-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
admin user should be able to change their password. #34
Comments
The best part is no part.... Could we do away with the password entirely? We have a spire server. We could use a jwt issued by spire for special admin access? |
Thanks a lot @kfox1111, that's an intriguing idea.
SPIKE Nexus, a SPIFFE-enabled secrets store, relies on the SPIRE server for issuing identities (SVIDs) to workloads. The SPIKE Pilot binary already uses x509 SVIDs to identify itself, leveraging SPIFFE's robust service-to-service authentication capabilities. However, human identity verification poses unique challenges. While workloads seamlessly integrate with SPIFFE’s identity model, humans require additional considerations for secure and practical authentication. Here are some challenges: Human Identity Verification
Password as a Dual-Purpose Mechanism Admin passwords currently serve two critical purposes:
There are two things here, that makes the problem hairy:
-- I do believe that the ideal system ("the best part is no part") minimizes complexity; and until we get there, we still can balance usability, security, and feasibility: We can:
For example; As a primary authentication mechanism
On top of that we can:
And as a cherry on the top, we can:
And in addition to all those, we can enable MFA by combining:
-- But before we get there, it'd be good to have an admin password that conventional users can use in their dull conventional worlds :) It's easier to trust machines than humans. |
@jbeda had some ideas about this too by the way; if we can securely deliver SVIDs to humans; things would be easier. What I have in mind is to use DNS TXT records for proof of self and SPIFFE ID issuance. Or using an HSM/TPM was something else that was on my mind. QRCodes was somethig I thought. Another tangent I pondered whas whether an authority can actually issue SPIFFEID for people in SANs of certs (i.e.: But I'm wildly guessing, speculating, and thinking out loud at the moment. |
Anohter idea:
Problem: how do you securely deliver the OTP? -- spiffe over Blockchain: I feel it will cause more problems than it solves. -- using NFC/RFID chips that has unique spiffeids. -- that would require convincing people to use hardware. -- another option operating systems (or browsers) natively supporting spiffeids. I mean, since I log in to my OS, my OS knows me, after some biometric attestation (fingerprint, retina scan etc) I can be issued an SVID that I can use wherever I want. If any of you folks know anyone in cupertinoe that might be interested in this, we could initiate a discussion :) . |
Yes, but sort of.... In a pinch, a spire-agent with unix attestor can identify individual users. This may just be enough for admin identification for initial bootstrapping/recovery purposes.
Ah. I see. This does conflate the two though and probably shouldnt? I can see the need for Key Recovery. But, should this be the same string (password) used for an admin user? I'm thinking not. I also think maybe there is a third thing being conflated here.... Lets take linux as an example. You may have multiple admins involved. You have root, the traditional admin, which is its own account, and hopefully is not used for anything except fixing something horribly broken. And then you have other admins, such as 'kfox', that can do things and occasionally sudo run something. For admins, SPIKE is going to need:
👍
We do need a solution to recovery. Just not sure passwords are the best way to do it. Especially passwords (plural)
A token isn't useful without someone vetting it.... Say I buy a YubiKey from Amazon. It is in no way associated with me until someone trusted creates that association. My org though, signed me up with their OIDC instance, checking my identity (drivers license, bills, passport, etc), and that on the YubiKey, and then associated Me, and the YubiKey with my identity in their own server. Now that server will vouch for me if I use that YubiKey. IMO, SPIKE shouldn't be in that business. Its complicated to get right, and duplicates code/process other projects/orgs are doing. OIDC allows that to be completely outsourced and its up to the auth provider to do that, and we just trust the OIDC provider. As the SPIKE deployer, which OIDC servers to trust is the main concern I think?
A lot of OIDC providers will already deal with the MFA bits themselves. Probably do not have to do anything specific there, keeping things simple. Admins can determine what level of trust there, by choosing which OIDC implementations(servers) they delegate to.
Thats the problem with passwords. Your trusting a human, with limited memory, with a string a machine cares about and hope it stays secure. Thats proven hard. :/ I'm still thinking rather then a human with a password, we can find a way to have a small quorum of machines with independent secret material can reform the decryption keys. Then there need not be a human in the loop there at all. A recovery pw in the very short term until that system is designed is ok, but should be killed as soon as it can be I think. And until that day, we need to figure out how to minimize that password to just the absolute bare minimal places it must be used to prevent it leaking out. |
In our case assuming we have N keepers, unless N keepers fail simultaneously, the root key (and any other key) can "in theory" be recovered. So I geolocate (say) 6 keepers in 3 availability zones. Then I should be extremely unlucky to lose them all. --> that would sort out "do we need something to encrypt the root key?" problem. -- short answer: No, as long as we have enough keepers alive (that may also establish a quorum) we don't need any human to encrypt (or even know , or care about) the rooot key.
Agreed.
Agreed too. I just scanned the rest of the message; will read it again and respond accordingly. Also, if the trust boundary at the machine level, then we don't need separate passwords at all:
And since [1] solves the need to encrypt the root key, we won't need passwords ever. My reasoning is:
So we can still use a good old password, if it keeps people happy; but even with the password, if Chuk Norris has not set up the machine properly, Jane Doe won't be able to get/set any secrets. So Jane's password reduces to just a random string to identify herself for auditing purposes, and nothing else. If Jane gives her passowrd to Jack; then Jack will still have to log in to the machine. So Jack will have to pass Chuck Norris before he can even use SPIKE. |
Key @kfox1111 I had a chance to think about this a bit. Here are my comments:
That's a good idea. The admin user should already have an SVID for "their" user anyway. For example the following entry identifies the user:
So the fact that the user can use the SPIKE Pilot (the So I think, we should be EXPLICIT in stating that the password is for KEY RECOVERY ONLY. And the admin could opt out if they want to (because it's not the only way to recover a key: For example, I can provide SPIKE my public key and ask it to encrypt the root key for me instead later; OR I can provide a password later with a
Possible :)
^ that needs to be a user story on its own. We can start experimenting with keycloak and see how it goes from there. An OIDC is an OIDC is an OIDC anyway -- how different can they be :)
I think We can have a SPIFFE ID like So. If hell broke lose, I'll assign myself a superadmin SVID; fix stuff, and then unregister that SVID. For named admins, we'd need OIDC, which can wait for a while. For now, one superadmin is good enough.
Yes, and I agree that it's not worth introducing to complexity, unless either of us want to found a TPM/human-id startup (which is not a bad idea ideed :))
LOL, but agreed. -- So in short, the above approach I think...
-- I'll think about it a bit more and create necessary user stories. |
We'll ask for the old password for security.
The text was updated successfully, but these errors were encountered: