On 20.2.2014 09:35, Jan Cholasta wrote:
On 19.2.2014 23:01, Dmitri Pal wrote:
On 02/19/2014 03:30 PM, Petr Spacek wrote:
On 19.2.2014 21:13, Dmitri Pal wrote:
On 02/19/2014 01:49 PM, Petr Spacek wrote:
Hello list,

I just came across this page:
http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards

If I understand correctly, it allows you to store & use your personal SSH
keys via the PKCS#11 interface.

It sounds like a killer feature to me!

Imagine that you can log in to any machine in the IPA realm and you will
have all your SSH keys with you, without any extra work.

This extends seamless SSO outside the enterprise (we have Kerberos for
inside, this doesn't change that).

Petr^2 Spacek

P.S. It is natively supported in OpenSSH v5.4p1 - we have PKCS#11
support in Fedora 20 already.


What are the implications for SSSD and IPA? What needs to be changed
if anything?

First of all, we need the PKCS#11 provider. We plan to write it for
DNSSEC and CA rotation anyway; we just need to think about the different
use case during the design phase.

The rest should 'just work'. (As usual, nobody knows beforehand where
the dead dog is buried :-))

Provider? You mean SSSD exposing data as a PKCS#11 provider? I
understand it in the case when data comes from central server and needs
to be passed to consumers via PKCS#11 interface but in this case data
comes from a user and actually should not come from SSSD but rather a
real smart card inserted by user. What am I missing?

Petr suggests we store users' private keys in IPA. I don't see any benefit in
this, but it is doable with what we are planning for DNSSEC and CA rotation.

I have discussed this with Honza in person. He didn't consider roaming users, i.e. users moving from one workstation to another workstation. This solves the problem of safe key distribution between machines.

Another advantage is that a non-root process can't steal a user's private key. (Compare this with file-based storage: any process running with user privileges can read the key from ~/.ssh/.)

Of course, you can do the same thing with real smartcard but - who does that in practice? :-)

--
Petr^2 Spacek
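The OpenSSH PKCS#11 support the thread refers to is driven through ssh-add and ssh-keygen; the following shell script is an added example, not code from the thread or from the FreeIPA/SSSD projects, showing how a token is attached to the agent so the private key never lands in ~/.ssh/, and contrasting that with the file-based case Petr describes. The provider path is an assumption (it varies by distribution and by PKCS#11 module), and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: using OpenSSH's native PKCS#11 support so that private
# keys stay on the token and the agent only proxies signing requests.
# The module path is an assumption; point it at the PKCS#11 library that
# is actually installed (OpenSC, SoftHSM, a vendor library, ...).
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/pkcs11/opensc-pkcs11.so}"

# ssh-add will dlopen whatever path it is handed, so sanity-check the
# provider first: it must be a regular, readable shared object.
check_provider() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    case "$1" in
        *.so|*.so.*) return 0 ;;
        *) return 1 ;;
    esac
}

# The property the thread contrasts with token-held keys: a file-based key
# is readable by every process running with the user's privileges.
# Returns 0 when the path is a readable regular file, i.e. when any
# same-uid process could simply copy it.
key_exposed_on_disk() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Attach the token to the running ssh-agent. ssh-add prompts for the PIN;
# afterwards the agent answers signing requests, but the private key
# itself is never loaded into any process's memory.
load_token() {
    check_provider "$PKCS11_MODULE" || {
        echo "not a usable PKCS#11 provider: $PKCS11_MODULE" >&2
        return 1
    }
    ssh-add -s "$PKCS11_MODULE" || return 1
    ssh-add -L          # public halves now served by the agent
}

# Detach the token again, e.g. before leaving the workstation.
unload_token() {
    ssh-add -e "$PKCS11_MODULE"
}

# Print the token's public keys in authorized_keys format without going
# through the agent, e.g. to publish them as the user's SSH public key.
token_public_keys() {
    check_provider "$PKCS11_MODULE" || return 1
    ssh-keygen -D "$PKCS11_MODULE"
}

# Only act when invoked with a verb; sourcing the file defines the
# functions without touching any hardware.
case "${1:-}" in
    load)   load_token ;;
    unload) unload_token ;;
    pub)    token_public_keys ;;
esac
```

Run it as `sh script.sh load` after inserting the token; `ssh-add -L` should then list the token's public keys, while `key_exposed_on_disk ~/.ssh/id_rsa` for a traditional key returns 0, which is exactly the exposure the PKCS#11 route avoids.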

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
