Hello,
I have recently been looking into the password vault for IPA and would like to implement it; however, I have not been able to find an answer to a compliance question on it yet.
Does the IPA PW vault limit checking out the password for a shared ID to one person at a time? I am thinking this would ensure personal accountability for that ID being used, instead of allowing multiple people to check out the same ID password.
RHEL 7.3 IPA 4.4
Sean Hogan
On Mon, Jan 08, 2018 at 08:44:29AM -0700, Sean Hogan via FreeIPA-users wrote:
Hello,
I have recently been looking into the password vault for IPA and would like to implement it; however, I have not been able to find an answer to a compliance question on it yet.
Does the IPA PW vault limit checking out the password for a shared ID to one person at a time? I am thinking this would ensure personal accountability for that ID being used, instead of allowing multiple people to check out the same ID password.
RHEL 7.3 IPA 4.4
I'm not 100% sure what you are asking. Vault is for storing a secret. A shared vault means more than one person can read the vault. Authorised people can "retrieve" the secret, but the datum is the same for each person, and there is no concept of "checking out" or "locking".
Hope that helps, Fraser
Sean Hogan
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi Fraser,
Thanks for the reply. Agreed that a vault stores a secret; however, when that secret is, say, a pw for a shared ID like, for instance.... root. While a number of people can access the password for root in the vault, I might not want 20 people using the root pw at the same time because I am losing traceability as to who is using root. Other vaults use the concept of checking in/out the password, so while it is checked out no one else can get the password, leaving the traceability intact. When the password is checked in, the password is automatically reset so the last person that knew it can no longer use it without going through the check-out process again, which satisfies a lot of regulatory/audit concerns.
It would appear those types of features are not available in the IPA vault but wanted to confirm it with you all.
Sean Hogan
From: Fraser Tweedale via FreeIPA-users freeipa-users@lists.fedorahosted.org To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Sean Hogan schogan@us.ibm.com, Fraser Tweedale ftweedal@redhat.com Date: 01/08/2018 06:20 PM Subject: [Freeipa-users] Re: IPA Password Vault
On Mon, Jan 08, 2018 at 06:48:11PM -0700, Sean Hogan via FreeIPA-users wrote:
Hi Fraser,
Thanks for the reply. Agreed that a vault stores a secret; however, when that secret is, say, a pw for a shared ID like, for instance.... root. While a number of people can access the password for root in the vault, I might not want 20 people using the root pw at the same time because I am losing traceability as to who is using root. Other vaults use the concept of checking in/out the password, so while it is checked out no one else can get the password, leaving the traceability intact. When the password is checked in, the password is automatically reset so the last person that knew it can no longer use it without going through the check-out process again, which satisfies a lot of regulatory/audit concerns.
It would appear those types of features are not available in the IPA vault but wanted to confirm it with you all.
Hi Sean,
I can confirm that we don't support that. It is beyond the scope of what vault is (a simple secret store). What you really want is a system that releases unique one-time credentials to authorised users, and corresponding components on the target server(s) to validate these credentials (e.g. a PAM module) and generate relevant audit events. FreeIPA does not have this feature.
An alternative is to use HBAC rules and/or Sudo rules to limit who can log in to target servers, and who can perform particular privileged operations on target servers. FreeIPA enables this approach.
Cheers, Fraser
Sean Hogan
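The distinction Fraser draws, as an added example that is not FreeIPA code and not part of the thread: a plain shared vault (every authorised member retrieves the same datum, as FreeIPA vault does) beside a model of the exclusive check-out / rotate-on-check-in flow Sean describes, using a hypothetical in-memory store and constructed member lists.

```python
import secrets
from typing import Optional


class SharedVault:
    """FreeIPA-style shared vault: each authorised member retrieves the same secret."""

    def __init__(self, secret: str, members: list[str]) -> None:
        self._secret = secret
        self.members = set(members)
        self.audit: list[tuple[str, str]] = []  # (event, user)

    def retrieve(self, user: str) -> str:
        if user not in self.members:
            raise PermissionError(f"{user} is not a vault member")
        self.audit.append(("retrieve", user))
        return self._secret  # identical for everyone; no lock, no rotation


class CheckoutVault:
    """Exclusive check-out with automatic rotation on check-in (the flow Sean asked about)."""

    def __init__(self, members: list[str]) -> None:
        self.members = set(members)
        self._secret = secrets.token_urlsafe(16)  # hypothetical: rotated locally, not pushed to a host
        self.holder: Optional[str] = None         # who currently holds the credential
        self.audit: list[tuple[str, str]] = []

    def check_out(self, user: str) -> str:
        if user not in self.members:
            raise PermissionError(f"{user} is not a vault member")
        if self.holder is not None:
            # Only one person at a time: this is what preserves traceability.
            raise RuntimeError(f"already checked out by {self.holder}")
        self.holder = user
        self.audit.append(("check_out", user))
        return self._secret

    def check_in(self, user: str) -> None:
        if self.holder != user:
            raise RuntimeError("only the current holder may check in")
        # Rotate so the value the holder knew stops working.
        self._secret = secrets.token_urlsafe(16)
        self.holder = None
        self.audit.append(("check_in", user))

    def is_valid(self, candidate: str) -> bool:
        """Stand-in for the target host validating a presented credential."""
        return secrets.compare_digest(candidate, self._secret)
```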