To: openstack-dev
Subject: Re: [openstack-dev] Supporting SSH host certificates
And k8s has the benefit of already having been installed with certs that
had to get there somehow.. through a trust bootstrap.. usually SSH. ;)
Excerpts from Fox, Kevin M's message of 2017-10-09 17:37:17 +:
> Yeah, there is a way to do it today. it really sucks though for most users.
> Due t
From: Clint Byrum [cl...@fewbar.com]
Sent: Friday, October 06, 2017 3:24 PM
To: openstack-dev
Subject: Re: [openstack-dev] Supporting SSH host certificates
Excerpts from Giuseppe de Candia's message of 2017-10-06 13:49:43 -0500:
> Hi Clint,
>
> Isn't user-data by definition available via the Metadata API, which isn't
> considered secure:
> https://wiki.openstack.org/wiki/OSSN/OSSN-0074
>
Correct! The thinking is to account for the MITM attack vecto
On 2017-10-06 13:49:43 -0500 (-0500), Giuseppe de Candia wrote:
> Isn't user-data by definition available via the Metadata API,
> which isn't considered secure:
> https://wiki.openstack.org/wiki/OSSN/OSSN-0074
[...]
It depends on who you are. If you're the one deploying/running nova
then you can t
Hi Clint,
Isn't user-data by definition available via the Metadata API, which isn't
considered secure:
https://wiki.openstack.org/wiki/OSSN/OSSN-0074
Or is there a way to specify that certain user-data should only be
available via config-drive (and not metadata api)?
Otherwise, the only differen
ub.com/mikalstill/vendordata
> 4: https://athenz.io
>
>
> On Fri, Sep 29, 2017 at 5:17 PM, Fox, Kevin M wrote:
>
>> https://review.openstack.org/#/c/93/
>> --
>> *From:* Giuseppe de Candia [giuseppe.decan...@gmail.com]
>> *Sent:* Friday, September 29, 20
A long time ago, a few Canonical employees (Scott Moser was one of them,
forget who else was doing it, maybe Dave Walker and/or Dustin Kirkland)
worked out a scheme for general usage that doesn't require extra plumbing:
* Client generates a small SSH host key locally and pushes it into
user da
seppe de Candia [giuseppe.decan...@gmail.com]
>> *Sent:* Friday, September 29, 2017 1:05 PM
>> *To:* OpenStack Development Mailing List (not for usage questions)
>> *Subject:* Re: [openstack-dev] Supporting SSH host certificates
>>
>> Ihar, thanks for pointing that out -
> *To:* OpenStack Development Mailing List (not for usage questions)
> *Subject:* Re: [openstack-dev] Supporting SSH host certificates
>
> Ihar, thanks for pointing that out - I'll definitely take a close look.
>
> Jon, I'm not very familiar with Barbican, but I did ass
https://review.openstack.org/#/c/93/
From: Giuseppe de Candia [giuseppe.decan...@gmail.com]
Sent: Friday, September 29, 2017 1:05 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] Supporting SSH host certificates
Hi Ihar,
I have reviewed https://review.openstack.org/#/c/456394/ (Fetch hostkey
from port) and noted that:
1) that discussion is likely to stay among the Neutron developers only
(whereas I would like a wider audience, especially including Nova
developers)
2) that proposal does not consider SSH c
Ihar, thanks for pointing that out - I'll definitely take a close look.
Jon, I'm not very familiar with Barbican, but I did assume the full
implementation would use Barbican to store private keys. However, in terms
of actually getting a private key (or SSH host cert) into a VM instance,
Barbican d
What you describe (at least the use case) seems to resemble
https://review.openstack.org/#/c/456394/ This work never moved
anywhere since the spec was posted though. You may want to revive the
discussion in scope of the spec.
Ihar
On Fri, Sep 29, 2017 at 12:21 PM, Giuseppe de Candia
wrote:
> Hi
Giuseppe,
I'm pretty sure this is the project you want to look into:
http://git.openstack.org/cgit/openstack/barbican/
"Barbican is a ReST API designed for the secure storage, provisioning
and management of secrets, including in OpenStack environments."
-Jon
On Fri, Sep 29, 2017 at 02:21:06P
Hi Folks,
My intent in this e-mail is to solicit advice for how to inject SSH host
certificates into VM instances, with minimal or no burden on users.
Background (skip if you're already familiar with SSH certificates): without
host certificates, when clients ssh to a host for the first time (