
- If not and it was requested, a service record is created for the
service principal
- Finally the cert text is returned to the client

So a couple of things here:

- Do we want any machine to be able to generate certificates for
itself? Steve was a bit nervous about this.


I think there is a difference between host cert for the system and
service cert for the same host.


Not really. What is this host cert going to be used for? The only kind 
of cert we currently issue is for SSL servers, not for identity (e.g. no 
client certs).



Issuance or tracking of the service certs needs to be initiated by the
user that has rights to request tracking or creation of a specific
service cert. 


Ok, that's fine, but it precludes generating an SSL cert in a kickstart 
without providing some sort of credential. I was planning on using the 
host keytab to get the certificate. If that is out then my life becomes 
much, much simpler.



So without this initial authorization I do not think the host can do
anything with the cert for the service running on the host.
This means that the initial cert tracking issuance request should create
some kind of the attribute that will be used in the ACI rule to check if
this cert can then later on be re-requested by the host.

Does this approach make sense?


We currently have access controls for users to request certs for hosts. 
That should be adequate to cover this.


So it sounds like there is nothing to do here, move along :-)

rob


- If not, do we want a group to specify which machines can do
requests? Could get cumbersome to manage at some point but otherwise
it would be a manual process to say Steve's laptop can't request certs.
- machines will need permission to write service entries. Do we want
to grant this access to all machines? I might need some help from the
389 team to write an ACI that lets us control machines only writing
service principals for themselves. I'd essentially need to pull out
the hostname part of the krbprincipalname and somehow use that to
limit write access to host/hostn...@realm. I can do it in code but
then someone could do an ldapmodify to add a service and go around our
XML-RPC interface (very naughty).

rob









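As an added example (not FreeIPA's code and not from either poster), the two decisions the thread circles around, written out in Python: the "does the CSR hostname match the requestor" step of the request flow, with the optional "may issue certs for any host" privilege, and the "may this host write a service entry for itself" check that Rob wants expressed as an ACI. It assumes principals of the form service/hostname@REALM (host principals being host/fqdn@REALM), takes the CSR's subject CN as an already-extracted string, and uses hypothetical function names; all sample principals are constructed.

```python
"""
Added example (not FreeIPA code): the authorization decisions discussed in
the freeipa-devel thread on access control for cert generation.

Assumptions (not from the thread): principal syntax 'service/hostname@REALM';
the CSR hostname is passed in as the subject CN string, already extracted.
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Principal:
    service: str   # "host" for host principals, e.g. "HTTP" or "ldap" for services
    hostname: str
    realm: str


def parse_principal(name: str) -> Principal:
    """Parse 'service/hostname@REALM'; anything else is rejected."""
    if name.count("@") != 1:
        raise ValueError(f"bad principal (need exactly one '@'): {name!r}")
    local, realm = name.split("@")
    if local.count("/") != 1:
        raise ValueError(f"bad principal (need 'service/hostname'): {name!r}")
    service, hostname = local.split("/")
    if not service or not hostname or not realm:
        raise ValueError(f"bad principal (empty component): {name!r}")
    return Principal(service, hostname, realm)


def norm_host(hostname: str) -> str:
    """DNS names are case-insensitive; strip a trailing dot and lowercase for comparison."""
    return hostname.strip().lower().rstrip(".")


def authorize_cert_request(requestor: str, service_principal: str,
                           csr_hostname: str,
                           may_issue_for_any_host: bool = False) -> Tuple[bool, str]:
    """
    Decide whether `requestor` may obtain a cert for `service_principal`
    given the CSR's hostname. Mirrors the thread's rule: the CSR hostname
    must match the requestor's own host unless the requestor has been
    granted the right to issue certs for any host.
    """
    req = parse_principal(requestor)
    svc = parse_principal(service_principal)
    if req.realm != svc.realm:
        return False, "realm mismatch between requestor and service"
    if norm_host(svc.hostname) != norm_host(csr_hostname):
        return False, "CSR hostname does not match the service principal's host"
    if may_issue_for_any_host:
        return True, "requestor is permitted to issue certs for any host"
    if req.service != "host":
        return False, "non-host requestor without the any-host privilege"
    if norm_host(req.hostname) != norm_host(csr_hostname):
        return False, "host may only request certs for its own hostname"
    return True, "host requesting a cert for itself"


def may_write_service_entry(bind_principal: str, service_principal: str) -> bool:
    """
    The check Rob wants as an ACI: a bound host may only add/modify service
    entries whose hostname part equals its own. Note the thread's caveat:
    enforcing this only in the XML-RPC layer leaves ldapmodify as a bypass,
    so the real control belongs in the directory server's ACI.
    """
    who = parse_principal(bind_principal)
    svc = parse_principal(service_principal)
    return (who.service == "host"
            and who.realm == svc.realm
            and norm_host(who.hostname) == norm_host(svc.hostname))


if __name__ == "__main__":
    # Constructed sample inputs.
    cases = [
        ("host/web.example.com@EXAMPLE.COM", "HTTP/web.example.com@EXAMPLE.COM", "web.example.com", False),
        ("host/laptop.example.com@EXAMPLE.COM", "HTTP/web.example.com@EXAMPLE.COM", "web.example.com", False),
        ("host/laptop.example.com@EXAMPLE.COM", "HTTP/web.example.com@EXAMPLE.COM", "web.example.com", True),
    ]
    for requestor, svc, cn, any_host in cases:
        ok, why = authorize_cert_request(requestor, svc, cn, any_host)
        print(f"{requestor} -> {svc}: {'ALLOW' if ok else 'DENY'} ({why})")
    print(may_write_service_entry("host/web.example.com@EXAMPLE.COM",
                                  "HTTP/db.example.com@EXAMPLE.COM"))
```

The ordering of checks matters for the failure mode the thread worries about: a machine that lies in its CSR (a CN for some other host) is rejected on the CSR-versus-service comparison before its own identity is even consulted, and the "any host" flag only widens the requestor check, never the realm or CSR-consistency checks.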