Looking for ideas: simple kerberos/gssapi authenticated key-value data store

Peter Wemm

2 min read

I have a problem that has irritated me for a while.

I have lots of FreeBSD machines and jails. In general, all the command and control is pull based. For the most part, this works fine. Except where that's mighty inconvenient.

For the sake of keeping the discussion simple, I'd like to collect things ssh host key fingerprints for publishing as dnssec-signed SSHFP records.

I do have a unique Kerberos key for each machine. I know one of my colleagues uses openldap and gssapi with this per-machine key to self-register fingerprints in his ldap database. This sort of approach would be ideal except there's no way in hell I want to put openldap-client on every machine and jail, and I have trust issues with the whole ldap thing anyway.

I have another trivial mechanism for reporting and statistics gathering with these machines but it isn't designed to resist abuse. I'd need to initialize another per-machine key for signing reports etc.

What I want is something trivial like a simple gssapi accessible key-value store with acls. Very much like kadmin/kadmind except with arbitrary data rather than user/host keys/passwords. I want something with a trivial footprint, preferably a .c file I can compile in the base system without other ports/packages.

Before I write something, can anyone think of such a thing?

Imagine this:

myhost.freebsd.org# sshfp=$(ssh-keygen -r . | sed -e 's/.*SSHFP //')
myhost.freebsd.org# kvstore -i host/$hostname -k /etc/krb5.keytab -h kv-master.freebsd.org $hostname/sshfp "$sshfp"

Then I'd have a convenient pool of data to validate, transform and publish. Obviously there needs to be an acl system so that the server only lets "host/$foo" update "$foo/*" in its store.

I'm not looking for a NSA-proof system, just something that's convenient for storing non-critical data with a trivial client-side footprint. The data would not be secret, but at the same time it's got to cross the internet backbone so it shouldn't be in the clear either.

Does anyone know of such a thing? Or have other suggestions? If so, please let me know! Any other ideas?

Update: twitter post here

Of note:

  • I don't want to generate more secrets per host, just for this. I know I can do it with TLS client certs etc, but that's another out-of-band initialization that I don't want to do.
  • I specifically don't want to bring in a stack of dependencies. I'm looking for something to compile against a naked FreeBSD base system, so that means gssapi/kerberos/openssl/cc/c++ at the most.
  • To be clear, I'm not looking for it to write to the Kerberos database, but instead leverage Kerberos/gssapi authentication to send data to a different key-value store.
  • Server-side can be more substantial, it is the client that needs to be trivial.