[Freeipa-devel] Understanding FreeIPA replica internals

James purpleidea at gmail.com
Sat May 24 02:57:51 UTC 2014


On Fri, 2014-05-23 at 22:50 -0400, Simo Sorce wrote:
> No, but those need to be accessible to the user, I think you can
> create a meta-package that contains those passwords when you create the first
> master, encrypted in a gpg file with private keys only stored in the
> freeipa servers.
I do something similar for the admin.
https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
I'll blog (as docs) about the details shortly.

> 
> Then you can move them around w/o puppet knowing what they contain,
> although puppet will have to transfer at least public keys around.
Are you okay with each individual ipa server having a different
pub/private keypair, and a gpg encrypted file being passed around
containing the cleartext dm_password? The private key on each host
wouldn't be able to have a password, _and_ ultimately someone with root
could get the cleartext password, whereas the current status quo
probably hashes it. So I would see this as less secure.

> 
> Simo.
