RFE: OpenSSH Support for PKCS11 Funneling to PAM for Kerberos/PKINIT

I know OpenSSH currently supports PKCS11 devices (such as smartcards)
for publickey authentication, but I would love to see PKCS11 extended
further.  It is currently possible to perform PKCS11 certificate
authentication, via pam_krb5.so (on Linux at least and likely something
similar on other *NIX) which allows smartcard auth to a Kerberos
(including AD) server, where a TGT can also be granted.  How difficult
would it be to add functionality to OpenSSH so that it can funnel PKCS11
certs from SSH client to server and on to PAM where it could be used by
Kerberos/PKINIT?  My thought is that this is at least partway there
with the current PKCS11 support but I won't claim to be an expert
regarding the internals of what would be needed.  I would think that a
number of places using smartcards (I currently work for a gov agency
that uses smartcards) would find this approach to have additional
security and management features (given real-time validation against a
Kerberos/AD server) over using publickey auth (based on PKCS11) and also
having the added benefit of granting a TGT on sign-in, enabling SSO
(GSSAPI) to additional backend servers.

What are thoughts on this functionality being added to OpenSSH?  Am I
the first to suggest such a thing?


Jim

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
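As an added example that is not part of Jim's post or of OpenSSH itself, the script below audits the two pieces the post says already exist for local smartcard logins: a krb5.conf that points PKINIT at a PKCS11 module and a PAM stack that calls pam_krb5 with a PKINIT option. It assumes MIT Kerberos (`pkinit_identities`, `pkinit_anchors`) and Russ Allbery's pam-krb5 (`try_pkinit` / `use_pkinit`); the sample config files are constructed inline. It only checks the server-local PKINIT configuration; it does not implement the client-to-server funneling the post asks for, which OpenSSH does not provide.

```shell
#!/bin/sh
# Added example (not from the original post): audit a krb5.conf and a PAM
# stack for the settings pam_krb5 needs to do PKINIT against a smartcard.
# Assumed option names: MIT krb5 pkinit_identities / pkinit_anchors and
# pam-krb5 try_pkinit / use_pkinit.

# check_pkinit_config KRB5CONF PAMFILE
# Returns 0 when all three settings are present, 1 otherwise, naming
# each missing item on stderr.
check_pkinit_config() {
    krb5conf="$1"
    pamfile="$2"
    status=0
    # PKINIT must read the client certificate from the token, not a file.
    if ! grep -Eq '^[[:space:]]*pkinit_identities[[:space:]]*=[[:space:]]*PKCS11:' "$krb5conf"; then
        echo "missing: pkinit_identities = PKCS11:... in $krb5conf" >&2
        status=1
    fi
    # Without trust anchors the KDC's certificate cannot be validated.
    if ! grep -Eq '^[[:space:]]*pkinit_anchors[[:space:]]*=' "$krb5conf"; then
        echo "missing: pkinit_anchors in $krb5conf" >&2
        status=1
    fi
    # The auth stack must invoke pam_krb5 with a PKINIT option.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_krb5\.so.*(try_pkinit|use_pkinit)' "$pamfile"; then
        echo "missing: pam_krb5.so with try_pkinit/use_pkinit in $pamfile" >&2
        status=1
    fi
    return $status
}

# write_samples DIR: constructed sample configs (one good, one incomplete).
write_samples() {
    dir="$1"
    cat > "$dir/krb5-good.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_anchors = FILE:/etc/krb5/cacert.pem
        pkinit_identities = PKCS11:module_name=/usr/lib/opensc-pkcs11.so
    }
EOF
    # Incomplete: certificate comes from a file and no anchors are pinned.
    cat > "$dir/krb5-bad.conf" <<'EOF'
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_identities = FILE:/home/user/cert.pem,/home/user/key.pem
    }
EOF
    cat > "$dir/pam-good" <<'EOF'
auth    sufficient    pam_krb5.so try_pkinit
auth    required      pam_unix.so
EOF
}

# Demo when run directly.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
if check_pkinit_config "$demo_dir/krb5-good.conf" "$demo_dir/pam-good"; then
    echo "good config: PKINIT pieces present"
fi
if check_pkinit_config "$demo_dir/krb5-bad.conf" "$demo_dir/pam-good"; then
    echo "bad config unexpectedly passed"
else
    echo "bad config: problems found (see above)"
fi
rm -rf "$demo_dir"
```

Run it with `sh audit-pkinit.sh`; point `check_pkinit_config` at the real `/etc/krb5.conf` and `/etc/pam.d/sshd` (or whichever PAM service applies) to audit a live host.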


