Re: [openstack-dev] Supporting SSH host certificates
And k8s has the benefit of already having been installed with certs that
had to get there somehow.. through a trust bootstrap.. usually SSH. ;)
Excerpts from Fox, Kevin M's message of 2017-10-09 17:37:17 +:
> Yeah, there is a way to do it today. It really sucks though for most users.
> Due
Byrum [cl...@fewbar.com]
Sent: Friday, October 06, 2017 3:24 PM
To: openstack-dev
Subject: Re: [openstack-dev] Supporting SSH host certificates
Excerpts from Giuseppe de Candia's message of 2017-10-06 13:49:43 -0500:
> Hi Clint,
>
> Isn't user-data by definition available via the Metadata API, which isn't
> considered secure:
> https://wiki.openstack.org/wiki/OSSN/OSSN-0074
>
Correct! The thinking is to account for the MITM attack
On 2017-10-06 13:49:43 -0500 (-0500), Giuseppe de Candia wrote:
> Isn't user-data by definition available via the Metadata API,
> which isn't considered secure:
> https://wiki.openstack.org/wiki/OSSN/OSSN-0074
[...]
It depends on who you are. If you're the one deploying/running nova
then you can
Hi Clint,
Isn't user-data by definition available via the Metadata API, which isn't
considered secure:
https://wiki.openstack.org/wiki/OSSN/OSSN-0074
Or is there a way to specify that certain user-data should only be
available via config-drive (and not metadata api)?
Otherwise, the only
rdata
> 4: https://athenz.io
>
>
> On Fri, Sep 29, 2017 at 5:17 PM, Fox, Kevin M <kevin@pnnl.gov> wrote:
>
>> https://review.openstack.org/#/c/93/
>> --
>> From: Giuseppe de Candia [giuseppe.decan...@gmail.com]
>> Se
A long time ago, a few Canonical employees (Scott Moser was one of them,
forget who else was doing it, maybe Dave Walker and/or Dustin Kirkland)
worked out a scheme for general usage that doesn't require extra plumbing:
* Client generates a small SSH host key locally and pushes it into
user
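The scheme Clint sketches above (the client generates the host key itself, ships it to the instance, and so never has to accept an unknown key on first connect, the trust-on-first-use problem the original post's background paragraph introduces) can be worked through end to end on the client side. The following is an added example, not code from this thread, from cloud-init or from any OpenStack project. It assumes the key is delivered as cloud-config user-data using cloud-init's `ssh_keys` module (`ed25519_private` / `ed25519_public`), and that the pair was produced with `ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ''` (assumed command). The key bytes and the private-key text in the script are constructed placeholders so that it runs offline; everything else (OpenSSH public-key wire encoding, `SHA256:` fingerprints, plain and hashed `known_hosts` entries) follows the real formats.

```python
# Added example (not from the openstack-dev thread, cloud-init or Nova):
# client-side trust bootstrap for an instance's SSH host key.
import base64
import hashlib
import hmac
import os
import struct

KEY_TYPE = "ssh-ed25519"

# CONSTRUCTED stand-in for the 32 raw public-key bytes ssh-keygen would
# produce; not a real curve point, only enough to exercise the encodings.
CONSTRUCTED_PUBLIC_BYTES = bytes(range(32))
# CONSTRUCTED placeholder for the private-key file body (not a real key).
CONSTRUCTED_PRIVATE_PEM = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "PLACEHOLDER-NOT-A-REAL-KEY\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def _ssh_string(b: bytes) -> bytes:
    """One length-prefixed string as defined in RFC 4251."""
    return struct.pack(">I", len(b)) + b


def encode_pubkey_blob(key_type: str, raw: bytes) -> bytes:
    """Binary blob behind the base64 field of an OpenSSH public key line."""
    return _ssh_string(key_type.encode()) + _ssh_string(raw)


def pubkey_line(key_type: str, raw: bytes, comment: str) -> str:
    """Text form as found in ssh_host_ed25519_key.pub."""
    b64 = base64.b64encode(encode_pubkey_blob(key_type, raw)).decode()
    return f"{key_type} {b64} {comment}"


def parse_pubkey_line(line: str):
    """Return (key_type, raw_bytes); reject blobs whose inner type
    disagrees with the leading text field or that carry trailing data."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    n = struct.unpack(">I", blob[:4])[0]
    inner_type = blob[4:4 + n].decode()
    if inner_type != fields[0]:
        raise ValueError("key type mismatch between text field and blob")
    m = struct.unpack(">I", blob[4 + n:8 + n])[0]
    raw = blob[8 + n:8 + n + m]
    if len(raw) != m or blob[8 + n + m:]:
        raise ValueError("malformed public key blob")
    return inner_type, raw


def fingerprint_sha256(blob: bytes) -> str:
    """Fingerprint as `ssh-keygen -l` prints it: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(hostname: str, key_type: str, raw: bytes,
                      hashed: bool = True) -> str:
    """Pin the key for `hostname`; `hashed` gives the |1|salt|hmac form."""
    b64 = base64.b64encode(encode_pubkey_blob(key_type, raw)).decode()
    if not hashed:
        return f"{hostname} {key_type} {b64}"
    salt = os.urandom(20)  # HashKnownHosts uses a 20-byte salt (SHA-1 size)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    salt_b64 = base64.b64encode(salt).decode()
    mac_b64 = base64.b64encode(mac).decode()
    return f"|1|{salt_b64}|{mac_b64} {key_type} {b64}"


def known_hosts_matches(entry: str, hostname: str) -> bool:
    """True if the entry's host field (plain or hashed) names `hostname`."""
    host_field = entry.split()[0]
    if not host_field.startswith("|1|"):
        return hostname in host_field.split(",")
    _, _, salt_b64, mac_b64 = host_field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


def cloud_config_ssh_keys(private_pem: str, public_line: str) -> str:
    """cloud-config user-data that makes cloud-init install this pair as the
    instance's ed25519 host key (cloud-init `ssh_keys` module keys)."""
    body = "".join("    " + ln + "\n"
                   for ln in private_pem.rstrip("\n").split("\n"))
    return ("#cloud-config\n"
            "ssh_keys:\n"
            "  ed25519_private: |\n" + body +
            f"  ed25519_public: {public_line}\n")


if __name__ == "__main__":
    pub = pubkey_line(KEY_TYPE, CONSTRUCTED_PUBLIC_BYTES, "root@vm.example")
    print(fingerprint_sha256(encode_pubkey_blob(*parse_pubkey_line(pub))))
    print(known_hosts_entry("vm.example", KEY_TYPE, CONSTRUCTED_PUBLIC_BYTES))
    print(cloud_config_ssh_keys(CONSTRUCTED_PRIVATE_PEM, pub))
```

The `known_hosts` line is written from the same public key that goes into the user-data, so the client checks the instance against a key it minted rather than one it first learns from the network. The caveat the rest of this thread turns on still applies: the user-data carries the private half, and per OSSN-0074 anything that can reach the metadata API on the instance can read it, which is why the discussion moves toward config-drive-only delivery.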
--
>> From: Giuseppe de Candia [giuseppe.decan...@gmail.com]
>> Sent: Friday, September 29, 2017 1:05 PM
>> To: OpenStack Development Mailing List (not for usage questions)
>> Subject: Re: [openstack-dev] Supporting SSH host certificates
>>
>> Ihar, thanks
17 1:05 PM
> To: OpenStack Development Mailing List (not for usage questions)
> Subject: Re: [openstack-dev] Supporting SSH host certificates
>
> Ihar, thanks for pointing that out - I'll definitely take a close look.
>
> Jon, I'm not very familiar with Barbican, but I did assum
https://review.openstack.org/#/c/93/
From: Giuseppe de Candia [giuseppe.decan...@gmail.com]
Sent: Friday, September 29, 2017 1:05 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Supporting SSH host certificates
Hi Ihar,
I have reviewed https://review.openstack.org/#/c/456394/ (Fetch hostkey
from port) and noted that:
1) that discussion is likely to stay among the Neutron developers only
(whereas I would like a wider audience, especially including Nova
developers)
2) that proposal does not consider SSH
Ihar, thanks for pointing that out - I'll definitely take a close look.
Jon, I'm not very familiar with Barbican, but I did assume the full
implementation would use Barbican to store private keys. However, in terms
of actually getting a private key (or SSH host cert) into a VM instance,
Barbican
What you describe (at least the use case) seems to resemble
https://review.openstack.org/#/c/456394/ This work never moved
anywhere since the spec was posted though. You may want to revive the
discussion in scope of the spec.
Ihar
On Fri, Sep 29, 2017 at 12:21 PM, Giuseppe de Candia
Giuseppe,
I'm pretty sure this is the project you want to look into:
http://git.openstack.org/cgit/openstack/barbican/
"Barbican is a ReST API designed for the secure storage, provisioning
and management of secrets, including in OpenStack environments."
-Jon
On Fri, Sep 29, 2017 at
Hi Folks,
My intent in this e-mail is to solicit advice for how to inject SSH host
certificates into VM instances, with minimal or no burden on users.
Background (skip if you're already familiar with SSH certificates): without
host certificates, when clients ssh to a host for the first time