From Fedora Project Wiki
Latest revision as of 18:18, 16 November 2010
Elements
- central store
- commandline app
- passwords are always stored encrypted on the backend; the store never holds a plaintext passphrase
- gpg public-key encryption: a secret is encrypted to the key of every user who should have access, and is decrypted only on that user's machine with their private key
- audit trail
Interface
Global options
- -u/--username: FAS username. Used for looking up gpg key IDs and for expanding groups into their members.
List the available passphrases
<pre>
$ shared-secrets list
root                  @sysadmin-main
sigul-bridge          @rel-eng
transifex-ssh-agent   @sysadmin-web,@sysadmin-main
</pre>
This retrieves the list of secrets and the groups (or people) that should have access to each one. The listing is metadata only: no decryption is involved, so anyone who can reach the server can see which secrets exist and who holds them, but nothing about their contents.
options
- --date: show the date of the last modification of each passphrase. Note that a refresh also updates this date, so it does not by itself tell you when the passphrase value last changed.
- --expandgroups: expand groups into the list of usernames. Asks for the FAS password.
Retrieve the secret
<pre>
shared-secrets decrypt root
GPG Password(or agent):
iamnotapassword
</pre>
This retrieves the encrypted passphrase from the server and decrypts it on the local machine using the user's private key; the server only ever handles the ciphertext.
- Should this store in a file instead of printing to stdout?
Update the secret
<pre>
shared-secrets change-secret root
FAS passphrase:
New secret:
Repeat new secret:
Shared secret for root updated successfully
</pre>
- Retrieve the list of users who have access to root
- Retrieve the gpg public keys of those users
- Verify that each public key matches the key fingerprint recorded in FAS for that user; a key that does not match must not be encrypted to, since it would hand the secret to whoever controls the substituted key
- Encrypt the passphrase to all of the verified keys
- Send the encrypted passphrase to the server
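The fingerprint check in the steps above is the one place where the client decides whom a secret is really encrypted to, so it is worth seeing how it fails closed. The block below is an added example, not code from the shared-secrets project: the FAS lookup is stood in by a constructed dict, the local keyring by a constructed `gpg --with-colons --fingerprint` listing, and it assumes FAS records the full 40-hex fingerprint of each user's primary key. It only builds the gpg command line; it does not run gpg.

```python
"""Recipient verification for a change-secret style update (added example)."""
import re

# Constructed stand-in for the fingerprints FAS records for each user.
# Assumption: FAS holds the full 40-hex fingerprint of the user's primary key.
FAS_FINGERPRINTS = {
    "alice": "ABCD EF01 2345 6789 ABCD EF01 2345 6789 ABCD EF01",
    "bob":   "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "carol": "0000111122223333444455556666777788889999",  # key never imported
    "dave":  "FEDCBA9876543210",                           # short key ID only
}

# Constructed `gpg --with-colons --fingerprint` output for the local keyring.
# A primary key's `fpr:` record directly follows its `pub:` record; the
# `fpr:` record after a `sub:` record is a subkey fingerprint and is ignored.
KEYRING_LISTING = """\
tru::1:1289929000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1289929000:::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1289929000::0A1B2C3D::Alice Example <alice@example.org>::::::::::0:
pub:u:4096:1:FEDCBA9876543210:1289929000:::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1289929000::4E5F6A7B::Bob Example <bob@example.org>::::::::::0:
sub:u:4096:1:1111222233334444:1289929000::::::e::::::23:
fpr:::::::::1111222233334444111122223333444411112222:
"""

FULL_FPR = re.compile(r"^[0-9A-F]{40}$")


def normalize(fpr):
    """Upper-case and strip the spaces gpg prints in human-readable output."""
    return fpr.replace(" ", "").upper()


def primary_fingerprints(listing):
    """Return the set of primary-key fingerprints in a --with-colons listing."""
    found = set()
    expect_primary = False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "fpr" and expect_primary:
            found.add(fields[9])  # field 10 of an fpr record is the fingerprint
            expect_primary = False
        elif fields[0] == "sub":
            expect_primary = False
    return found


def verify_recipients(users, fas_fingerprints, listing):
    """Map each user to a verified fingerprint; fail closed on any doubt.

    Returns (fingerprints, problems). Encrypt only when `problems` is empty.
    """
    local = primary_fingerprints(listing)
    fingerprints, problems = [], []
    for user in users:
        recorded = fas_fingerprints.get(user)
        if recorded is None:
            problems.append("%s: no gpg fingerprint recorded in FAS" % user)
            continue
        fpr = normalize(recorded)
        if not FULL_FPR.match(fpr):
            # A 32- or 64-bit key ID is not a fingerprint: another key with
            # the same ID can be manufactured, so refuse to match on it.
            problems.append("%s: FAS records a key ID, not a full fingerprint" % user)
            continue
        if fpr not in local:
            problems.append("%s: key %s not in local keyring" % (user, fpr))
            continue
        fingerprints.append(fpr)
    return fingerprints, problems


def encrypt_command(users, fas_fingerprints, listing):
    """Build the gpg argv that encrypts stdin to every verified recipient."""
    fingerprints, problems = verify_recipients(users, fas_fingerprints, listing)
    if problems:
        raise ValueError("refusing to encrypt:\n" + "\n".join(problems))
    # Trust was established by the FAS fingerprint match, not by the web of
    # trust, so gpg's own trust calculation is bypassed deliberately.
    cmd = ["gpg", "--batch", "--armor", "--encrypt", "--trust-model", "always"]
    for fpr in fingerprints:
        cmd += ["--recipient", fpr]
    return cmd


if __name__ == "__main__":
    print(" ".join(encrypt_command(["alice", "bob"], FAS_FINGERPRINTS, KEYRING_LISTING)))
    print(verify_recipients(["carol", "dave", "erin"], FAS_FINGERPRINTS, KEYRING_LISTING)[1])
```

Recipients are passed to gpg as full fingerprints rather than names or key IDs, so the key gpg picks is exactly the one that was checked against FAS; any user whose key is missing, mismatched or recorded only as a key ID aborts the whole update rather than being silently skipped.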
Refresh the encryption on secrets
Warning: Not for removing people. Use this when adding people. When removing people, change the passphrases instead (see change-secret): re-encrypting a secret does not take back what a former member already knows.
<pre>
shared-secrets refresh [optional [list of people [and groups to refresh for]]]
FAS passphrase:
Refreshed for: root, transifex-ssh-agent
Error: Could not refresh for: sigul-bridge
</pre>
- Retrieve the list of secrets
- If refreshing for people, retrieve the group membership of each group listed in the secrets
- Check the given people and groups against the secrets' access lists
- For each secret the given people or groups have access to, refresh its encryption; this is only possible if you yourself have access to that secret, since it has to be decrypted before it can be re-encrypted
- Upload the re-encrypted secrets to the server
- Report which secrets succeeded and which failed
The user then asks someone who does have access to the failed secrets to run the refresh for those.
Create a new secret
<pre>
shared-secrets create-secret fedorahosted @sysadmin-main
FAS passphrase:
New secret:
Repeat new secret:
</pre>
- Retrieve the list of users in the listed groups
- Encrypt the secret to the gpg keys of all of those users (as for change-secret, each key should be checked against the fingerprint in FAS)
- Create the secret on the server
This will not overwrite an existing secret
Update access to a secret
<pre>
shared-secrets set-users fedorahosted @sysadmin-main @sysadmin-hosted
FAS passphrase:
GPG Password(or agent):
</pre>
Changes the users who have access to this secret and refreshes the encryption on the passphrase so that the new access list can decrypt it.
Warning: Also change-secret if removing users. If you remove a user, also change the passphrase. Just because they can't access this data anymore doesn't mean they don't remember the old passphrase or have a copy of the old data.
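The refresh procedure above and set-users both come down to the same two decisions: which secrets the caller is actually able to re-encrypt, and whether an access change shrank the audience (in which case a refresh is not enough and the passphrase must be rotated). The block below is an added example, not the shared-secrets project's code; the server, FAS group membership and the gpg step are replaced by constructed data, and it assumes that access-list entries starting with `@` are FAS groups while everything else is a username.

```python
"""Planning what refresh and set-users can do (added example)."""

# Constructed secret -> access list, mirroring the `shared-secrets list` output
# plus the fedorahosted secret from the create-secret example.
SECRETS = {
    "root": ["@sysadmin-main"],
    "sigul-bridge": ["@rel-eng"],
    "transifex-ssh-agent": ["@sysadmin-web", "@sysadmin-main"],
    "fedorahosted": ["@sysadmin-main"],
}

# Constructed FAS group membership (assumption: '@' marks a group).
GROUPS = {
    "@sysadmin-main": {"alice", "bob"},
    "@rel-eng": {"carol"},
    "@sysadmin-web": {"dave"},
    "@sysadmin-hosted": {"erin"},
}


def expand(access, groups):
    """Expand an access list of groups and users into the set of usernames."""
    users = set()
    for entry in access:
        if entry.startswith("@"):
            users |= groups.get(entry, set())
        else:
            users.add(entry)
    return users


def plan_refresh(caller, secrets, groups, targets=None):
    """Decide which secrets `caller` can re-encrypt.

    A refresh decrypts a secret and re-encrypts it to its current access
    list, so only secrets the caller can already read can be refreshed.
    `targets` optionally restricts the run to secrets whose access list
    mentions one of the given people or groups, as the optional argument
    to `shared-secrets refresh` does.
    Returns (refreshed, failed) as sorted lists of secret names.
    """
    refreshed, failed = [], []
    for name, access in sorted(secrets.items()):
        members = expand(access, groups)
        if targets is not None:
            if not any(t in access or t in members for t in targets):
                continue
        if caller in members:
            refreshed.append(name)
        else:
            failed.append(name)
    return refreshed, failed


def plan_set_users(secret, new_access, secrets, groups):
    """Compute the effect of set-users on one secret.

    Returns (added, removed, rotate_required). Anyone in `removed` has been
    able to read the plaintext; re-encrypting without them does not undo
    that, so a removal must be followed by change-secret.
    """
    before = expand(secrets[secret], groups)
    after = expand(new_access, groups)
    added = sorted(after - before)
    removed = sorted(before - after)
    return added, removed, bool(removed)


if __name__ == "__main__":
    ok, bad = plan_refresh("alice", SECRETS, GROUPS)
    print("Refreshed for: " + ", ".join(ok))
    if bad:
        print("Error: Could not refresh for: " + ", ".join(bad))
    added, removed, rotate = plan_set_users(
        "fedorahosted", ["@sysadmin-hosted"], SECRETS, GROUPS)
    print("added=%s removed=%s rotate_required=%s" % (added, removed, rotate))
```

Run as alice, the report matches the page's sample: root and transifex-ssh-agent are refreshed and sigul-bridge fails, because alice is not in @rel-eng and so cannot decrypt it in the first place. The set-users planner returns a non-empty `removed` list whenever a group change drops someone, which is exactly the case the warning above says must be followed by change-secret rather than a plain refresh.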