#5347 ipa-kra-install includes certificate and private key in world readable file
Closed: Fixed. Opened 4 years ago by jcholast.

It was discovered that ipa-kra-install writes the CA agent certificate and private key to a world-readable file, /etc/httpd/alias/kra-agent.pem. This allows any local user on an IPA server where ipa-kra-install was run to issue arbitrary certificates with the IPA CA.

The ipa-kra-install script configures the KRA subsystem of Dogtag, which is used for the Password Vault feature of IPA. During the configuration process, a KRA agent user account is created in Dogtag, which is used by IPA to authenticate to the KRA. Currently the KRA agent uses the same certificate and private key as the CA agent, which IPA uses to authenticate to the CA.

The kra-agent.pem file is necessary because the Dogtag client Python library does not support using a certificate and private key from an NSS database for authentication, so it is not possible to use the CA agent certificate and private key directly from their primary location, the NSS database at /etc/httpd/alias.
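The defect is a PEM file created with the process umask (typically 0644) rather than an owner-only mode. The following is an added example, not FreeIPA's installer code: it contrasts the defective write pattern with a hardened one that creates the file with mode 0600 from the start, and includes a small audit check for world-accessible key files. The PEM content and file names are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed placeholder PEM material; not a real certificate or key.
FAKE_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"
)


def write_pem_world_readable(path, data):
    """Defective pattern: plain open() creates the file with the process
    umask, usually 0644, so the private key is readable by every local user."""
    with open(path, "w") as f:
        f.write(data)


def write_pem_restricted(path, data, mode=0o600):
    """Hardened pattern: create the file with an owner-only mode at creation
    time (O_EXCL refuses to reuse an existing file or symlink), so there is no
    window in which other users can read the key. chmod re-applies the mode in
    case the umask masked bits at creation."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.chmod(path, mode)


def pem_exposure(path):
    """Audit check: return the set of permissions granted to 'other' on a file
    holding private key material. An empty set means not world accessible."""
    st = os.stat(path)
    exposed = set()
    if st.st_mode & stat.S_IROTH:
        exposed.add("read")
    if st.st_mode & stat.S_IWOTH:
        exposed.add("write")
    return exposed


def demo():
    """Write the same PEM both ways under a typical installer umask and
    report the exposure of each file."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            bad = os.path.join(d, "kra-agent-bad.pem")
            good = os.path.join(d, "kra-agent.pem")
            write_pem_world_readable(bad, FAKE_PEM)
            write_pem_restricted(good, FAKE_PEM)
            return pem_exposure(bad), pem_exposure(good)
    finally:
        os.umask(old)
```

Running `demo()` returns `({'read'}, set())`: the plainly written file is world readable, the restricted one is not.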


master:

  • 110e85c install: fix KRA agent PEM file permissions

ipa-4-2:

  • 55a66cc install: fix KRA agent PEM file permissions

Metadata Update from @jcholast:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.2.2

3 years ago
