Mark McLoughlin wrote:
Note that libvirtd _doesn't_ quite support this sort of access because it doesn't support wildcards in the commonNames in the client certificates, but that would be a useful and simple addition.I don't grok this ... why would you want a wildcard in the subjectName of a client certificate? Or do you mean allowing wildcards in the access control list of client subjectNames?
At the moment: The server reliably knows only the IP address of the client.It is given a certificate by the client, which it checks for validity against the CA. It also checks the subjectAltName.iPAddress or commonName field is the IP address (just using strcmp).
It may also check that the client's IP address is on a whitelist contained in the server configuration file, although by default this check is switched off.
So you can set up a CA and issue certificates to your clients to control access, but the certificates must contain the right IP address for the client (the client cannot be mobile in other words).
This weekend I was coincidentally looking at how client certification works in browsers, and there authentication is based on all fields in the Distinguished Name. So you can use any CA, and an access control list of clients held on the server. See for example:
http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particularI'm not sure what is better and I don't plan on implementing this right away. I think we need to talk to some real world users.
Rich. -- Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/ Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 03798903
Description: S/MIME Cryptographic Signature