[Freeipa-devel] OpenSSH with PKCS#11 for key storage

Petr Spacek pspacek at redhat.com
Thu Feb 20 08:58:46 UTC 2014


On 20.2.2014 09:35, Jan Cholasta wrote:
> On 19.2.2014 23:01, Dmitri Pal wrote:
>> On 02/19/2014 03:30 PM, Petr Spacek wrote:
>>> On 19.2.2014 21:13, Dmitri Pal wrote:
>>>> On 02/19/2014 01:49 PM, Petr Spacek wrote:
>>>>> Hello list,
>>>>>
>>>>> I just came across this page:
>>>>> http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards
>>>>>
>>>>> If I understand correctly, it allows you to store & use your
>>>>> personal SSH
>>>>> keys via PKCS#11 interface.
>>>>>
>>>>> It sounds like a killer feature to me!
>>>>>
>>>>> Imagine that you can log-in to any machine in IPA realm and you will
>>>>> have
>>>>> all your SSH keys with you, without any extra work.
>>>>>
>>>>> This extends seamless SSO outside the enterprise (we have Kerberos for
>>>>> inside, this doesn't change that).
>>>>>
>>>>> Petr^2 Spacek
>>>>>
>>>>> P.S. It is natively supported in OpenSSH v5.4p1 - we have PKCS#11
>>>>> support in
>>>>> Fedora 20 already.
>>>>
>>>>
>>>> What are the implications for SSSD and IPA? What needs to be changed
>>>> if anything?
>>>
>>> First of all, we need the PKCS#11 provider. We plan to write it for
>>> DNSSEC and CA rotation anyway; we just need to think about the different
>>> use case during the design phase.
>>>
>>> The rest should 'just work'. (As usual, nobody knows beforehand where
>>> the dead dog is buried :-))
>>>
>> Provider? You mean SSSD exposing data as a PKCS#11 provider? I
>> understand it in the case when data comes from central server and needs
>> to be passed to consumers via PKCS#11 interface but in this case data
>> comes from a user and actually should not come from SSSD but rather a
>> real smart card inserted by user. What am I missing?
>
> Petr suggests we store users' private keys in IPA. I don't see any benefit in
> this, but it is doable with what we are planning for DNSSEC and CA rotation.

I have discussed this with Honza in person. He didn't consider roaming users, 
i.e. users moving from one workstation to another. This solves the 
problem of safe key distribution between machines.

Another advantage is that a non-root process can't steal the user's private key. 
(Compare this with file-based storage: any process running with the user's 
privileges can read the key from ~/.ssh/.)

Of course, you can do the same thing with real smartcard but - who does that 
in practice? :-)

-- 
Petr^2 Spacek
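As an added illustration of the file-exposure point above (not code from this thread or from FreeIPA), the following POSIX shell audit lists private-key files under a directory, which any process running with the user's privileges can read, and counts keys the running agent serves from a PKCS#11 provider. It assumes that `ssh-add -L` shows the provider path in the comment of keys loaded with `ssh-add -s <provider>`.

```shell
#!/bin/sh
# Added example: contrast on-disk SSH private keys (readable by every
# process with the user's privileges, whatever the file mode) with keys
# an agent serves from a PKCS#11 provider (private material never leaves
# the token/provider).

# Print the path of every regular file directly under $1 whose first line
# is a PEM/OpenSSH private-key header. Files are not descended recursively.
list_disk_private_keys() {
    dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -maxdepth 1 -type f 2>/dev/null | sort | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done
}

# Count keys the running ssh-agent serves from PKCS#11 provider $1.
# Assumption: for keys added with "ssh-add -s <provider>", ssh-add -L
# prints the provider path as the key comment. Prints 0 when no agent is
# reachable or no such key is loaded.
count_agent_pkcs11_keys() {
    provider="$1"
    ssh-add -L 2>/dev/null | grep -c -- "$provider" || true
}

# Usage when run directly: audit ~/.ssh and the default OpenSC provider path
# (the path is an assumption; adjust for your distribution).
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    echo "Private keys on disk (readable by any process running as $USER):"
    list_disk_private_keys "$HOME/.ssh"
    echo "Keys served by the agent from /usr/lib64/opensc-pkcs11.so:"
    count_agent_pkcs11_keys /usr/lib64/opensc-pkcs11.so
fi
```

Run with `AUDIT_RUN=1 sh audit.sh` to see the report; the functions can also be sourced into another script.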
