Bug 1983185 - [RFE] Have dedicated ssh keypair per each Organization Unit in Sat6
Summary: [RFE] Have dedicated ssh keypair per each Organization Unit in Sat6
Keywords:
Status: NEW
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Remote Execution
Version: 6.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Satellite QE Team
URL:
Whiteboard:
Depends On:
Blocks: 1541321
Reported: 2021-07-16 18:30 UTC by Andrea Perotti
Modified: 2023-07-21 21:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:



Description Andrea Perotti 2021-07-16 18:30:46 UTC
Description of problem:

Satellite 6 implements multitenancy, so multiple OrgUnits can be hosted on the Sat6 and different capsules may be dedicated to specific OUs.

This segregation is not applied to the REX feature, which uses the same ssh keys to log into the hosts, regardless of which OU each host belongs to.

Wouldn't it be better from a security PoV to have an ssh keypair per OU and distribute the keys only to the capsules that need it?


Version-Release number of selected component (if applicable):

Satellite 6.9

Comment 2 Adam Ruzicka 2021-07-20 07:59:54 UTC
In a way this should be already doable. Each capsule has its own key pair. If each capsule is assigned to exactly one organization, then you already have different keys for different organizations. Or am I missing something?

> Wouldn't it be better from a security PoV to have an ssh keypair per OU and distribute the keys only to the capsules that need it?

Currently the key pair gets generated on the capsule and the private key never leaves the machine and no other machine knows it. If we went with this suggestion, the private key would have to live on Satellite's side and be sent over to the capsules which require it, which doesn't exactly feel like a security win.

On a side note, Satellite allows integrating with various IDMs which could possibly help here. Wouldn't that be an option?

Comment 3 Andrea Perotti 2021-10-05 07:36:58 UTC
(In reply to Adam Ruzicka from comment #2)
> If each capsule is assigned to exactly one organization, then you already
> have different keys for different organizations. Or am I missing something?

This would be doable, but at the same time highly overkill, especially if users
map a tenant in an OpenStack infra to a Sat6 OU; tenants are a cheap, basic
concept in the infra, so they spread.

> Currently the key pair gets generated on the capsule and the private key
> never leaves the machine and no other machine knows it. If we went with this
> suggestion, the private key would have to live on Satellite's side and be
> sent over to the capsules which require it, which doesn't exactly feel like
> a security win.

You are right; at the same time we may generate a new one on each capsule associated
with an OU, or when that capsule is added to that OU, so there is no transfer of keys and we have no
secrets shared among OUs.

> On a side note, Satellite allows integrating with various IDMs which could
> possibly help here. Wouldn't that be an option?

The concern reported is the existence of something shared between different entities
that are expected to be totally independent, also from a Sat6 PoV.

thanks
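
The concern raised in this thread (a capsule key trusted by hosts in more than one organization) can be checked rather than assumed. The following is an added audit script, not Satellite or Foreman code; it assumes you have already collected, per managed host, its organization and the authorized_keys lines accepted by the remote-execution user, and the sample data and key blobs in it are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample: host -> (organization, authorized_keys lines).
# Key blobs are short fake base64 strings, not real public keys.
SAMPLE_HOSTS = {
    "web01.tenant-a.example": ("Tenant-A", [
        "ssh-ed25519 AAAAQ0FQU1VMRTE= foreman-proxy@capsule1.example",
    ]),
    "db01.tenant-a.example": ("Tenant-A", [
        "ssh-ed25519 AAAAQ0FQU1VMRTE= foreman-proxy@capsule1.example",
    ]),
    "web01.tenant-b.example": ("Tenant-B", [
        # Same capsule key as Tenant-A hosts: this is the cross-OU sharing.
        "ssh-ed25519 AAAAQ0FQU1VMRTE= foreman-proxy@capsule1.example",
        "ssh-ed25519 AAAAQ0FQU1VMRTI= foreman-proxy@capsule2.example",
    ]),
}


def fingerprint(authorized_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line.

    Leading options (from=, command=, ...) without embedded whitespace
    are skipped so the same key yields the same fingerprint everywhere.
    """
    fields = authorized_line.split()
    while fields and not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields.pop(0)
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def keys_shared_across_orgs(hosts):
    """Return {fingerprint: [orgs]} for keys trusted by hosts in more than one org."""
    orgs_by_key = defaultdict(set)
    for org, lines in hosts.values():
        for line in lines:
            orgs_by_key[fingerprint(line)].add(org)
    return {fp: sorted(orgs) for fp, orgs in orgs_by_key.items() if len(orgs) > 1}


if __name__ == "__main__":
    for fp, orgs in keys_shared_across_orgs(SAMPLE_HOSTS).items():
        print(f"{fp} is trusted by hosts in several organizations: {', '.join(orgs)}")
```

An empty result means every REX key is confined to a single organization, which is the isolation the reporter is asking for.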

Comment 7 Brad Buckingham 2023-07-21 21:06:39 UTC
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and is planning to close in a month. This message may be a repeat of a previous update and the bug is again being considered to be closed. If you have any concerns about this, please contact your Red Hat Account team. Thank you.

