Bug 1983185
| Summary: | [RFE] Have dedicated ssh keypair per each Organization Unit in Sat6 | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Andrea Perotti <aperotti> |
| Component: | Remote Execution | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | NEW --- | QA Contact: | Satellite QE Team <sat-qe-bz-list> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.9.0 | CC: | aruzicka, lstejska, rlavi |
| Target Milestone: | Unspecified | Keywords: | FutureFeature |
| Target Release: | Unused | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1541321 | | |

Description
Andrea Perotti
2021-07-16 18:30:46 UTC
Adam Ruzicka (comment #2)

In a way this should be already doable. Each capsule has its own key pair. If each capsule is assigned to exactly one organization, then you already have different keys for different organizations. Or am I missing something?

> Wouldn't it be better from a security PoV to have a ssh keypair per each OU and distribute the keys only to the capsules that need it?

Currently the key pair gets generated on the capsule and the private key never leaves the machine and no other machine knows it. If we went with this suggestion, the private key would have to live on Satellite's side and be sent over to the capsules which require it, which doesn't exactly feel like a security win.

On a side note, satellite allows integrating with various IDMs which could possibly help here. Wouldn't that be an option?
(In reply to Adam Ruzicka from comment #2)

> If each capsule is assigned to exactly one organization, then you already have different keys for different organizations. Or am I missing something?

This would be doable, but at the same time highly overkill, especially if users map a tenant in an OpenStack infra to a Sat6 OU, and tenants are a cheap, basic concept in the infra, so they spread.

> Currently the key pair gets generated on the capsule and the private key never leaves the machine and no other machine knows it. If we went with this suggestion, the private key would have to live on Satellite's side and be sent over to the capsules which require it, which doesn't exactly feel like a security win.

You are right; at the same time we may generate a new one on each capsule associated with an OU, or when that capsule is added to that OU, so there is no transfer of keys and we have no secrets shared among OUs.

> On a side note, satellite allows integrating with various IDMs which could possibly help here. Wouldn't that be an option?

The concern reported is the existence of something shared between different entities that are expected to be totally independent, also from a Sat6 PoV.

thanks

Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you.
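The four key layouts argued over in comment #2 and the reply above (one capsule key trusted by every organization; one capsule per organization; per-organization keys generated on Satellite and pushed to capsules; per-organization keys generated on the capsule itself), as an added model that is not part of this bug report or of Satellite's own code. `ssh-keygen` is replaced by a random token so the script runs offline, and every capsule, organization and Satellite name is constructed. The two checks it computes are the ones the thread cares about: which private keys are trusted by hosts of more than one organization (a secret shared across OUs) and which private keys exist on a machine other than the one that generated them (a key transfer). It also reports which organizations become reachable if one machine's private keys leak, a question the thread does not raise.

```python
"""Key-ownership model for Satellite remote execution (added illustration).

A 'key pair' is a random token standing in for ssh-keygen output; all
machine and organization names are constructed for the example.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class PrivateKey:
    key_id: str
    generated_on: str                          # machine that ran the (simulated) ssh-keygen
    present_on: set = field(default_factory=set)  # machines holding the private half


@dataclass
class Deployment:
    keys: dict = field(default_factory=dict)   # key_id -> PrivateKey
    trust: dict = field(default_factory=dict)  # org -> key_ids in its hosts' authorized_keys

    def generate_key(self, on_machine):
        """Simulate ssh-keygen on `on_machine`; the private half starts there only."""
        kid = secrets.token_hex(8)
        self.keys[kid] = PrivateKey(kid, on_machine, {on_machine})
        return kid

    def copy_private_key(self, kid, to_machine):
        """Ship a private key to another machine (what the 'central' design needs)."""
        self.keys[kid].present_on.add(to_machine)

    def authorize(self, org, kid):
        """Put the public half into authorized_keys on every host of `org`."""
        self.trust.setdefault(org, set()).add(kid)

    def shared_keys(self):
        """Private keys trusted by hosts of more than one organization: key_id -> orgs."""
        owners = {}
        for org, kids in self.trust.items():
            for kid in kids:
                owners.setdefault(kid, set()).add(org)
        return {kid: orgs for kid, orgs in owners.items() if len(orgs) > 1}

    def transferred_keys(self):
        """Private keys that live somewhere other than the machine that generated them."""
        return {kid for kid, k in self.keys.items() if k.present_on != {k.generated_on}}

    def reachable_from(self, machine):
        """Organizations whose hosts accept some private key held on `machine`."""
        held = {kid for kid, k in self.keys.items() if machine in k.present_on}
        return {org for org, kids in self.trust.items() if kids & held}


def current_design(capsule, orgs):
    """One key per capsule, trusted by every org the capsule serves."""
    d = Deployment()
    kid = d.generate_key(capsule)
    for org in orgs:
        d.authorize(org, kid)
    return d


def one_capsule_per_org(orgs):
    """Comment #2's workaround: a dedicated capsule (and key) per org."""
    d = Deployment()
    for org in orgs:
        d.authorize(org, d.generate_key(f"capsule-{org}"))
    return d


def central_keys(satellite, capsule, orgs):
    """Per-org keys generated on Satellite and pushed to the capsule."""
    d = Deployment()
    for org in orgs:
        kid = d.generate_key(satellite)
        d.copy_private_key(kid, capsule)
        d.authorize(org, kid)
    return d


def per_org_key_on_capsule(capsule, orgs):
    """The reply's proposal: a fresh key generated on the capsule per org it joins."""
    d = Deployment()
    for org in orgs:
        d.authorize(org, d.generate_key(capsule))
    return d


if __name__ == "__main__":
    orgs = ["org-a", "org-b"]
    for name, d in [("current", current_design("capsule1", orgs)),
                    ("capsule per org", one_capsule_per_org(orgs)),
                    ("central keys", central_keys("satellite", "capsule1", orgs)),
                    ("per-org key on capsule", per_org_key_on_capsule("capsule1", orgs))]:
        print(f"{name:24s} shared={len(d.shared_keys())} "
              f"transferred={len(d.transferred_keys())} keys={len(d.keys)}")
```

Running it shows the trade-off in numbers: only the current design has a key shared across organizations, only the central design has a private key that left its generating machine, and the capsule-per-org layout needs as many capsules as organizations. The `reachable_from` check is the caveat a reviewer would add to the proposal: per-organization keys on the same capsule remove the shared secret, but a compromised capsule still reaches every organization it serves, exactly as in the current design.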