Bug 746036
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [RFE] Host SSH keys | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Sigbjorn Lie <sigbjorn> |
| Component | ipa | Assignee | Martin Kosek <mkosek> |
| Status | CLOSED WONTFIX | QA Contact | IDM QE LIST <seceng-idm-qe-list> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 7.0 | CC | dpal, jgalipea, mkosek |
| Target Milestone | rc | Keywords | FutureFeature |
| Target Release | --- | | |
| Hardware | All | | |
| OS | All | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Enhancement |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-02-19 11:46:27 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 756082 | | |
Description

Sigbjorn Lie
2011-10-13 17:47:49 UTC

How would this key be used? We can add it as a lump of data relatively easily, but what do you want us to do with it? Put it back on the host when it's re-installed...

See my conversation with sgallagh on #freeipa.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/1978

I think the goal here is that if a host was reinstalled, we want ipa-client-install to be able to restore the host key saved in FreeIPA. (Or in the case of bulk enrollment, push it down on the initial install). The same key will later be useful to have once we're supporting central host-keys for trust.

Oh, you want to store SSH *private* keys in IPA! We had some discussion about storing the public host keys, not sure that the private keys came up. We'd need to be pretty careful with them.

For the record, here is the original conversation:

(01:25:51 PM) sgallagh: SSH key management is tricky (because the openssh community isn't very helpful)
(01:25:58 PM) Silikon: sgallagh: ok. will there be a ssh host key management at some point?
(01:26:12 PM) sgallagh: We'd like to
(01:26:24 PM) sgallagh: But I'm going to say probably not in 3.0
(01:26:33 PM) Silikon: sgallagh: hehe. :) isn't host key management easier to accomplish than user key management?
(01:27:15 PM) sgallagh: Ah, sorry. Missed the host/user comment.
(01:27:30 PM) sgallagh: Either way requires a certain amount of buy-in from the openssh developers
(01:27:42 PM) sgallagh: And they have a very strong "If I didn't think of it, it must be a bad idea" mentality
(01:27:52 PM) Silikon: that sucks...
(01:27:55 PM) sgallagh: Yes
(01:28:07 PM) sgallagh: But we're looking into it
(01:28:24 PM) sgallagh: But I wouldn't want you to oversell what we're going to have ready for 3.0 :)
(01:28:54 PM) Silikon: but... (you have probably thought about this already, but here goes :) ) what if you store the ssh key with the host object, and deploy the ssh-host keys upon deployment of the ipa-client?
(01:29:17 PM) Silikon: sgallagh: ok, I will keep that in mind. :)
(01:30:17 PM) sgallagh: Silikon: The host keys are usually generated on the clients
(01:30:36 PM) sgallagh: The point of a host key storage would be so that users could ask FreeIPA for a list of trusted hosts
(01:30:37 PM) Silikon: sgallagh: I know, it drives me crazy!
(01:30:44 PM) sgallagh: This wouldn't help that
(01:31:02 PM) sgallagh: Clients connecting to those hosts would still have to click through the key verification the first time
(01:31:13 PM) sgallagh: Which we've cleverly trained people to blindly accept at this point :-(
(01:31:52 PM) Silikon: ah, ok. I was looking for a central store where the hosts' ssh keys were stored, so when I re-install a workstation the existing ssh key was re-used, not a new ssh-host-key generated.
(01:31:54 PM) Silikon: exactly!!
(01:32:09 PM) Silikon: I click (almost) blindly to yes as well
(01:32:22 PM) Silikon: it defies the entire purpose of the question
(01:32:36 PM) Silikon: I notice Ubuntu has even gone as far as auto-accepting a new host's key!
(01:32:57 PM) sgallagh: Silikon: That's... horrific.
(01:33:17 PM) sgallagh: Yet another reason why anyone security-conscious shouldn't touch Ubuntu with a ten foot pole
(01:33:19 PM) Silikon: sgallagh: I know... I feel ashamed!!! :(
(01:33:37 PM) sgallagh: Silikon: That's an interesting idea though (about being able to re-provision with the same key)
(01:33:41 PM) Silikon: sgallagh: hehehheheheheheheh! :)
(01:33:46 PM) sgallagh: Silikon: Would you mind opening an RFE?
(01:34:53 PM) Silikon: sgallagh: sure, I'll get on to it

Thank you for taking your time and submitting this request for Red Hat Enterprise Linux. The request was cloned to the upstream tracker a long time ago (see the link to the upstream ticket above), but it was unfortunately not given a priority either in the upstream project or in Red Hat Enterprise Linux. Given that this request is not planned for a close release, it is highly unlikely it will be fixed in this major version of Red Hat Enterprise Linux.

We are therefore closing the request as WONTFIX. To request that Red Hat reconsiders the decision, please reopen the Bugzilla with the help of Red Hat Customer Service and provide additional business and/or technical details about its importance to you. Please note that you can still track this request or even offer help in the referred upstream Trac ticket to expedite the solution.