[Freeipa-devel] OpenSSH with PKCS#11 for key storage

Martin Kosek mkosek at redhat.com
Thu Feb 20 08:27:43 UTC 2014


On 02/19/2014 11:01 PM, Dmitri Pal wrote:
> On 02/19/2014 03:30 PM, Petr Spacek wrote:
>> On 19.2.2014 21:13, Dmitri Pal wrote:
>>> On 02/19/2014 01:49 PM, Petr Spacek wrote:
>>>> Hello list,
>>>>
>>>> I just came across this page:
>>>> http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards
>>>>
>>>> If I understand correctly, it allows you to store & use your personal SSH
>>>> keys via PKCS#11 interface.
>>>>
>>>> It sounds like a killer feature to me!
>>>>
>>>> Imagine that you can log in to any machine in the IPA realm and you will have
>>>> all your SSH keys with you, without any extra work.
>>>>
>>>> This extends seamless SSO outside the enterprise (we have Kerberos for
>>>> inside, this doesn't change that).
>>>>
>>>> Petr^2 Spacek
>>>>
>>>> P.S. It is natively supported in OpenSSH v5.4p1 - we have PKCS#11 support in
>>>> Fedora 20 already.
>>>
>>>
>>> What are the implications for SSSD and IPA? What needs to be changed if
>>> anything?
>>
>> First of all, we need the PKCS#11 provider. We plan to write it for DNSSEC
>> and CA rotation anyway; we just need to think about the different use case during
>> the design phase.
>>
>> The rest should 'just work'. (As usual, nobody knows beforehand where the
>> dead dog is buried :-))
>>
> Provider? You mean SSSD exposing data as a PKCS#11 provider? I understand it in
> the case when data comes from central server and needs to be passed to
> consumers via PKCS#11 interface but in this case data comes from a user and
> actually should not come from SSSD but rather a real smart card inserted by
> user. What am I missing?

I am also not following. We already have support for storing public SSH keys
for users, which are then fed to sshd via sss_ssh_authorizedkeys. What you
described seems rather a different means of giving my SSH private keys to the
ssh client - they do not live in ~/.ssh/ but rather on a smart card. So IIUC,
this should work out of the box with FreeIPA.

Martin
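To make the two halves of the setup Martin describes concrete, here is an added example (not code from the thread, from SSSD or from the FreeIPA project): the server side lets sshd fetch the user's public keys from IPA through sss_ssh_authorizedkeys, and the client side exports the public half from the token with ssh-keygen -D, publishes it with ipa user-mod --sshpubkey, and loads the private half into the agent with ssh-add -s. It assumes an IPA-enrolled client with SSSD, an OpenSC-style PKCS#11 module at the path in PKCS11_MODULE (an assumption; adjust for your distribution), and a token that already holds a key pair. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: OpenSSH + PKCS#11 private keys with IPA-published public keys.
# Not from the mailing-list thread, SSSD or FreeIPA; names below are hypothetical.
# Assumed module path (override with PKCS11_MODULE=... in the environment).
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib64/pkcs11/opensc-pkcs11.so}"

# --- Server side -----------------------------------------------------------
# sshd_config directives that make sshd ask SSSD for the user's public keys
# instead of (or in addition to) reading ~/.ssh/authorized_keys.
render_sshd_authorizedkeys() {
    cat <<'EOF'
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser nobody
EOF
}

# Check an sshd_config file: sshd ignores AuthorizedKeysCommand unless
# AuthorizedKeysCommandUser is also set, so both lines must be present.
# Returns 0 when the file is wired to sss_ssh_authorizedkeys, 1 otherwise.
sshd_uses_sssd() {
    grep -Eq '^[[:space:]]*AuthorizedKeysCommand[[:space:]]+/usr/bin/sss_ssh_authorizedkeys' "$1" &&
    grep -Eq '^[[:space:]]*AuthorizedKeysCommandUser[[:space:]]+[^[:space:]]' "$1"
}

# --- Client side (needs the token plugged in; not run by the test) ----------
# Print the public keys the token exposes, in authorized_keys format.
token_pubkeys() {
    ssh-keygen -D "$PKCS11_MODULE"
}

# Publish the token's first public key as the IPA user's SSH public key.
# The private key never leaves the card; only the public half goes to IPA.
publish_token_key() {
    user="$1"
    key="$(token_pubkeys | head -n 1)"
    [ -n "$key" ] || { echo "no key found on token" >&2; return 1; }
    ipa user-mod "$user" --sshpubkey="$key"
}

# Make the agent use the token's private key for subsequent ssh connections.
# Equivalent to passing -I "$PKCS11_MODULE" to ssh for a single connection.
load_token_into_agent() {
    ssh-add -s "$PKCS11_MODULE"
}

# Typical use on the client, after the server side is in place:
#   publish_token_key alice && load_token_into_agent && ssh alice@host.example.test
```

sssd itself caches the published keys, so after `ipa user-mod` the key is available to every IPA-enrolled sshd that queries sss_ssh_authorizedkeys, while the private key stays on the card and travels with the user, which is the point Petr raised.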
