Zeroising of keys in credentialz proto
Below requests have a way to zeroize keys:
- AuthorizedKeysRequest : Explicitly states "If zero SSH keys are specified, currently configured SSH keys for the user will be cleared from configuration."
- AuthorizedUsersRequest : Explicitly states "If no authorized principals are specified, currently configured authorized principals for the user will be cleared from configuration.”
The following request types lack equivalent zero-key clearing semantics:
- GenerateKeysRequest
- CaPublicKeyRequest.ssh_ca_public_keys
- ServerKeysRequest.auth_artifacts
- PasswordRequest.accounts
PasswordRequest.accounts
The password management through PasswordRequest updates password with gNSI having the highest precedence , but the specification provides no mechanism for account deletion or password removal.
Once a password is set via gNSI, it cannot be deleted through gNSI operations
GNMI and traditional configuration methods or vendor config cannot override or remove gNSI-managed passwords due to precedence rules
No equivalent to the "zero" clearing mechanism exists for password accounts via GNSI. If we zeroize password for given account should the user be deleted. How is user management done, is it via gnsi or gnmi . Since proto says password request it to manage only password for user which already exists.
Zeroising of keys in credentialz proto
Below requests have a way to zeroize keys:
The following request types lack equivalent zero-key clearing semantics:
PasswordRequest.accounts
The password management through PasswordRequest updates password with gNSI having the highest precedence , but the specification provides no mechanism for account deletion or password removal.
Once a password is set via gNSI, it cannot be deleted through gNSI operations
GNMI and traditional configuration methods or vendor config cannot override or remove gNSI-managed passwords due to precedence rules
No equivalent to the "zero" clearing mechanism exists for password accounts via GNSI. If we zeroize password for given account should the user be deleted. How is user management done, is it via gnsi or gnmi . Since proto says password request it to manage only password for user which already exists.