[Openstack-security] List of steps to perform to prepare or condition long term keys?

Kurt Seifried kseifried at redhat.com
Tue Oct 29 18:39:38 UTC 2013


On 10/29/2013 12:14 PM, Adam Young wrote:
> On 10/25/2013 03:25 AM, Jeffrey Walton wrote:
>> I was reading through the OpenStack Security Guide dated Oct 25
>> 2013 for Havana (http://docs.openstack.org/sec/). Good job on
>> that, by the way.
>> 
>> Does anyone have a list of steps to perform to prepare or
>> condition long term keys? For example, SSH keys should be
>> regenerated, Samba's secret should probably be recreated (if
>> present), Ubuntu's Snake Oil key should probably be deleted (if
>> present), etc.
>> 
>> I'm interested in both the bare metal OS and VM instances. (VM 
>> instances are somewhat covered under Chapter 43).
>> 
>> Thanks in advance.
>> 
> In general, direct key management is an antipattern: they don't have
> revocation or expiration built in.  Where possible, favor X.509.
> For automated management of X.509 certificates we should coalesce
> around a solution like Certmonger
> https://fedorahosted.org/certmonger/ .  I am interested in getting
> together an unconference session around this, or I will try to work
> it into one of the security track discussions.
> 

OpenSSH supports a modified/limited certificate format now since 5.4:

http://www.openssh.org/txt/release-5.4

But I agree, it's best to do this via X.509.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
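As an added illustration, not part of the thread, of the OpenSSH certificate support Kurt points to: a CA signs a user key with a principal list and a validity window, and the resulting certificate can later be revoked through a Key Revocation List, which gives the expiration and revocation Adam notes raw SSH keys lack. It assumes an OpenSSH ssh-keygen with KRL support (6.2 or later) and uses constructed key names under a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates OpenSSH certificates:
# expiry via -V and revocation via a KRL. Assumes ssh-keygen from OpenSSH
# with KRL support (6.2+); all key and file names here are constructed.

# Mint a CA, sign a user key for principal "alice" valid for 52 weeks,
# print the certificate's validity window, then revoke it in a KRL and
# query the KRL. Output: the "Valid:" line and the KRL verdict.
ssh_cert_demo() {
    work=$(mktemp -d) || return 1
    # CA key: servers trust only this (TrustedUserCAKeys in sshd_config),
    # so individual user keys never need to be distributed to hosts.
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$work/user_ca" || return 1
    # User key; the certificate, not the bare key, carries the policy.
    ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$work/alice" || return 1
    # -I key identity (logged by sshd on use), -n allowed principals,
    # -V validity window relative to now. Produces alice-cert.pub.
    ssh-keygen -q -s "$work/user_ca" -I 'alice@example' -n 'alice' \
        -V '+52w' "$work/alice.pub" || return 1
    # Inspect the certificate: Type, Key ID, Principals, Valid: from/to.
    ssh-keygen -L -f "$work/alice-cert.pub" | grep 'Valid:'
    # Revoke the certificate: a server whose sshd_config sets RevokedKeys
    # to this KRL rejects it even before the validity window ends.
    ssh-keygen -k -f "$work/revoked.krl" "$work/alice-cert.pub" || return 1
    # Query the KRL; prints "... : REVOKED" (and exits non-zero) for the cert.
    ssh-keygen -Q -f "$work/revoked.krl" "$work/alice-cert.pub" || true
    rm -rf "$work"
}
```

Rotating the CA key, rather than every user key, is then the long-term key maintenance step, since a certificate signed by a retired CA is no longer accepted anywhere.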