On 10/01/2019 19:55, Corey Minyard wrote:
On 1/10/19 11:00 AM, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On
Behalf Of Jordan Brown
Sent: Thursday, January 10, 2019 11:15
On 1/9/2019 6:54 PM, Corey Minyard wrote:
2. Set the userid in the certificate and use client authentication to
authenticate the user logging in. Set the username in the CN field
of the certificate so it can't be changed, extract that and set the
CA before verification. This is what I'm currently trying to do,
and I keep running into roadblocks.
Why do you think you need to set the CA?
Agreed. That's an odd requirement.
Thanks for the responses.
It is unusual, perhaps, but I'm trying to implement something like ssh
does. I can't expect users of ser2net to obtain certificates from a
real certificate authority, that's too high a barrier for entry. I
want them to be able to generate a key pair, put the public key on the
server in their account, and authenticate against that.
It's a balance of getting reasonable security that people will
actually use.
A simpler solution is to report "Any client CA accepted", then
compare the returned certificate fingerprint (strong hash of
DER-encoded end cert) against a user database, listing the
user name for each cert.
Validation then only checks if the certificate is revoked or
technically invalid (expired, claims to be signed by a CA
that didn't, syntactically invalid, wrong Extended-Key-Usage
etc.). But signed by a completely unknown CA, or self-signed
is A-OK as long as the end cert is listed as belonging to that
user (similar to an SSH public key).
By the way, I do think ssh can be made to work by handing the
SSH library the actual serial port handles once the user has
been authenticated. Some SSH libraries may even be able to
do things like BREAK via standard SSH mechanisms.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
