[Ovirt-devel] Ovirt Node Authorization and Security

Itamar Heim iheim at redhat.com
Thu Jan 15 08:21:30 UTC 2009


> From: ovirt-devel-bounces at redhat.com [mailto:ovirt-devel-
> bounces at redhat.com] On Behalf Of Ian Main
...
> 
> Highest: For each new machine brought into ovirt pool one would be
> required to have a keytab generated in advance and either copied into
> persistent storage on the machine or put on a USB stick etc.
[IH] why not use a TPM? Maybe not to store the keytab, but to store a
private key or a certificate which will allow authentication and
encryption only to this machine?
> 
> Moderate: Each time a node registers with the wui, it is placed in an
> authorization queue and is required to be authorized by an
> administrator before a keytab is generated for the node and made
> available for download. Any pertinent information about the node will be
> displayed in the list (MAC, maybe hardware ID etc.).
[IH] if you don't persist the keytab (or at least persist some private key
in TPM to encrypt to), then what prevents badnode1 from spoofing goodnode2
and getting its keytab from the admin server?
> 
> Open: As it is now, where a keytab is just downloaded automatically.
> 
> I have a bit of a reservation around 'Moderate' as there may be
> multiple admins and someone might just assume a machine is fine
> and authorize it just because it's there.  I guess that'd be up to
> the policy and SOP of the organization involved.
> 
> I'm not sure what our requirements are for the release but as it stands
> currently we only implement the 'open' version.
> 
> This sound reasonable to everyone?
> 
> 	Ian
> 
> 
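The 'Moderate' policy from the thread combined with the per-node key IH proposes, as an added example that is not oVirt code: a simulated WUI queues each registration for admin approval and releases the keytab only to a caller that answers a fresh challenge with the key the node enrolled with, so a second node claiming goodnode2's name gets nothing. The HMAC shared key is a simplification standing in for a TPM-held private key (a real design would keep only the public key on the server and verify a signature), and the node names, MAC and keytab value are constructed.

```python
import hmac, hashlib, secrets
class AdminServer:
    """WUI side of the 'Moderate' policy: a node waits for admin approval, and its
    keytab is released only to a holder of the per-node key it enrolled with."""
    def __init__(self):
        self.queue = {}        # node_id -> {"mac": ..., "key": ...}, awaiting an admin
        self.authorized = {}   # node_id -> node key accepted by the admin
        self.keytabs = {}      # node_id -> keytab generated after authorization
        self.challenges = {}   # node_id -> outstanding challenge nonce

    def register(self, node_id, mac, node_key):
        # Queue the details the admin reviews; refuse a second registration of a known name.
        if node_id in self.queue or node_id in self.authorized:
            return "already-registered"
        self.queue[node_id] = {"mac": mac, "key": node_key}
        return "queued"

    def authorize(self, node_id):
        # The admin's action: leave the queue, bind the key, generate the keytab.
        self.authorized[node_id] = self.queue.pop(node_id)["key"]
        self.keytabs[node_id] = secrets.token_hex(16)   # constructed stand-in for a keytab
        return self.keytabs[node_id]

    def challenge(self, node_id):
        self.challenges[node_id] = secrets.token_bytes(16)
        return self.challenges[node_id]

    def fetch_keytab(self, node_id, response):
        # Release the keytab only to a caller that answers the fresh nonce with the
        # key bound to node_id; merely claiming the name yields nothing.
        nonce = self.challenges.pop(node_id, None)
        if nonce is None or node_id not in self.authorized:
            return None
        expected = hmac.new(self.authorized[node_id], nonce, hashlib.sha256).digest()
        return self.keytabs[node_id] if hmac.compare_digest(expected, response) else None

def node_respond(node_key, nonce):
    # Node side: prove possession of its key by answering the server's nonce.
    return hmac.new(node_key, nonce, hashlib.sha256).digest()

def scenario():
    # goodnode2 enrolls and is authorized; badnode1 then claims to be goodnode2.
    srv = AdminServer()
    good_key, bad_key = secrets.token_bytes(32), secrets.token_bytes(32)
    srv.register("goodnode2", "52:54:00:12:34:56", good_key)   # constructed MAC
    issued = srv.authorize("goodnode2")
    got = srv.fetch_keytab("goodnode2", node_respond(good_key, srv.challenge("goodnode2")))
    spoofed = srv.fetch_keytab("goodnode2", node_respond(bad_key, srv.challenge("goodnode2")))
    return got == issued, spoofed is None
```

Without the challenge step (the thread's 'Open' policy, or a queue keyed only on a self-reported name) fetch_keytab would hand the keytab to whoever asked first, which is exactly the spoofing concern raised above.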