On 02/19/2014 11:01 PM, Dmitri Pal wrote:
> On 02/19/2014 03:30 PM, Petr Spacek wrote:
>> On 19.2.2014 21:13, Dmitri Pal wrote:
>>> On 02/19/2014 01:49 PM, Petr Spacek wrote:
>>>> Hello list,
>>>>
>>>> I just came across this page:
>>>> http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards
>>>>
>>>> If I understand correctly, it allows you to store & use your personal SSH
>>>> keys via the PKCS#11 interface.
>>>>
>>>> It sounds like a killer feature to me!
>>>>
>>>> Imagine that you can log in to any machine in the IPA realm and you will have
>>>> all your SSH keys with you, without any extra work.
>>>>
>>>> This extends seamless SSO outside the enterprise (we have Kerberos for
>>>> inside, this doesn't change that).
>>>>
>>>> Petr^2 Spacek
>>>>
>>>> P.S. It is natively supported in OpenSSH v5.4p1 - we have PKCS#11 support
>>>> in Fedora 20 already.
>>>
>>> What are the implications for SSSD and IPA? What needs to be changed, if
>>> anything?
>>
>> First of all, we need the PKCS#11 provider. We plan to write it for DNSSEC
>> and CA rotation anyway, we just need to think about the different use case
>> during the design phase.
>>
>> The rest should 'just work'. (As usual, nobody knows beforehand where the
>> dead dog is buried :-))
>>
> Provider? You mean SSSD exposing data as a PKCS#11 provider? I understand it
> in the case when data comes from the central server and needs to be passed to
> consumers via the PKCS#11 interface, but in this case the data comes from a
> user and actually should not come from SSSD but rather from a real smart card
> inserted by the user. What am I missing?
I am also not following. We already have support for storing public SSH keys
for users, which are then fed to sshd via sss_ssh_authorizedkeys. What you
described seems rather a different means of giving my SSH private keys to the
ssh client - they do not live in ~/.ssh/ but rather on a smart card. So IIUC,
this should work out of the box with FreeIPA.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
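The two halves Martin describes (private key on the card, public key served by IPA) only meet if the card's public keys are actually registered in IPA. The script below is an added example, not from the thread or from the FreeIPA/SSSD/OpenSSH projects: it pulls the public halves off the token with ssh-keygen -D, sanity-checks each line (the key blob's first field must name the same algorithm as the line's type, which catches lines mangled by copy-paste or a broken module), registers them with ipa user-mod, and loads the card into the agent with ssh-add -s. Assumptions: the OpenSC module lives at /usr/lib64/opensc-pkcs11.so (Fedora x86_64), --sshpubkey replaces the user's whole key list rather than appending, and the host's sshd_config already has the AuthorizedKeysCommand lines that ipa-client-install normally writes. The sample key lines in the test are constructed, not keys from any real card.

```shell
#!/bin/sh
# Added example: wire smart-card SSH keys (PKCS#11) into an IPA realm.
# Assumption: OpenSC's PKCS#11 module path on Fedora x86_64; override via env.
PKCS11_MODULE=${PKCS11_MODULE:-/usr/lib64/opensc-pkcs11.so}

# Key types OpenSSH can present from a PKCS#11 token (RSA and ECDSA are what
# common cards hold; ed25519 is listed for completeness).
is_known_key_type() {
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Validate one "type base64 [comment]" line as ssh-keygen -D prints it.
# The base64 blob starts with a uint32 length and the algorithm name, so a
# well-formed line has blob-prefix == len(type) || type. Returns 0 if valid.
check_pubkey_line() {
    ck_line=$1
    ck_type=${ck_line%% *}
    ck_rest=${ck_line#* }
    [ "$ck_rest" != "$ck_line" ] || return 1          # no space: no blob at all
    ck_b64=${ck_rest%% *}
    is_known_key_type "$ck_type" || return 1
    case "$ck_b64" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;                # not base64
    esac
    ck_blob_hex=$(printf '%s' "$ck_b64" | base64 -d 2>/dev/null \
                  | od -An -tx1 -v | tr -d ' \n')
    ck_type_hex=$(printf '%s' "$ck_type" | od -An -tx1 -v | tr -d ' \n')
    ck_expect=$(printf '%08x' "${#ck_type}")$ck_type_hex
    [ "${#ck_blob_hex}" -ge "${#ck_expect}" ] || return 1
    case "$ck_blob_hex" in
        "$ck_expect"*) return 0 ;;
        *)             return 1 ;;                       # blob names another algorithm
    esac
}

# Public halves of every key on the card, in authorized_keys format
# (this prompts for the PIN on most tokens).
card_pubkeys() {
    ssh-keygen -D "$PKCS11_MODULE"
}

# Register the card's keys for an IPA user so sss_ssh_authorizedkeys can hand
# them to sshd on every enrolled host. Assumption: --sshpubkey replaces the
# whole key set, so every key to keep must be passed in this one call.
register_card_keys() {
    rk_user=$1
    set --
    while IFS= read -r rk_line; do
        [ -n "$rk_line" ] || continue
        if check_pubkey_line "$rk_line"; then
            set -- "$@" "--sshpubkey=$rk_line"
        else
            printf 'skipping malformed key line: %s\n' "$rk_line" >&2
        fi
    done <<EOF
$(card_pubkeys)
EOF
    [ $# -gt 0 ] || { echo "no usable keys on the card" >&2; return 1; }
    ipa user-mod "$rk_user" "$@"
}

# Client side: hand the card to ssh-agent; ssh then offers its keys to any host.
# Alternative without an agent: "PKCS11Provider $PKCS11_MODULE" in ~/.ssh/config.
load_card_into_agent() {
    ssh-add -s "$PKCS11_MODULE"
}

# Server side (already present on IPA-enrolled hosts, shown here for reference):
#   AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
#   AuthorizedKeysCommandUser nobody

# Usage: register_card_keys "$USER" && load_card_into_agent && ssh host.example.test
```

check_pubkey_line only proves the line is well-formed; it says nothing about whether IPA accepted it. After ipa user-mod, run sss_ssh_authorizedkeys USER on a target host (after sss_cache -u USER if the old entry is cached) and confirm the card's key is in the output before relying on it.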