On 10/13/2011 04:05 AM, Gerhardus Geldenhuis wrote:
The second part of the question is how would this
work with regards to ssh authentication. Somehow via
pam and ssh the certificate must be passed on to 389
when the authentication happens. I am not sure this is
currently possible with pam but would be interested in
any suggestions to achieve something like this.
pam_pkcs11? Note that ssh public keys are not the same as
the public key part of an x509 certificate - you cannot mix
and match them afaik. What exactly are you trying to do?
Do ssh/pam authentication and have ssh retrieve the public
key from LDAP?
Hi Rich,
I will try to get my ducks in a row and explain what I am
trying to do:
When you start at my employer you are issued a certificate
from ejbca which I assume is similar in functionality to
dogtag. This certificate is then downloaded once, and is your
key to all things web-based. Thus web servers have been
modified to use certificate-based authentication, which makes
accessing anything very easy since you never have to type your
password when accessing jira or confluence or any other web-based
service.
The certificates issued to people have quite aggressive
settings with regard to expiry dates, and access can thus be
more tightly controlled even if someone forgets to execute a
"leavers" process. I want to make use of this strong control
when authenticating users on Linux boxes.
The following extract from the ssh man pages caught my
interest:
man ssh
A variation on public key authentication is available in
the form of certificate authentication: instead of a set of
public/private keys, signed certificates are used. This has
the advantage that a single trusted certification authority
can be used in place of many public/private keys. See the
CERTIFICATES section of ssh-keygen(1) for more information.
man ssh-keygen
It is possible to sign using a CA key stored in a PKCS#11
token by providing the token library using -D and identifying
the CA key by providing its public half as an argument to -s:
So after reading these man pages and reading about
certificate-based authentication in 389, I thought maybe 1+1=3
(aka I might get more for my money/effort).
The idea is thus that when I create my keypair in ssh I can
sign it with my certificate (might not be possible, might
need the CA to do that...). This keypair is passed on when I do the
authentication and is in turn passed on to 389, where it will
deny/allow my access. This is very simplified and I can poke a
million holes through the idea currently, but that is what I am
trying to do.
It looks as though you either need the CA cert/key to pass to
ssh-keygen in order to generate an ssh cert with public key, signed
by the CA, or you need to have the CA itself generate signed ssh
certs. The man page says that ssh certs are "simplified" versions
of X509 certs - not sure exactly what that means, but I read that as
"the cert issued to you by ejbca cannot be used for ssh
authentication".
If I can have ssh/pam authentication and have ssh retrieve the
public key from LDAP, that might be a consolation prize.
That is possible, but I don't think that's really what you are
trying to do. It really sounds like what you want to do is:
1) generate an ssh-compatible cert (or pub/priv key pair) using your
existing cert that is issued by ejbca - that may be possible, but
you'll need to have the ssh cert signed by the ejbca - could be
difficult
or
2) use your regular x509 cert for ssh authentication - it doesn't
look as though ssh supports this although it's not clear from the
man page - would be a very good feature for ssh though
Hope this clarifies what I am trying to do. I might have a
few concepts still muddled together in my head...
Best Regards
--
Gerhardus Geldenhuis
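A worked example of the ssh-keygen path Rich describes above (an OpenSSH CA signing a user's public key into a certificate with a short validity window, and sshd trusting that CA), added here as an illustration and not part of any message in this thread. The key file names, the principal name "gerhardus", the 8-hour lifetime and the sshd_config paths are all assumptions; ssh-keygen must be installed, and the private CA key is generated on disk here only for the demonstration.

```shell
#!/bin/sh
# Added example (not from the 389-users thread): mint a short-lived OpenSSH
# user certificate with ssh-keygen and inspect it. Everything here (file
# names, the principal "gerhardus", the 8h lifetime, the sshd_config paths)
# is an assumption made for the demonstration.
set -eu

issue_user_cert() {
    # usage: issue_user_cert <workdir>
    # Returns 0 on success, 2 if ssh-keygen is not installed.
    dir=$1
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    mkdir -p "$dir"

    # 1. CA key pair. In a real deployment the private half stays on a
    #    PKCS#11 token/HSM and signing uses `ssh-keygen -D <lib> -s <ca.pub>`
    #    as the ssh-keygen man page extract quoted in the thread describes.
    ssh-keygen -q -t ed25519 -N '' -C 'example user CA' -f "$dir/user_ca" </dev/null

    # 2. The user's ordinary SSH key pair; the private half stays with the user.
    ssh-keygen -q -t ed25519 -N '' -C 'user key' -f "$dir/id_ed25519" </dev/null

    # 3. Sign only the user's *public* key with the CA key:
    #    -I  key identity, written to sshd's auth log on every login
    #    -n  principals (account names) the holder may log in as
    #    -V  validity window; a short one gives the "aggressive expiry"
    #        control the thread wants without any revocation list
    ssh-keygen -q -s "$dir/user_ca" -I 'gerhardus@example' -n gerhardus \
        -V +8h "$dir/id_ed25519.pub"

    # 4. ssh-keygen writes the certificate as a separate file next to the key.
    test -f "$dir/id_ed25519-cert.pub"
}

cert_principals() {
    # Print the principals embedded in a certificate, one per line, by
    # parsing `ssh-keygen -L` output (the indented lines between
    # "Principals:" and "Critical Options:").
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

sshd_trust_snippet() {
    # sshd_config lines that make a server trust certificates from this CA.
    # AuthorizedPrincipalsFile maps a local account to the principals it
    # accepts, so deleting a user's entry cuts off access immediately and
    # independently of the CA (the "leavers" case from the thread).
    cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}

# Stand-alone run: build everything in a temp dir and show the result.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    issue_user_cert "$work"
    ssh-keygen -L -f "$work/id_ed25519-cert.pub"
    sshd_trust_snippet
fi
```

Run it as `sh example.sh run`; the `ssh-keygen -L` output shows the Key ID, the `Valid: from ... to ...` window and the principal list that sshd will enforce. Note what the certificate does not contain: it is an OpenSSH-format object signed by an OpenSSH CA key, not an X.509 certificate, so an ejbca-issued X.509 certificate cannot be dropped in here directly; the user's ssh key must be signed by a CA key that sshd has been told to trust.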
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users