Overview#

Password Vault 1.1 provides several enhancements over Password Vault 1.0.

New vault management commands:

  • Listing all accessible service and user vaults.

  • Changing vault type.

  • Changing vault password.

  • Changing vault keys.

New access control list:

  • A container owner can create and remove sub-containers and vaults in the container and manage the members and owners of the container, but cannot remove the container itself (see Reworked permissions below, which later restricts owner changes to vault administrators).

  • A container member can list sub-containers and vaults in the container.

  • An escrow officer can recover secrets and reset the vault password.

Vault Management#

Listing accessible vaults#

A user can search for the vaults they own or are a member of with the following command:

$ ipa vault-find [OPTIONS]

By default the command will list the vaults in the private container:

$ ipa vault-find
---------------
1 entries found
---------------
  Vault name: PrivateVault
  User name: testuser
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find all service vaults, specify --services:

$ ipa vault-find --services
---------------
1 entries found
---------------
  Vault name: test
  Service name: HTTP/server.example.com
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find the service vaults belonging to a specific service, specify --service:

$ ipa vault-find --service HTTP/server.example.com
---------------
1 entries found
---------------
  Vault name: test
  Service name: HTTP/server.example.com
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find shared vaults, specify --shared:

$ ipa vault-find --shared
---------------
1 entries found
---------------
  Vault name: test
  Shared: True
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find all user vaults, specify --users:

$ ipa vault-find --users
---------------
1 entries found
---------------
  Vault name: test
  User name: testuser
  Type: standard
----------------------------
Number of entries returned 1
----------------------------

To find the vaults belonging to a specific user, specify --user:

$ ipa vault-find --user testuser
---------------
1 entries found
---------------
  Vault name: test
  User name: testuser
  Type: standard
----------------------------
Number of entries returned 1
----------------------------
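As an added example (not part of this page or of the FreeIPA project), the following Python parses the "Label: value" layout that ipa vault-find prints, works out which container each vault lives in, and lists the vaults of type standard, the only type that needs no password or key pair on the client. The sample output, the function names and the container labels are this example's own; the output was constructed by hand in the layout shown above, not captured from a server.

```python
"""Parse `ipa vault-find` output and report which vaults use no client-side encryption.

Added example, not FreeIPA code.  SAMPLE_OUTPUT is constructed by hand in the
layout the vault-find examples above print; it was not captured from a server.
"""
import re

SAMPLE_OUTPUT = """\
---------------
3 entries found
---------------
  Vault name: PrivateVault
  User name: testuser
  Type: standard

  Vault name: test
  Service name: HTTP/server.example.com
  Type: symmetric

  Vault name: shared1
  Shared: True
  Type: asymmetric
----------------------------
Number of entries returned 3
----------------------------
"""

# Attribute lines are indented and look like "  Label: value".
ATTR_RE = re.compile(r"^\s+([A-Za-z][A-Za-z ]*):\s*(.*)$")
COUNT_RE = re.compile(r"^Number of entries returned (\d+)$", re.MULTILINE)


def parse_vault_find(text):
    """Return one dict per vault entry, keyed by the label vault-find prints."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue  # dashed rules, "N entries found", blank separators
        label, value = m.groups()
        if label == "Vault name":  # first attribute of every entry
            current = {}
            entries.append(current)
        if current is not None:
            current[label] = value
    return entries


def returned_count(text):
    """The count printed in the trailer, or None if the trailer is missing."""
    m = COUNT_RE.search(text)
    return int(m.group(1)) if m else None


def container_of(entry):
    """Map the printed attributes back to the container the vault lives in."""
    if entry.get("Shared") == "True":
        return "shared"
    if "Service name" in entry:
        return "service:" + entry["Service name"]
    if "User name" in entry:
        return "user:" + entry["User name"]
    raise ValueError("entry has no container attribute: %r" % entry)


def standard_vaults(entries):
    """(container, name) for every vault whose type is 'standard'.

    A standard vault needs no password or key pair on the client, so its
    secret is protected only by the vault service and its access control,
    not by anything the client holds; these are the vaults to review first.
    """
    return [(container_of(e), e["Vault name"])
            for e in entries if e.get("Type") == "standard"]


if __name__ == "__main__":
    found = parse_vault_find(SAMPLE_OUTPUT)
    if returned_count(SAMPLE_OUTPUT) != len(found):
        raise SystemExit("entry count does not match trailer: truncated output?")
    for container, name in standard_vaults(found):
        print("standard vault %r in %s" % (name, container))
```

Comparing the number of parsed entries with the "Number of entries returned" trailer catches output that was cut off by a pager or a broken pipe before it is acted on.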

Changing vault type#

An owner can change the vault type with the following command:

$ ipa vault-mod <name> --type <new type> [OPTIONS]

To change the vault type, the old encryption parameter needs to be specified:

  • standard: nothing

  • symmetric: password (--old-password or --old-password-file)

  • asymmetric: private key (--private-key-file)

and the new encryption parameter needs to be specified:

  • standard: nothing

  • symmetric: password (--new-password or --new-password-file)

  • asymmetric: public key (--public-key-file)

If a password is not specified, it will be requested interactively. A password given directly on the command line is visible to other local users in the process list and may be saved in the shell history, so in scripts prefer the --old-password-file and --new-password-file forms with files readable only by the owner.

To change a standard vault into a symmetric vault, the new password must be specified:

$ ipa vault-show test
  Vault name: test
  Type: standard

$ ipa vault-mod test --type symmetric
New password: ********
Verify password: ********
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: symmetric

To change a symmetric vault into an asymmetric vault, the old password and the new public key must be specified:

$ ipa vault-mod test --type asymmetric --public-key-file public.pem
Password: ********
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: asymmetric

To convert an asymmetric vault into a standard vault, the old private key must be specified:

$ ipa vault-mod test --type standard --private-key-file private.pem
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: standard
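The following Python is an added example (not part of this page or of FreeIPA) that turns the two parameter lists above into a checked command builder: it encodes which option unlocks the current contents and which one protects the new contents for every type transition, refuses a transition that is missing one, and passes secrets through files created with mode 0600 instead of on the command line. The function names, the temporary-directory demo and the sample password are this example's own; the same file handling applies to the non-interactive password change in the next section.

```python
"""Build an `ipa vault-mod --type` invocation that passes secrets through files.

Added example, not FreeIPA code.  OLD_PARAM and NEW_PARAM encode the
parameter each vault type needs on the old and on the new side, as listed
above.  Only the *-file forms are emitted: a value given with --old-password
or --new-password sits in the process argument list, where any local user can
read it, and an interactive shell keeps it in history.
"""
import os
import shutil
import stat
import tempfile

VAULT_TYPES = ("standard", "symmetric", "asymmetric")
# parameter that unlocks the current contents, per current type
OLD_PARAM = {"standard": None,
             "symmetric": "--old-password-file",
             "asymmetric": "--private-key-file"}
# parameter that protects the contents after the change, per new type
NEW_PARAM = {"standard": None,
             "symmetric": "--new-password-file",
             "asymmetric": "--public-key-file"}


def missing_parameters(old_type, new_type, old_file=None, new_file=None):
    """Names of the *-file options the transition needs but was not given."""
    missing = []
    if OLD_PARAM[old_type] and not old_file:
        missing.append(OLD_PARAM[old_type])
    if NEW_PARAM[new_type] and not new_file:
        missing.append(NEW_PARAM[new_type])
    return missing


def vault_mod_argv(name, old_type, new_type, old_file=None, new_file=None):
    """argv for `ipa vault-mod` changing vault NAME from OLD_TYPE to NEW_TYPE."""
    for t in (old_type, new_type):
        if t not in VAULT_TYPES:
            raise ValueError("unknown vault type %r" % t)
    missing = missing_parameters(old_type, new_type, old_file, new_file)
    if missing:
        raise ValueError("%s -> %s needs %s" % (old_type, new_type, ", ".join(missing)))
    # Refuse a file the transition does not use rather than silently ignore it.
    if old_file and not OLD_PARAM[old_type]:
        raise ValueError("a %s vault takes no old parameter" % old_type)
    if new_file and not NEW_PARAM[new_type]:
        raise ValueError("a %s vault takes no new parameter" % new_type)
    argv = ["ipa", "vault-mod", name, "--type", new_type]
    if old_file:
        argv += [OLD_PARAM[old_type], old_file]
    if new_file:
        argv += [NEW_PARAM[new_type], new_file]
    return argv


def write_secret_file(path, secret):
    """Create PATH readable only by its owner; fail instead of clobbering."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    return path


def file_mode(path):
    """Permission bits of PATH, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_standard_to_symmetric(name="test", password="correct horse\n"):
    """Write the new password (sample value, this example's own) to a 0600 file
    in a private scratch directory and build the command.
    Returns (argv, mode of the password file); the scratch directory is removed."""
    workdir = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    try:
        pw_file = write_secret_file(os.path.join(workdir, "new.pw"), password)
        argv = vault_mod_argv(name, "standard", "symmetric", new_file=pw_file)
        return argv, file_mode(pw_file)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(" ".join(vault_mod_argv("test", "symmetric", "asymmetric",
                                  old_file="old.pw", new_file="public.pem")))
```

os.O_EXCL makes the create fail if the path already exists, so a pre-planted symlink or an earlier leftover file cannot capture the password; running the command from the built argv with subprocess.run(argv) rather than through a shell string keeps the file names from being interpreted by the shell.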

Changing vault password#

An owner can change the password of a symmetric vault with the following command:

$ ipa vault-mod <name> [OPTIONS]

To change the password interactively:

$ ipa vault-mod test --change-password
Password: ********
New password: ********
Verify new password: ********
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: symmetric

To change the password non-interactively, read the old and new passwords from files:

$ ipa vault-mod test --old-password-file <old password file> --new-password-file <new password file>
---------------------
Modified vault "test"
---------------------
  Vault name: test
  Type: symmetric

Changing vault keys#

An owner can change the key pair of an asymmetric vault with the following command:

$ ipa vault-mod <name> [OPTIONS]

For example, to rotate the key pair, supply the current private key and the new public key:

$ ipa vault-mod test --private-key-file private.pem --public-key-file new-public.pem
---------------------
Modified vault "test"
---------------------

Access Control#

In Vault 1.1 a service can be added as a vault owner or member.

Adding vault member#

A vault owner can add members to the vault with the following command:

$ ipa vault-add-member <name> [--users <list of users>] [--groups <list of groups>] [--services <list of services>]

For example:

$ ipa vault-add-member MyVault --users testmember
---------------------------------
Added members to "MyVault" vault
---------------------------------

Removing vault member#

A vault owner can remove a member from the vault with the following command:

$ ipa vault-remove-member <name> [--users <list of users>] [--groups <list of groups>] [--services <list of services>]

For example:

$ ipa vault-remove-member MyVault --users testmember
-------------------------------------
Removed members from "MyVault" vault
-------------------------------------

Adding vault owner#

An owner can add another owner to the vault with the following command (after the permission rework described under Reworked permissions below, only a vault administrator can add or remove owners):

$ ipa vault-add-owner <name> [--users <list of users>] [--groups <list of groups>] [--services <list of services>]

For example:

$ ipa vault-add-owner MyVault --users testowner
----------------------------------
Added owners to "MyVault" vault
----------------------------------

Removing vault owner#

An owner can remove another owner from the vault with the following command (after the permission rework described under Reworked permissions below, only a vault administrator can add or remove owners):

$ ipa vault-remove-owner <name> [--users <list of users>] [--groups <list of groups>] [--services <list of services>]

For example:

$ ipa vault-remove-owner MyVault --users testowner
------------------------------------
Removed owners from "MyVault" vault
------------------------------------

Managing vault containers#

Vault containers are managed with the same pattern as the vault-show, vault-del, vault-add-owner and vault-remove-owner commands. A vault container holds vaults. There are three kinds of container: shared, per-user and per-service. A per-user or per-service container is created automatically together with the first vault of that user or service.

$ ipa vaultcontainer-show [--service <service>|--user <user>|--shared]
$ ipa vaultcontainer-del [--service <service>|--user <user>|--shared]
$ ipa vaultcontainer-add-owner [--service <service>|--user <user>|--shared]
        [--users <users>] [--groups <groups>] [--services <services>]
$ ipa vaultcontainer-remove-owner [--service <service>|--user <user>|--shared]
        [--users <users>] [--groups <groups>] [--services <services>]

Reworked permissions#

  • Added a new “Vault administrators” privilege. Vault administrators have unrestricted access to vaults and vault containers, including the power to add and remove owners of vaults and vault containers.

  • Removed the ability of vault owners to add and remove other vault owners. If a vault's owner needs to be changed, a vault administrator has to do it. Vault owners keep the ability to add and remove vault members.

  • When a new vault container is added, its owner is set to the current user. If the container's owner needs to be changed, a vault administrator has to do it.

  • Adding a vault or vault container is allowed only if its owner is set to the current user.
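The following Python is an added example (not part of this page or of FreeIPA, and not how FreeIPA enforces these rules, which is done by directory server ACIs) that writes the access rules of this page as one authorization function so the decisions can be checked case by case: the Vault administrators privilege overrides everything; vault owners manage members but not owners; owners of vaults and containers are changed only by a vault administrator; a container owner manages the container's contents and members but cannot delete the container; a container member may list it; an escrow officer can recover secrets and reset a vault password; a new vault or container must be owned by the user creating it. The action vocabulary, the Principal and Obj classes, the escrow-officer flag and the choice to apply the owner-equals-current-user rule to administrators as well (the page does not say whether they are exempt) are this example's own.

```python
"""Evaluate the vault and vault container access rules above as one function.

Added example, not FreeIPA code and not FreeIPA's enforcement mechanism.
Role names, the action vocabulary and the data classes are this example's own.
"""
from dataclasses import dataclass, field

VAULT_ADMIN = "Vault administrators"   # the privilege named above


@dataclass
class Principal:
    name: str
    privileges: set = field(default_factory=set)
    escrow_officer: bool = False   # assumption: modelled as a flag on the principal

    @property
    def is_vault_admin(self):
        return VAULT_ADMIN in self.privileges


@dataclass
class Obj:
    """A vault or a vault container; both carry owners and members."""
    kind: str                      # "vault" or "container"
    name: str
    owners: set = field(default_factory=set)
    members: set = field(default_factory=set)


ACTIONS = {
    "vault": {"add_member", "remove_member", "add_owner", "remove_owner",
              "recover_secret", "reset_password"},
    "container": {"list", "add_vault", "remove_vault", "add_container",
                  "add_member", "remove_member", "add_owner", "remove_owner",
                  "delete"},
}


def authorize(p, action, target, new_owner=None):
    """True if principal P may perform ACTION on TARGET.

    NEW_OWNER is the owner recorded on the vault or container being created
    (add_vault / add_container) and must be the acting user.
    """
    if action not in ACTIONS[target.kind]:
        raise ValueError("%r is not an action on a %s" % (action, target.kind))
    if action in ("add_vault", "add_container") and new_owner != p.name:
        return False          # new objects may only be owned by the creator
    if p.is_vault_admin:
        return True           # unrestricted, including ownership changes
    owner = p.name in target.owners
    member = p.name in target.members
    if action in ("add_owner", "remove_owner", "delete"):
        return False          # owners cannot change ownership or remove a container
    if action in ("recover_secret", "reset_password"):
        return p.escrow_officer
    if action == "list":
        return owner or member
    # add/remove member, add/remove vault, add sub-container
    return owner


if __name__ == "__main__":
    alice = Principal("alice")
    vault = Obj("vault", "MyVault", owners={"alice"})
    print("alice may add members:", authorize(alice, "add_member", vault))
    print("alice may add owners:", authorize(alice, "add_owner", vault))
```

Keeping the rule table in one function makes the two places where the page tightens earlier text visible as code: add_owner and remove_owner return False for everyone but a vault administrator, and the owner check for new objects runs before the administrator short-circuit.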

Status#

Completed changes:

  • Skip tests if KRA not available (pushed).

  • Validate vault’s file parameters (pushed).

  • Fixed missing KRA agent cert on replica (pushed).

  • Validate mutually exclusive options in vault-add (pushed).

  • Validate public key in client (pushed).

  • Add CLI param and ACL for vault service operations (pushed).

  • Allow overriding member param label in LDAPModMember (pushed).

  • Fix param labels in output of vault owner commands (pushed).

  • Fixed vault container ownership (pushed).

  • Normalize service principal in service vault operations (pushed).

  • Validate vault type (pushed).

  • Fix vault-find with criteria (pushed).

  • Add container information to vault command results (pushed).

  • Add flag to list all service and user vaults (pushed).

  • Add support for changing vault encryption (pushed).

  • Change default vault type to symmetric (pushed).

  • Fix vault tests after default type change (pushed).

  • Limit size of data stored in vault (pushed).

  • Using LDAPI to set up CA and KRA agents (pushed).

Test Plan#

http://www.freeipa.org/page/V4/Password_Vault/Test_Plan

References#