Re: [Freeipa-users] vaults and service accounts

2016-07-25 Thread Martin Basti



On 25.07.2016 16:22, Anthony Clark wrote:
> I wondered about that, but the docs specifically say public key, and
> the command line option to "ipa vault-add" is "--public-key"
>
> From "ipa vault-add --help"
>
>   --public-key=BYTES      Vault public key
>   --public-key-file=STR   File containing the vault public key
>
> So I hope you can understand my confusion ;)
>
> Can anyone else speak to whether the newer versions of the vault code
> are any different?
>
> Thank you, Martin!


Yeah, sorry, I meant public key; the private key is used for deciphering.

My point was just not to use a certificate.

Martin



> On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti wrote:
>
> > On 24.07.2016 16:33, Anthony Clark wrote:
> >
> > > Hello All,
> > >
> > > I have a crazy notion of storing a host's SSH private keys in an
> > > ipa vault, so that a rebuilt host can use the same keys.
> > >
> > > I'm on CentOS 7.2 and I'm using the RPMs available in the
> > > standard centos base repository, so I'm constrained to version
> > > 1.0 vaults.  I'm using this page:
> > >
> > > http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
> > >
> > > I'm trying the following steps but running into trouble:
> > >
> > > ipa service-add ssh/test01.dev.redacted.net
> > >
> > > certutil -N -d testcertdb
> > >
> > > certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
> > >
> > > ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted@dev.redacted.net
> > >
> > > ipa vault-add testsshd02 --service ssh/test01.dev.redacted@dev.redacted.net --type asymmetric --public-key-file testsshd01-cert.pem
> > >
> > > the last command gives me "ipa: ERROR: invalid
> > > 'ipavaultpublickey': Invalid or unsupported vault public key:
> > > Could not unserialize key data."
> > >
> > > Is there a preferred way to create a public key for asymmetric
> > > encryption for a service vault?
> > >
> > > Thanks,
> > >
> > > Anthony Clark
> >
> > Hello,
> > I suspect you should use just a private key, not a certificate
> >
> > https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
> >
> > Regards,
> > Martin




-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
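Putting Martin's correction into practice, as an added example that is not from the thread or from the FreeIPA project: the vault is created with a bare public key (the "BEGIN PUBLIC KEY" PEM that OpenSSL emits), the private key is kept for retrieval, and a certificate is never handed to `--public-key-file`. The script also classifies a PEM file before calling `ipa`, so a certificate or a private key passed by mistake is caught locally rather than by the "Could not unserialize key data" error. The vault name, service principal, file names and the SSH host key path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): key material for a
# version-1.0 asymmetric service vault, built with OpenSSL as the wikibook page
# linked in the thread describes, plus the vault commands that use it.
# Vault name, service principal and all file names are assumptions.
set -eu

VAULT="sshd-hostkeys"                            # assumed vault name
SERVICE="ssh/host01.example.test@EXAMPLE.TEST"   # assumed service principal
PRIV_KEY="vault-priv.pem"                        # stays with whoever may read the vault
PUB_KEY="vault-pub.pem"                          # goes to "ipa vault-add --public-key-file"

# Classify a PEM file by its first armour header. "ipa vault-add --public-key-file"
# expects a bare public key ("BEGIN PUBLIC KEY"); a certificate wraps the same key
# in a different structure and is rejected with "Could not unserialize key data".
pem_kind() {
    first=$(grep '^-----BEGIN ' "$1" 2>/dev/null | head -n 1)
    case "$first" in
        "-----BEGIN PUBLIC KEY-----")       echo public-key ;;
        "-----BEGIN CERTIFICATE-----")      echo certificate ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----")
                                            echo private-key ;;
        *)                                  echo unknown ;;
    esac
}

# True only for a file the vault will accept as its public key.
vault_pubkey_ok() {
    [ "$(pem_kind "$1")" = public-key ]
}

# Already have a certificate from ipa-getcert (as in the thread)? Its public key
# can be pulled out in the expected form instead of generating a new pair.
pubkey_from_cert() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

provision_vault() {
    # 1. A plain RSA keypair; the private half decrypts everything archived in
    #    the vault, so it belongs in the same protection class as the secrets.
    openssl genrsa -out "$PRIV_KEY" 2048
    # 2. The public half in SubjectPublicKeyInfo PEM, i.e. "BEGIN PUBLIC KEY".
    openssl rsa -in "$PRIV_KEY" -pubout -out "$PUB_KEY"
    # 3. Check before calling ipa, so a wrong file is explained, not guessed at.
    if ! vault_pubkey_ok "$PUB_KEY"; then
        echo "refusing: $PUB_KEY is a $(pem_kind "$PUB_KEY"), not a public key" >&2
        return 1
    fi
    # 4. Create the service vault keyed to the public key ...
    ipa vault-add "$VAULT" --service "$SERVICE" --type asymmetric --public-key-file "$PUB_KEY"
    # 5. ... archive the host key into it (assumed path) ...
    ipa vault-archive "$VAULT" --service "$SERVICE" --in /etc/ssh/ssh_host_ed25519_key
    # 6. ... and on the rebuilt host retrieve it with the private key.
    ipa vault-retrieve "$VAULT" --service "$SERVICE" \
        --private-key-file "$PRIV_KEY" --out /etc/ssh/ssh_host_ed25519_key
}

# Only run the real workflow when asked; the functions above can be sourced and
# used on their own (for example to check a file before passing it to ipa).
if [ "${1:-}" = provision ]; then
    provision_vault
fi
```

Two practical points follow from the design rather than from the thread: the rebuilt host can only pull its SSH host key back once it has `vault-priv.pem`, so that file has to reach it out of band (or an admin with the key runs the retrieve), and because it decrypts every secret in the vault it deserves the same handling as the host keys themselves. Vaults also require the KRA component to be installed on the IPA server.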

Re: [Freeipa-users] vaults and service accounts

2016-07-25 Thread Anthony Clark
I wondered about that, but the docs specifically say public key, and the
command line option to "ipa vault-add" is "--public-key"

From "ipa vault-add --help"

  --public-key=BYTES      Vault public key
  --public-key-file=STR   File containing the vault public key

So I hope you can understand my confusion ;)

Can anyone else speak to whether the newer versions of the vault code are
any different?

Thank you, Martin!


On Mon, Jul 25, 2016 at 4:32 AM, Martin Basti wrote:

>
>
> On 24.07.2016 16:33, Anthony Clark wrote:
>
> Hello All,
>
> I have a crazy notion of storing a host's SSH private keys in an ipa vault,
> so that a rebuilt host can use the same keys.
>
> I'm on CentOS 7.2 and I'm using the RPMs available in the standard centos
> base repository, so I'm constrained to version 1.0 vaults.  I'm using this
> page:
> http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance
>
> I'm trying the following steps but running into trouble:
>
> ipa service-add ssh/test01.dev.redacted.net
>
> certutil -N -d testcertdb
>
> certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'
>
> ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted@dev.redacted.net
>
> ipa vault-add testsshd02 --service ssh/test01.dev.redacted@dev.redacted.net --type asymmetric --public-key-file testsshd01-cert.pem
>
> the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey':
> Invalid or unsupported vault public key: Could not unserialize key data."
>
> Is there a preferred way to create a public key for asymmetric encryption
> for a service vault?
>
> Thanks,
>
> Anthony Clark
>
>
>
> Hello,
> I suspect you should use just a private key, not a certificate
>
> https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL
>
> Regards,
> Martin
>

Re: [Freeipa-users] vaults and service accounts

2016-07-25 Thread Martin Basti



On 24.07.2016 16:33, Anthony Clark wrote:

Hello All,

I have a crazy notion of storing a host's SSH private keys in an ipa
vault, so that a rebuilt host can use the same keys.

I'm on CentOS 7.2 and I'm using the RPMs available in the standard
centos base repository, so I'm constrained to version 1.0 vaults.  I'm
using this page:
http://www.freeipa.org/page/V4/Password_Vault_1.0#Provisioning_service_vault_password_for_service_instance

I'm trying the following steps but running into trouble:

ipa service-add ssh/test01.dev.redacted.net

certutil -N -d testcertdb

certutil -R -d testcertdb -a -g 2048 -s 'CN=test01.dev.redacted.net,O=DEV.REDACTED.NET'

ipa-getcert request -r -f testsshd01-cert.pem -k testsshd01-key.pem -K ssh/test01.dev.redacted@dev.redacted.net

ipa vault-add testsshd02 --service ssh/test01.dev.redacted@dev.redacted.net --type asymmetric --public-key-file testsshd01-cert.pem


the last command gives me "ipa: ERROR: invalid 'ipavaultpublickey': 
Invalid or unsupported vault public key: Could not unserialize key data."


Is there a preferred way to create a public key for asymmetric 
encryption for a service vault?


Thanks,

Anthony Clark




Hello,
I suspect you should use just a private key, not a certificate

https://en.wikibooks.org/wiki/Cryptography/Generate_a_keypair_using_OpenSSL

Regards,
Martin