[Freeipa-devel] Understanding FreeIPA replica internals

Simo Sorce simo at redhat.com
Sat May 24 03:35:08 UTC 2014


On Fri, 2014-05-23 at 22:57 -0400, James wrote:
> On Fri, 2014-05-23 at 22:50 -0400, Simo Sorce wrote:
> > No, but those need to be accessible to the user, I think you can
> > create a meta-package that contains those passwords when you create the first
> > master, encrypted in a gpg file with private keys only stored in the
> > freeipa servers.
> I do something similar for the admin.
> https://github.com/purpleidea/puppet-ipa/tree/feat/better-pw
> I'll blog (as docs) about the details shortly.
> 
> > 
> > Then you can move them around w/o puppet knowing what they contain,
> > although puppet will have to transfer at least public keys around.
> Are you okay with each individual ipa server having a different
> pub/private keypair, and a gpg encrypted file being passed around
> containing the cleartext dm_password? The private key on each host
> wouldn't be able to have a password, _and_ ultimately someone with root
> could get the cleartext password, whereas the current status quo
> probably hashes it. So I would see this as less secure.

The problem is, you need to use those passwords for the install, so you
have to have them somehow available on the systems themselves,
especially if you autogenerate them.

The admin will need to know to go on the systems, read and memorize/save
elsewhere the passwords and delete the gpg files.

We are bootstrapping the system here, so something needs to know those
secrets. The CA private certificate is also on one of those systems, so
if you decide puppet has access to them you have to come to terms with
the fact puppet will have access to the keys of the kingdom. If you do
not like that ... don't use puppet and manually install.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
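The scheme discussed in this thread, written out as an added example that is not code from the thread, from puppet-ipa or from FreeIPA: each server holds a private key that never leaves the host, only the public key is handed to the configuration tool, the first master generates the bootstrap password and seals it to each server's public key, and only the owning server can open the result. It uses RSA-OAEP from the Go standard library as an in-memory stand-in for a gpg secret/public keypair; the hostnames, the OAEP label and the function names are assumptions made for the example. The decryption step is deliberately as easy as James points out: anyone who can read the unprotected private key on that host (root, or puppet if it is given that access) recovers the cleartext, so the sealed file and the plaintext both have to be removed once the install has consumed them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// oaepLabel binds the ciphertext to this purpose; a sealed blob made with a
// different label will not decrypt. The value is an assumption for the example.
var oaepLabel = []byte("ipa-bootstrap-secret")

// ServerKeypair models what one IPA server holds: a private key that stays on
// the host (here a hypothetical in-memory stand-in for a gpg secret key).
type ServerKeypair struct {
	Host string
	priv *rsa.PrivateKey
}

// NewServerKeypair generates a fresh keypair on one server.
func NewServerKeypair(host string) (*ServerKeypair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ServerKeypair{Host: host, priv: priv}, nil
}

// PublicPEM is the only material the configuration tool needs to carry
// between hosts; it reveals nothing about the secrets sealed to it.
func (s *ServerKeypair) PublicPEM() []byte {
	der := x509.MarshalPKCS1PublicKey(&s.priv.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PUBLIC KEY", Bytes: der})
}

// GenerateBootstrapPassword runs on the first master: 24 random bytes encoded
// as 32 URL-safe base64 characters, so no human ever chooses the value.
func GenerateBootstrapPassword() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// SealForServer encrypts the secret to one server's public key. The output
// can be moved around by puppet without puppet learning the password.
func SealForServer(pubPEM []byte, secret string) ([]byte, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "RSA PUBLIC KEY" {
		return nil, fmt.Errorf("not an RSA public key PEM")
	}
	pub, err := x509.ParsePKCS1PublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(secret), oaepLabel)
}

// Open runs on the server that owns the private key. Because that key has no
// passphrase, any process with read access to it can do this, which is why
// the sealed file must be deleted once the install has used the password.
func (s *ServerKeypair) Open(sealed []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, sealed, oaepLabel)
	if err != nil {
		return "", fmt.Errorf("%s: cannot open sealed secret: %w", s.Host, err)
	}
	return string(pt), nil
}

func main() {
	// Constructed walk-through: two replicas, one generated password,
	// sealed to the first replica only.
	ipa1, _ := NewServerKeypair("ipa1.example.test")
	ipa2, _ := NewServerKeypair("ipa2.example.test")
	pw, _ := GenerateBootstrapPassword()
	sealed, _ := SealForServer(ipa1.PublicPEM(), pw)
	got, err := ipa1.Open(sealed)
	fmt.Println("ipa1 recovers the password:", err == nil && got == pw)
	_, err = ipa2.Open(sealed)
	fmt.Println("ipa2 is refused:", err != nil)
}
```

The OAEP label is a cheap extra: a blob sealed for a different purpose with the same key fails to decrypt rather than being silently accepted. Because decryption needs only the private key file, the protection this buys is separation between hosts and opacity to the transport, not protection from root on the receiving server, which is exactly the trade-off the thread is weighing.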