#6567 [RFE] Integrate with custodia and SSH to escrow and share user private keys
Closed: wontfix 5 years ago by rcritten. Opened 7 years ago by dpal.

If a deployment wants to implement option 3b from this article http://rhelblog.redhat.com/2016/07/13/i-really-cant-rename-my-hosts/ they need to manage user private keys on the jump hosts as well as upload the public SSH key to IdM.
This RFE calls for a way to allow the jump hosts to create an SSH key for a newly logged-in user and save it via custodia in the IdM vault. The public SSH key should be uploaded into the user entry. The idea is to have this all automated so that administrators do not need to create and share SSH keys manually between the jump hosts but rather get the user's private SSH keys from the IPA vault via custodia automatically.

I do not know whether custodia is needed here. Maybe a direct API will be usable in this case.

Jump hosts are IdM registered hosts so they will have a keytab and can run other commands. I wonder how hard it would be to implement something like this in a simple shell or python script using the existing CLI, even without custodia.


I don't think that the host keytab can be used now because the vault API currently doesn't support setting a host as a vault member (escrow use case). Support for it might be added or it can be worked around with a service keytab.

It will be slow now. But AFAIK Ade and Endi have been working on improving vault performance so it will change.

There needs to be something which will set the jump host/service as a vault member of the user's vault (specific?). Alternatively an ACI which would allow creation of the user vault by the host/service - but this seems rather dangerous to me, so it would have to be properly limited.

Maybe something else..

Here is my thought process:

- The bridging to SSH keys is the only option to work around the renaming of the hosts, we know that
- Option introduces overhead to manage the SSH keys
- If we can provide a solution that would manage keys automatically we effectively create an end-to-end solution that works around the limitations related to renaming hosts without adding extra administrative overhead.

Of course the solution needs to be properly designed and be secure and performant. It seems it is just a gap that we need to close at some point. I wonder if it can be closed in a simple way with what we already have or whether it requires a lot of extra work on the components to tie things together.

This ticket is an example of what people would like to try to do with the vault so if Vault is not capable we need to fix it.

Metadata Update from @dpal:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago
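As an added example (not code from the ticket or from FreeIPA), here is a shell sketch of the flow discussed above built only from CLI commands that exist today: `ipa service-add`, `ipa service-add-host`, `ipa-getkeytab`, `ipa vault-add`, `ipa vault-add-member`, `ipa vault-archive`, `ipa vault-retrieve`, `ipa user-mod` and `ssh-keygen`. It follows the two points raised in the comments: a service keytab stands in for the host keytab, and an administrator pre-creates the user's vault and adds the service as a member instead of granting hosts an ACI to create vaults. All names are assumptions: realm EXAMPLE.TEST, a per-jump-host service ssh-escrow/<fqdn> with its keytab at /etc/ssh-escrow.keytab, and one standard vault per user called ssh-key-<user>.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA: the escrow flow
# discussed in this ticket, built only from existing CLI commands.
# Assumed names (not in the ticket): realm EXAMPLE.TEST, a per-jump-host
# service ssh-escrow/<fqdn> with its keytab at /etc/ssh-escrow.keytab,
# and one standard vault per user named ssh-key-<user>.
set -eu

REALM="EXAMPLE.TEST"
ESCROW_SVC="ssh-escrow"
ESCROW_KEYTAB="/etc/ssh-escrow.keytab"

# Vault naming convention (assumption).
vault_name_for_user() {
    printf 'ssh-key-%s\n' "$1"
}

# Service principal used instead of the host keytab, since hosts could not be
# vault members at the time of the ticket.
escrow_principal() {
    printf '%s/%s@%s\n' "$ESCROW_SVC" "$1" "$REALM"
}

# Accept only a single-line ed25519 public key (68 base64 chars, optional
# comment) before writing it into the user entry.
is_ed25519_pubkey() {
    [ "$(( $(printf '%s' "$1" | wc -l) ))" -eq 0 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^ssh-ed25519 [A-Za-z0-9+/]{68}( [^ ]+)?$'
}

# ---- Admin side (run with an admin ticket) ----

# Create the escrow service for a jump host and let that host fetch its keytab
# with its own host credentials (managedBy), so no admin keytab lands on it.
setup_jump_host() {   # $1 = jump host FQDN
    svc="$(escrow_principal "$1")"
    ipa service-add "$svc"
    ipa service-add-host "$svc" --hosts "$1"
    # then, on the jump host as root:
    #   ipa-getkeytab -p "$svc" -k "$ESCROW_KEYTAB"
}

# Pre-create the user's vault and grant the jump host's service membership.
# Doing this here, rather than via an ACI that lets hosts create vaults,
# keeps the escrow service limited to vaults an admin explicitly assigned.
setup_user_vault() {  # $1 = user, $2 = jump host FQDN
    vault="$(vault_name_for_user "$1")"
    ipa vault-add "$vault" --user "$1" --type standard
    ipa vault-add-member "$vault" --user "$1" --services "$(escrow_principal "$2")"
}

# ---- Jump host side (run as root at the user's first login) ----

# Restore the user's key from the vault if another jump host already escrowed
# one; otherwise generate a key, escrow it and publish the public half.
provision_user_key() {   # $1 = user, $2 = this host's FQDN, $3 = user's ~/.ssh
    vault="$(vault_name_for_user "$1")"
    key="$3/id_ed25519"
    umask 077
    # private credential cache so the service ticket never touches root's default one
    KRB5CCNAME="FILE:/run/ssh-escrow-$$.ccache"; export KRB5CCNAME
    kinit -kt "$ESCROW_KEYTAB" "$(escrow_principal "$2")"
    if ipa vault-retrieve "$vault" --user "$1" --out "$key" 2>/dev/null \
       && [ -s "$key" ]; then
        : # escrowed copy restored; its public key is already on the user entry
    else
        rm -f "$key"
        ssh-keygen -q -t ed25519 -N '' -C "$1@$2" -f "$key"
        ipa vault-archive "$vault" --user "$1" --in "$key"
        pub="$(cat "$key.pub")"
        is_ed25519_pubkey "$pub" || { echo "unexpected key format" >&2; return 1; }
        # --addattr appends; --sshpubkey would replace every key on the entry.
        ipa user-mod "$1" --addattr "ipasshpubkey=$pub"
    fi
    chown "$1" "$key"
    chmod 600 "$key"
    kdestroy
}

case "${1:-}" in
    setup-host) setup_jump_host "$2" ;;
    setup-user) setup_user_vault "$2" "$3" ;;
    provision)  provision_user_key "$2" "$3" "$4" ;;
esac
```

Two caveats a deployment would have to handle beyond this sketch: two jump hosts provisioning the same user at the same moment can both miss the retrieve and each archive a different key (the last `vault-archive` wins, so one host ends up holding a private key whose public half is not on the user entry), and a standard vault means the private key is protected only by the KRA and the vault membership, so the set of services that are members of each user's vault is the thing to audit.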

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
