[Openstack-security] List of steps to perform to prepare or condition long term keys?
Adam Young
ayoung at redhat.com
Tue Oct 29 18:14:54 UTC 2013
On 10/25/2013 03:25 AM, Jeffrey Walton wrote:
> I was reading through the OpenStack Security Guide dated Oct 25 2013
> for Havana (http://docs.openstack.org/sec/). Good job on that, by the
> way.
>
> Does anyone have a list of steps to perform to prepare or condition
> long term keys? For example, SSH keys should be regenerated, Samba's
> secret should probably be recreated (if present), Ubuntu's Snake Oil
> key should probably be deleted (if present), etc.
>
> I'm interested in both the bare metal OS and VM instances. (VM
> instances are somewhat covered under Chapter 43).
>
> Thanks in advance.
In general, direct key management is an antipattern: they don't have
revocation or expiration built in. Where possible, favor X509. For
automated management of X509 certificates we should coalesce around a
solution like Certmonger https://fedorahosted.org/certmonger/ . I am
interested in getting together an unconference session around this, or I
will try to work it into one of the security track discussions.