Password management with FreeIPA

Safely Stored

Shared Safes

Administrators can create safes and share them with different users (Listing 1). Then, the desired data can be stored in the Team Safe:

# ipa vault-archive team-keys --shared --in ~/team-keys.txt --password-file passwd.txt
--------------------------------
Archived data into vault "team-keys"
--------------------------------

Listing 1

Shared Safe

# kinit admin
Password for admin@EXAMPLE.COM:
# ipa vault-add team-keys --desc "Team keys" --type symmetric --shared --password-file passwd.txt
-----------------------------------
Added vault "team-keys"
-----------------------------------
  Vault name: team-keys
  Description: Team keys
  Type: symmetric
  Salt: J0aMaMWKgxf+0I59b2DKkA==
  Owner users: admin
  Shared vault: True
# ipa vault-add-member team-keys --shared --groups schalke --users tscherf
  Vault name: team-keys
  Description: Team keys
  Type: symmetric
  Salt: J0aMaMWKgxf+0I59b2DKkA==
  Owner users: admin
  Shared vault: True
  Member users: tscherf
  Member groups: schalke
--------------------------------------
Number of members added 2
--------------------------------------

When a user who is a member of the safe logs on, they can query the data, as long as they remember the password:

# kinit tscherf
Password for tscherf@EXAMPLE.COM:
[root@ipa01 ~]# ipa vault-retrieve team-keys --shared --out my-team-keys.txt --password-file passwd.txt

Asymmetric keys can be used instead of simple passwords; this is not only more secure, but also simplifies the handling of the safes (Listing 2).

Listing 2

Asymmetric Keys

# openssl genrsa -out mykey.pem 2048
# openssl rsa -in mykey.pem -pubout > mykey.pub
# ipa vault-add private --type asymmetric --public-key-file mykey.pub
----------------------
Added vault "private"
----------------------
  Vault name: private
  Type: asymmetric
  Public key:
    LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROE
    FNSUlCQ2dLQ0FRRUEycGtHL2YzTDd0VmpxblA2cTdPaApkMmJvbTFVTDhPeXdveXZTaXptdUYvME94
    NjErRWRIbmRld25icGlXYjdaaER4c05lVk14SXRpcGZZbW1tdzhKCml0RTVlcDhFa1U1VWhaemxsNW
    Q3eWFYU2VEa25pRVVEWUpMMkpHNDNJWmRFVVFuM1hWUWt4Q0xIN0xzVUI3V0oKUC94TFY4a1FHQXB
    QY1MzcUVyME44MTJ6Q1NPR1U1RDNvNTNoRFhhVG95Y1cwRW1UUldmNHQzNkFrcFhreGszbwo2eW0we
    UhJdmRCS3ZDbVRGVm1SeTdwVFlqbGxLVVNNYWpxSVNUdEFMRUxDclVySHZCSmJ6YzVqZmdUSVJYbVF
    nClhyV21UZXMzRHJqbFJjN2Q5MnpnZXJtUEtnbVRiMWxUL1pyVDhlQzB5Q0paSnNaSmJDOTVkVXRmK
    zNXZEFOY28KYXdJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner users: tscherf
  Vault user: tscherf
# ipa vault-archive private --in ~/data.txt
-----------------------------------
Archived data into vault "private"
-----------------------------------
# ipa vault-retrieve private --private-key-file=mykey.pem --out data.txt
--------------------------------------
Retrieved data from vault "private"
-------------------------------------
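
The retrieve step in Listing 2 succeeds only with the private key that belongs to the public key FreeIPA stores for the vault. As an added example that is not part of the article, the script below decodes the "Public key:" value FreeIPA displays for an asymmetric vault (the base64 of the PEM, as in Listing 2), checks that a local private key matches it before `ipa vault-retrieve` is attempted, and refuses a private key that other users can read. It assumes openssl and coreutils are installed; the key files and the blob are constructed locally for the demo.

```shell
#!/bin/sh
# Added example, not from the article: before running
# `ipa vault-retrieve --private-key-file`, confirm that the local private key
# belongs to the "Public key:" value FreeIPA displays for the asymmetric vault.
# FreeIPA shows that value as base64 of the PEM public key (see Listing 2).
# Requires openssl and base64; all keys below are constructed for the demo.
set -eu

# SHA-256 fingerprint of a DER-encoded public key read from stdin.
fingerprint_der() {
    openssl dgst -sha256 | awk '{print $NF}'
}

# Decode the base64 blob as printed by FreeIPA (it may be wrapped over
# several indented lines) back into the PEM public key.
vault_blob_to_pem() {  # $1 = base64 blob
    printf '%s' "$1" | tr -d ' \n' | base64 -d
}

# Returns 0 if the private key in $1 matches the vault public key in $2, else 1.
vault_key_matches() {
    want=$(vault_blob_to_pem "$2" | openssl pkey -pubin -outform DER | fingerprint_der)
    have=$(openssl pkey -in "$1" -pubout -outform DER | fingerprint_der)
    [ "$want" = "$have" ]
}

# Returns 0 only if the private key file is readable by its owner alone
# (mode 0600 or 0400); a key other users can read should not be used.
private_key_is_private() {  # $1 = private key file
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo: the same openssl steps as Listing 2, in a scratch directory.
demo_dir=$(mktemp -d)
openssl genrsa -out "$demo_dir/mykey.pem" 2048 2>/dev/null
chmod 600 "$demo_dir/mykey.pem"
openssl rsa -in "$demo_dir/mykey.pem" -pubout > "$demo_dir/mykey.pub" 2>/dev/null
# What FreeIPA would later display as "Public key:" for this vault (constructed here).
vault_pubkey_blob=$(base64 < "$demo_dir/mykey.pub" | tr -d '\n')

if vault_key_matches "$demo_dir/mykey.pem" "$vault_pubkey_blob" \
   && private_key_is_private "$demo_dir/mykey.pem"; then
    echo "private key matches the vault public key and is owner-only; safe to retrieve"
fi
```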

Conclusion

With the KRA (Key Recovery Authority), FreeIPA introduces an extremely useful function that lets users set up safes in which users and services can store data, which is then passed securely to the FreeIPA back end.

The Author

Thorsten Scherf is a Principal Consultant for Red Hat EMEA. You can meet him as a speaker at conferences. He is also a keen marathon runner whenever time and his family permit.
