Password management with FreeIPA
Safely Stored
Shared Safes
Administrators can create safes and share them with different users (Listing 1). Then, the desired data can be stored in the Team Safe:
# ipa vault-archive team-keys --shared --in ~/team-keys.txt --password-file passwd.txt
--------------------------------
Archived data into vault "team-keys"
--------------------------------
Listing 1
Shared Safe
# kinit admin
Password for admin@EXAMPLE.COM:
# ipa vault-add team-keys --desc "Team keys" --type symmetric --shared --password-file passwd.txt
-----------------------------------
Added vault "team-keys"
-----------------------------------
  Vault name: team-keys
  Description: Team keys
  Type: symmetric
  Salt: J0aMaMWKgxf+0I59b2DKkA==
  Owner users: admin
  Shared vault: True
# ipa vault-add-member team-keys --shared --groups schalke --users tscherf
  Vault name: team-keys
  Description: Team keys
  Type: symmetric
  Salt: J0aMaMWKgxf+0I59b2DKkA==
  Owner users: admin
  Shared vault: True
  Member users: tscherf
  Member groups: schalke
--------------------------------------
Number of members added 2
--------------------------------------
When a user who is a member of the safe logs on, they can query the data, as long as they remember the password:
# kinit tscherf
Password for tscherf@EXAMPLE.COM:
[root@ipa01 ~]# ipa vault-retrieve team-keys --shared --out my-team-keys.txt --password-file passwd.txt
Asymmetric keys can be used instead of simple passwords; this is not only more secure, but also simplifies the handling of the safes (Listing 2).
Listing 2
Asymmetric Keys
# openssl genrsa -out mykey.pem 2048
# openssl rsa -in mykey.pem -pubout > mykey.pub
# ipa vault-add private --type asymmetric --public-key-file mykey.pub
----------------------
Added vault "private"
----------------------
  Vault name: private
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROE
FNSUlCQ2dLQ0FRRUEycGtHL2YzTDd0VmpxblA2cTdPaApkMmJvbTFVTDhPeXdveXZTaXptdUYvME94
NjErRWRIbmRld25icGlXYjdaaER4c05lVk14SXRpcGZZbW1tdzhKCml0RTVlcDhFa1U1VWhaemxsNW
Q3eWFYU2VEa25pRVVE
WUpMMkpHNDNJWmRFVVFuM1hWUWt4Q0xIN0xzVUI3V0oKUC94TFY4a1FHQXB
QY1MzcUVyME44MTJ6Q1NPR1U1RDNvNTNoRFhhVG95Y1cwRW1UUldmNHQzNkFrcFhreGszbwo2eW0we
UhJdmRCS3ZDbVRGVm1SeTdwVFlqbGxLVVNNYWpxSVNUdEFMRUxDclVySHZCSmJ6YzVqZmdUSVJYbVF
nClhyV21UZXMzRHJqbFJjN2Q5MnpnZXJtUEtnbVRiMWxUL1pyVDhlQzB5Q0paSnNaSmJDOTVkVXRmK
zNXZEFOY28KYXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: tscherf
  Vault user: tscherf
# ipa vault-archive private --in ~/data.txt
-----------------------------------
Archived data into vault "private"
-----------------------------------
# ipa vault-retrieve private --private-key-file=mykey.pem --out data.txt
--------------------------------------
Retrieved data from vault "private"
--------------------------------------
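The asymmetric workflow of Listing 2, wrapped in a script as an added example (not code from the article or the FreeIPA project). It assumes an enrolled client with a valid Kerberos ticket and the ipa CLI on PATH; the vault name, file names and the "run" guard are placeholders chosen here. The point the listing leaves implicit: the vault stores only the public key, so archiving needs no secret, while the private key is the one file that unlocks the safe and must stay owner-only.

```shell
#!/bin/sh
# Added example, not code from the article: wraps the asymmetric-vault
# steps of Listing 2. Assumes an enrolled FreeIPA client, a valid
# Kerberos ticket and the ipa CLI. Vault and file names are placeholders.
set -eu

# Create the RSA key pair; umask 077 keeps mykey.pem readable by the
# owner only, because anyone holding it can retrieve the vault contents.
gen_keypair() {
    key="$1"
    ( umask 077 && openssl genrsa -out "$key" 2048 )
    openssl rsa -in "$key" -pubout -out "$key.pub"
}

# True when the file is readable by its owner only (group/other bits clear).
key_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# The vault holds only the public key, so archiving needs no secret at all.
create_and_archive() {
    vault="$1"; pubkey="$2"; data="$3"
    ipa vault-add "$vault" --type asymmetric --public-key-file "$pubkey"
    ipa vault-archive "$vault" --in "$data"
}

# Retrieval needs the private key: refuse a group- or world-readable one,
# and write the plaintext under umask 077 so it is not exposed on disk.
retrieve() {
    vault="$1"; key="$2"; out="$3"
    key_is_private "$key" || { echo "refusing: $key is not owner-only" >&2; return 1; }
    ( umask 077 && ipa vault-retrieve "$vault" --private-key-file="$key" --out "$out" )
}

main() {
    gen_keypair mykey.pem
    create_and_archive private mykey.pem.pub "$HOME/data.txt"
    retrieve private mykey.pem data.txt
}

# Run the workflow only when invoked with the literal argument "run".
if [ "${1:-}" = "run" ]; then main; fi
```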
Conclusion
With KRA, FreeIPA introduces an extremely useful function that lets users set up safes, in which users and services can store data that is then passed securely to the FreeIPA back end.