Parsec with multiple authenticators #249

Closed
hug-dev opened this issue Sep 15, 2020 · 2 comments · Fixed by #273
Labels: multitenancy (Getting Parsec to provide isolated key stores for multiple clients based on an identity mechanism), question (Further information is requested), security (Issues related to the security and privacy of the service)

hug-dev commented Sep 15, 2020

With #200 and #232 we can imagine a future where we will have three possible authentication methods:

  1. Direct authentication using the parsec-clients group to restrict access on the socket
  2. Unix Peer Credentials authentication
  3. SPIFFE/SPIRE based authentication

This raises multiple questions:

As our threat model and code assume that the deployment is secure enough for direct authentication, we can securely add more authenticators in the code base respecting the same requirements.
However, if we want to loosen those requirements when using other authenticators and remove the current restrictions for Parsec clients:

  • they have to trust each other
  • they have to be part of the parsec-clients group

The questions above will have to be answered and modifications done in the code and the documentation.

hug-dev commented Sep 16, 2020

Adding a possible threat: if multiple authentication methods are concurrently allowed, how do we deal with two authenticators returning the same application name? Should that allow using the same keys, or should we add one more layer in the key store for the authenticator name?
Another level of isolation could protect the keys created with another authenticator from one with a vulnerability.

hug-dev commented Oct 14, 2020

We will first allow only one authenticator at a time. There is a possible threat if an authenticator is re-configured while keys are stored in Parsec. If that happens, the same keys will be accessible with another authentication method, with different security protections. For now, we will add a WARNING notice in the configuration file to warn the admin not to re-configure the authenticator if there are existing keys.

See #271 for reference.
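The two threats raised in this thread (a shared application name across authenticators, and an authenticator being re-configured while keys exist) sketched as an added example; this is not Parsec's own code, and the `AuthenticatorId` variants, the `KeyIdentity` layout and the `check_authenticator_config` startup check are assumed names for illustration:

```rust
use std::collections::{HashMap, HashSet};

/// The three authentication methods listed in the issue (constructed identifiers).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum AuthenticatorId {
    Direct,
    UnixPeerCredentials,
    Spiffe,
}

/// Key identity with the extra "authenticator" layer proposed in the Sep 16 comment.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct KeyIdentity {
    pub authenticator: AuthenticatorId,
    pub app_name: String,
    pub key_name: String,
}
impl KeyIdentity {
    pub fn new(authenticator: AuthenticatorId, app: &str, key: &str) -> Self {
        KeyIdentity { authenticator, app_name: app.into(), key_name: key.into() }
    }
}
/// In-memory stand-in for the key store; values are opaque key material.
#[derive(Default)]
pub struct KeyStore {
    keys: HashMap<KeyIdentity, Vec<u8>>,
}
impl KeyStore {
    pub fn insert(&mut self, id: KeyIdentity, material: Vec<u8>) {
        self.keys.insert(id, material);
    }
    /// Scoped by authenticator, so two authenticators reporting the same app name never share a key.
    pub fn get(&self, id: &KeyIdentity) -> Option<&[u8]> {
        self.keys.get(id).map(Vec::as_slice)
    }
    /// Authenticators that own at least one stored key.
    pub fn authenticators_in_use(&self) -> HashSet<AuthenticatorId> {
        self.keys.keys().map(|k| k.authenticator).collect()
    }
}

/// Startup check for the re-configuration threat in the Oct 14 comment: refuse
/// to start if stored keys belong to an authenticator other than the configured one.
pub fn check_authenticator_config(store: &KeyStore, configured: AuthenticatorId) -> Result<(), String> {
    let foreign: Vec<AuthenticatorId> =
        store.authenticators_in_use().into_iter().filter(|a| *a != configured).collect();
    if foreign.is_empty() { Ok(()) } else {
        Err(format!("keys exist for {:?} but {:?} is configured", foreign, configured))
    }
}
```

The check turns the configuration-file warning into a hard failure at service start, which is the point at which an operator can still fix the configuration without any key having been reachable under the wrong rules.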
