On 10/13/2011 04:05 AM, Gerhardus Geldenhuis wrote:
> On Wed, Oct 12, 2011 at 8:53 PM, Rich Megginson <rmegg...@redhat.com> wrote:
>>> The second part of the question is how would this work with
>>> regards to ssh authentication. Somehow via pam and ssh the
>>> certificate must be passed on to 389 when the authentication
>>> happens. I am not sure this is currently possible with pam but
>>> would be interested in any suggestions to achieve something like
>>> this.
>> pam_pkcs11? Note that ssh public keys are not the same as the
>> public key part of an x509 certificate - you cannot mix and match
>> them afaik. What exactly are you trying to do? Do ssh/pam
>> authentication and have ssh retrieve the public key from LDAP?
> Hi Rich,
> I will try to get my ducks in a row and explain what I am trying to do:
> When you start at my employer you are issued a certificate from ejbca,
> which I assume is similar in functionality to dogtag. This certificate
> is then downloaded once, and is your key to all things web based. Thus
> web servers have been modified to certificate based authentication,
> which makes accessing anything very easy since you never have to type
> your password when accessing jira or confluence or any other web based
> service.
> The certificates issued to people have quite aggressive settings with
> regards to expiry dates, and access can thus be more tightly controlled
> even if someone forgets to execute a "leavers" process. I want to make
> use of this strong control when authenticating users on Linux boxes.
> The following extract from the ssh man pages caught my interest:
> man ssh
> A variation on public key authentication is available in the form of
> certificate authentication: instead of a set of public/private keys,
> signed certificates are used. This has the advantage that a single
> trusted certification authority can be used in place of many
> public/private keys. See the CERTIFICATES section of ssh-keygen(1)
> for more information.
> man ssh-keygen
> It is possible to sign using a CA key stored in a PKCS#11 token by
> providing the token library using -D and identifying the CA key by
> providing its public half as an argument to -s:
> So after reading these man pages and reading about certificate based
> authentication in 389 I thought maybe 1+1=3 (aka might get more for my
> money/effort).
> The idea is thus that when I create my keypair in ssh I can sign them
> with my certificate (might not be possible, might need the CA to do
> that...). This keypair is passed on when I do the authentication and
> is in turn passed on to 389 where it will deny/allow my access. This
> is very simplified and I can poke a million holes through the idea
> currently, but that is what I am trying to do.
It looks as though you either need the CA cert/key to pass to ssh-keygen
in order to generate an ssh cert with public key, signed by the CA, or
you need to have the CA itself generate signed ssh certs. The man page
says that ssh certs are "simplified" versions of X509 certs - not sure
exactly what that means, but I read that as "the cert issued to you by
ejbca cannot be used for ssh authentication".
> If I can have ssh/pam authentication and have ssh retrieve the public key
> from LDAP that might be a consolation prize.
That is possible, but I don't think that's really what you are trying to
do. It really sounds like what you want to do is:
1) generate an ssh compatible cert (or pub/priv key pair) using your
existing cert that is issued by ejbca - that may be possible, but you'll
need to have the ssh cert signed by the ejbca - could be difficult
or
2) use your regular x509 cert for ssh authentication - it doesn't look
as though ssh supports this although it's not clear from the man page -
would be a very good feature for ssh though
> Hope this clarifies what I am trying to do. I might have a few
> concepts still muddled together in my head...
> Best Regards
> --
> Gerhardus Geldenhuis
--
389 users mailing list
389-us...@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
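The ssh-keygen certificate flow the thread circles around, as an added example that is not from the list thread, from 389, or from OpenSSH's own documentation: a local CA key signs a user key into an OpenSSH certificate with a one-day validity, the script then checks the certificate's Signing CA fingerprint and principals the way a server-side reviewer would, and shows that ssh-keygen -L refuses anything that is not an OpenSSH certificate (a bare public key here, and likewise an X.509 PEM). It assumes a modern ssh-keygen on PATH; the key names, the key id and the principal "gerhardus" are constructed.

```shell
# Added example, not from the thread: mint an OpenSSH user certificate with
# a local CA key and inspect what a server-side verifier gets to see.
# Assumptions: a modern ssh-keygen (ed25519, SHA256 fingerprints) on PATH.
# All key names, the key id and the principal "gerhardus" are constructed.
set -eu
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA key. In the thread's scenario this private half stays on the CA (or
# in a PKCS#11 token selected with -D); here it is a file for the demo.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ssh-ca' -f "$WORK/ca"
}

# User keypair plus certificate. -s names the CA key, -I the key id that
# shows up in sshd logs, -n the principals the cert may log in as, and -V
# a short validity window: the "aggressive expiry" Gerhardus wants.
sign_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$WORK/$1"
    ssh-keygen -q -s "$WORK/ca" -I "$1-cert" -n "$1" -V +1d "$WORK/$1.pub"
    # ssh-keygen writes the certificate to $WORK/$1-cert.pub
}

# Compare the Signing CA fingerprint embedded in the cert with the
# fingerprint of the CA key we actually trust; succeeds only on a match.
cert_signed_by_ca() {
    ca_fp=$(ssh-keygen -l -f "$WORK/ca.pub" | awk '{print $2}')
    cert_ca_fp=$(ssh-keygen -L -f "$1" | awk '/Signing CA:/ {print $4}')
    [ -n "$cert_ca_fp" ] && [ "$cert_ca_fp" = "$ca_fp" ]
}

# List the principals baked into the cert: sshd grants login only for
# these names (or for what AuthorizedPrincipalsFile maps them to).
cert_principals() {
    ssh-keygen -L -f "$1" | awk '/Principals:/ {f=1; next} /Critical Options:/ {f=0} f {print $1}'
}

# ssh-keygen -L only parses OpenSSH certificates; a bare public key (and
# likewise an X.509 PEM from ejbca) is refused, which is the format gap
# Rich points at.
is_ssh_cert() {
    ssh-keygen -L -f "$1" >/dev/null 2>&1
}

make_ca
sign_user_key gerhardus
ssh-keygen -L -f "$WORK/gerhardus-cert.pub"
```

On the server side the matching trust anchor is the CA public key listed via TrustedUserCAKeys in sshd_config; the checks above mirror what sshd evaluates before it ever consults LDAP.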