On Thu, Apr 07, 2016 at 12:29:00PM +0200, Jan Cholasta wrote:
> On 7.4.2016 12:13, Christian Heimes wrote:
> > On 2016-04-07 11:09, Petr Spacek wrote:
> >> On 7.4.2016 08:43, Fraser Tweedale wrote:
> >>> Hi team,
> >>>
> >>> I updated the Sub-CAs design page with more detail for the key
> >>> replication[1]. This part of the design is nearly complete (a large
> >>> patchset is in review over at pki-devel@) but there are various
> >>> options about how to authenticate to Custodia.
> >>>
> >>> [1] http://www.freeipa.org/page/V4/Sub-CAs#Key_replication
> >>>
> >>> In brief, the options are:
> >>>
> >>> 1) authenticate as host principal; install binary setuid
> >>>    root:pkiuser to read host keytab and custodia keys.
> >>
> >> Huh, I really do not like this. Host keytab on IPA master is one of
> >> the most sensitive keys we have.
> >>
> >> Maybe gssproxy can be used somehow, but I think it would be better to
> >> use a separate key.
> >>
> >>
> >>> 2) authenticate as host principal; copy host keytab and custodia
> >>>    keys to location readable by pkiuser.
> >>
> >> No, really, do not copy host keytab anywhere.
> >>
> >>
> >>> 3) create new principal for pkiuser to use, along with custodia keys
> >>>    and keytab in location readable by pkiuser.
> >>>
> >>> I prefer option (1) for reasons outlined in the design page. The
> >>> design page goes into quite a bit more detail so please review the
> >>> section linked above and get back to me with your thoughts.
> >>
> >> The only downside of (3) using new keys is:
> >> ... This approach requires the creation of new principals, and
> >> Kerberos keytabs and Custodia keys for those principals, as part of
> >> the installation/upgrade process.
> >>
> >> Compared with an additional SUID binary this seems a safer and easier
> >> way to go.
> >> FreeIPA installers already create quite a lot of principals and
> >> keytabs so this is a well understood task.
> >>
> >> I would do (3).
> >
> > +1 for (3)
> >
> > A SUID binary feels like a dangerous hack.
>
> +1
>
OK, (3) it is. Thanks all for your input.

Now for the next question: what should the service principal name be?
I think `dogtag/example....@example.com' but am open to other
suggestions, e.g. `pki/...'.

Cheers,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code