[Ovirt-devel] Ovirt Node Authorization and Security
Perry Myers
pmyers at redhat.com
Thu Jan 15 14:38:15 UTC 2009
Itamar Heim wrote:
>> From: ovirt-devel-bounces at redhat.com [mailto:ovirt-devel-
>> bounces at redhat.com] On Behalf Of Ian Main
> ...
>> Highest: For each new machine brought into ovirt pool one would be
>> required to have a keytab generated in advance and either copied into
>> persistent storage on the machine or put on a USB stick etc.
> [IH] why not use TPM? Maybe not to store the keytab, but to store a
> private key or a certificate which will allow authentication and
> encryption only to this machine?
We have plans to use the TPM but that doesn't solve the bootstrapping
issue. You still need a way of getting the keytab from the ovirt server
to the Node in a secure fashion. That is what Ian is describing.
Once you get the keytab to the Node via USB thumb drive (secure mode) or
network transfer (less secure mode) it can certainly be stored in the TPM.
>> Moderate: Each time a node registers with the wui, it is placed in an
>> authorization queue and is required to be authorized by an
>> administrator before a keytab is generated for the node and made
>> available for download. Any pertinent information about the node will be
>> displayed in the list (MAC, maybe hardware ID etc.).
> [IH] if you don't persist the keytab (or at least persist some private key
> in TPM to encrypt to), then what prevents badnode1 from spoofing goodnode2
> and getting its keytab from the admin server?
We can (and do) persist the keytab; it all depends on your threat model.
If you are convinced you are on a 'secure management network' (does not
really exist IMHO, but some people believe it) then you don't need
Kerberos for the Nodes at all really. But we don't want different
transport mechanisms for the 'secure lan' vs. 'unsecure lan' cases so we
do the automatic keytab transfer.
If you're using an unsecure management lan then certainly you need a
persistent keytab via either TPM or hard disk.
Again, these concepts are somewhat orthogonal to what Ian is discussing
(bootstrap issue).
The concepts at play are:
1. bootstrapping - how do you initially register a host and get the keytab
from server to host (secure: sneakernet, unsecure: over the lan)
2. key storage/persistence: none, hard disk/usb drive, TPM
Ian was just discussing point 1. For point 2 the only thing we're missing
presently is usage of TPM if available. It's on the features roadmap,
just not sure when we're going to get to it.
Perry
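The registration flow discussed in this thread, written out as an added example (this is not oVirt code, and nothing here is taken from the project): a node turns up with a MAC and a key it claims is TPM-resident, an administrator authorizes it from the queue, and the keytab is released only after the node proves possession of that pinned key over a fresh nonce. It also exercises the case Itamar raises, a second machine claiming goodnode's MAC with its own key, which is refused at both registration and keytab pickup. Everything concrete is an assumption for illustration: the simulated TPM is an in-process P-256 ECDSA key, the MAC is a constructed sample, and 32 random bytes stand in for a real Kerberos keytab.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SimTPM stands in for a TPM-held P-256 key (an assumption); the private half never leaves it.
type SimTPM struct{ priv *ecdsa.PrivateKey }

func NewSimTPM() *SimTPM {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SimTPM{priv: k}
}

func (t *SimTPM) Public() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign signs a digest the server chose, like a TPM signing an externally supplied hash.
func (t *SimTPM) Sign(digest []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest)
	if err != nil {
		panic(err)
	}
	return sig
}

type registration struct {
	pub    *ecdsa.PublicKey
	keytab []byte // nil until an administrator authorizes the node
}

// Server is the WUI side: the authorization queue and per-node state, keyed by MAC.
type Server struct{ nodes map[string]*registration }

func NewServer() *Server { return &Server{nodes: map[string]*registration{}} }

func random32() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Register enqueues a node and pins the first key seen for its MAC; a different key later is the spoof.
func (s *Server) Register(mac string, pub *ecdsa.PublicKey) error {
	if r, ok := s.nodes[mac]; ok {
		if !r.pub.Equal(pub) {
			return fmt.Errorf("%s: already registered with a different key", mac)
		}
		return nil // same node coming back, e.g. after a reboot
	}
	s.nodes[mac] = &registration{pub: pub}
	return nil
}

// Authorize is the admin action; only now is a keytab generated (32 random bytes stand in for a real one).
func (s *Server) Authorize(mac string) error {
	r, ok := s.nodes[mac]
	if !ok {
		return fmt.Errorf("%s: not registered", mac)
	}
	r.keytab = random32()
	return nil
}

// FetchKeytab releases the keytab only to an authorized node that signs a fresh
// nonce with the pinned key; sign models the node's round trip to its TPM.
func (s *Server) FetchKeytab(mac string, sign func(digest []byte) []byte) ([]byte, error) {
	r, ok := s.nodes[mac]
	if !ok {
		return nil, fmt.Errorf("%s: not registered", mac)
	}
	if r.keytab == nil {
		return nil, fmt.Errorf("%s: awaiting admin authorization", mac)
	}
	digest := sha256.Sum256(append([]byte(mac), random32()...)) // binds the MAC to a one-shot nonce
	if !ecdsa.VerifyASN1(r.pub, digest[:], sign(digest[:])) {
		return nil, fmt.Errorf("%s: proof of possession failed", mac)
	}
	return r.keytab, nil
}

func main() {
	s, mac, good := NewServer(), "52:54:00:aa:bb:cc", NewSimTPM() // constructed sample MAC
	fmt.Println("register:", s.Register(mac, good.Public()), "authorize:", s.Authorize(mac))
	kt, err := s.FetchKeytab(mac, good.Sign)
	fmt.Printf("good node: %d-byte keytab, err=%v\n", len(kt), err)
	bad := NewSimTPM() // a different machine claiming the same MAC: the spoofing case
	_, err = s.FetchKeytab(mac, bad.Sign)
	fmt.Println("spoof register:", s.Register(mac, bad.Public()), "spoof fetch:", err)
}
```

Two things the example makes visible that the prose leaves implicit. Pinning the first key seen for a MAC is trust-on-first-use, so what protects the first registration is the administrator looking at the queue (MAC, hardware ID) before authorizing, which is exactly the "moderate" option; the sneakernet keytab is the way to avoid relying on that. And if the node's key is not persisted (point 2 above), a reboot produces a new key and the node's own re-registration looks like the spoofing case to the server, which is why storage on disk or in the TPM is not optional once the key is what identifies the machine.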