[Freeipa-devel] OpenSSH with PKCS#11 for key storage
Dmitri Pal
dpal at redhat.com
Wed Feb 19 22:01:12 UTC 2014
On 02/19/2014 03:30 PM, Petr Spacek wrote:
> On 19.2.2014 21:13, Dmitri Pal wrote:
>> On 02/19/2014 01:49 PM, Petr Spacek wrote:
>>> Hello list,
>>>
>>> I just came across this page:
>>> http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards
>>>
>>> If I understand correctly, it allows you to store & use your
>>> personal SSH keys via the PKCS#11 interface.
>>>
>>> It sounds like a killer feature to me!
>>>
>>> Imagine that you can log in to any machine in the IPA realm and you
>>> will have all your SSH keys with you, without any extra work.
>>>
>>> This extends seamless SSO outside the enterprise (we have Kerberos for
>>> inside, this doesn't change that).
>>>
>>> Petr^2 Spacek
>>>
>>> P.S. It is natively supported in OpenSSH v5.4p1 - we have PKCS#11
>>> support in
>>> Fedora 20 already.
>>
>> What are the implications for SSSD and IPA? What needs to be changed
>> if anything?
>
> First of all, we need the PKCS#11 provider. We plan to write it for
> DNSSEC and CA rotation anyway, we just need to think about this
> different use case during the design phase.
>
> The rest should 'just work'. (As usual, nobody knows beforehand where
> the dead dog is buried :-))
>
Provider? You mean SSSD exposing data as a PKCS#11 provider? I
understand it in the case when data comes from a central server and needs
to be passed to consumers via the PKCS#11 interface, but in this case the
data comes from a user and actually should not come from SSSD but rather
from a real smart card inserted by the user. What am I missing?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
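The workflow the thread refers to, loading smart-card keys into ssh-agent through OpenSSH's native PKCS#11 support, as an added shell example; it is not part of the original thread or of any FreeIPA/SSSD code. The provider path is an assumption (OpenSC's module is used only as a placeholder; set PKCS11_MODULE to whatever provider is installed), and the load/unload helpers assume a running ssh-agent and an inserted token. The preflight checks are there so a missing module or an unset SSH_AUTH_SOCK fails early with a clear message instead of an opaque ssh-add error.

```shell
#!/bin/sh
# Added example (not from the thread): serve smart-card keys from ssh-agent
# via OpenSSH's PKCS#11 support. The module path below is an assumption;
# point PKCS11_MODULE at the PKCS#11 provider actually installed on the host.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/pkcs11/opensc-pkcs11.so}"

# Sanity checks before touching the agent: the provider library must exist
# (status 1 otherwise) and an agent socket must be configured (status 2).
# Returns 0 only when both hold; it does not verify that the socket is live.
pkcs11_preflight() {
    [ -f "$1" ] || { echo "no PKCS#11 module at $1" >&2; return 1; }
    [ -n "$SSH_AUTH_SOCK" ] || { echo "SSH_AUTH_SOCK not set; start ssh-agent first" >&2; return 2; }
    return 0
}

# Load every key on the token into the agent. ssh-add -s prompts for the
# card PIN; the private key never leaves the card, the agent only proxies signing.
pkcs11_load() {
    pkcs11_preflight "$1" || return $?
    ssh-add -s "$1"
}

# Remove the token's keys from the agent again, e.g. before leaving a shared host.
pkcs11_unload() {
    pkcs11_preflight "$1" || return $?
    ssh-add -e "$1"
}

# Count the public keys the agent currently offers. After pkcs11_load this
# should include the card's keys; "The agent has no identities." is not counted.
agent_key_count() {
    ssh-add -L 2>/dev/null | grep -c -e '^ssh-' -e '^ecdsa-' -e '^sk-'
}

# Agent-less alternative for a single connection: ssh -I takes the provider
# directly, so nothing is cached in an agent at all. Extra arguments go to ssh.
pkcs11_ssh_once() {
    module="$1"; shift
    [ -f "$module" ] || { echo "no PKCS#11 module at $module" >&2; return 1; }
    ssh -I "$module" "$@"
}

# Usage when run directly (skipped when the functions are sourced):
#   PKCS11_MODULE=/path/to/provider.so sh thisfile.sh
if [ "${0##*/}" = "pkcs11-agent-demo.sh" ]; then
    pkcs11_load "$PKCS11_MODULE" && echo "agent now offers $(agent_key_count) key(s)"
fi
```

pkcs11_preflight is deliberately separate from the ssh-add calls so it can be exercised without a token: with a non-existent module it returns 1 without ever contacting the agent, and with SSH_AUTH_SOCK unset it returns 2.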