Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-02-06 Thread Giuseppe de Candia
6, 2018 at 4:21 PM, Giuseppe de Candia < > giuseppe.decan...@gmail.com> wrote: > >> Hi Folks, >> >> I know the request is very late, but I wasn't aware of this SIG until >> recently. Would it be possible to present a new project to the Security SIG >> a

Re: [openstack-dev] [security] Security PTG Planning, x-project request for topics.

2018-02-06 Thread Giuseppe de Candia
Hi Folks, I know the request is very late, but I wasn't aware of this SIG until recently. Would it be possible to present a new project to the Security SIG at the PTG? I need about 30 minutes. I'm hoping to drum up interest in the project, sign on users and contributors and get feedback. For the

Re: [openstack-dev] Supporting SSH host certificates

2017-10-06 Thread Giuseppe de Candia
Hi Clint, Isn't user-data by definition available via the Metadata API, which isn't considered secure: https://wiki.openstack.org/wiki/OSSN/OSSN-0074 Or is there a way to specify that certain user-data should only be available via config-drive (and not metadata api)? Otherwise, the only

Re: [openstack-dev] Supporting SSH host certificates

2017-10-06 Thread Giuseppe de Candia
rdata > 4: https://athenz.io > > > On Fri, Sep 29, 2017 at 5:17 PM, Fox, Kevin M <kevin@pnnl.gov> wrote: > >> https://review.openstack.org/#/c/93/ >> -- >> *From:* Giuseppe de Candia [giuseppe.decan...@gmail.com] >> *Se

Re: [openstack-dev] Security of Meta-Data

2017-10-04 Thread Giuseppe de Candia
Hi Folks, I'm still processing all this information - thanks for your help! --Pino On Wed, Oct 4, 2017 at 7:58 AM, Jeremy Stanley wrote: > On 2017-10-04 10:47:02 +0100 (+0100), Luke Hinds wrote: > [...] > > The recommendation is not to use metadata for security sensitive >

[openstack-dev] Security of Meta-Data

2017-10-03 Thread Giuseppe de Candia
Hi Folks, Are there any documented conventions regarding the security model for MetaData? Note that CloudInit allows passing user and ssh service public/private keys via MetaData service (or ConfigDrive). One assumes it must be secure, but I have not found a security model or documentation.

Re: [openstack-dev] Supporting SSH host certificates

2017-09-29 Thread Giuseppe de Candia
/introducing-the-uber-ssh-certificate-authority-4f840839c5cc On Fri, Sep 29, 2017 at 3:05 PM, Giuseppe de Candia < giuseppe.decan...@gmail.com> wrote: > Ihar, thanks for pointing that out - I'll definitely take a close look. > > Jon, I'm not very familiar with Barbican, but I did

Re: [openstack-dev] Supporting SSH host certificates

2017-09-29 Thread Giuseppe de Candia
> Ihar > > On Fri, Sep 29, 2017 at 12:21 PM, Giuseppe de Candia > <giuseppe.decan...@gmail.com> wrote: > > Hi Folks, > > > > > > > > My intent in this e-mail is to solicit advice for how to inject SSH host > > certificates into VM instances, wit

[openstack-dev] Supporting SSH host certificates

2017-09-29 Thread Giuseppe de Candia
Hi Folks, My intent in this e-mail is to solicit advice for how to inject SSH host certificates into VM instances, with minimal or no burden on users. Background (skip if you're already familiar with SSH certificates): without host certificates, when clients ssh to a host for the first time