[Freeipa-devel] OpenSSH with PKCS#11 for key storage

Petr Spacek pspacek at redhat.com
Wed Feb 19 20:30:12 UTC 2014


On 19.2.2014 21:13, Dmitri Pal wrote:
> On 02/19/2014 01:49 PM, Petr Spacek wrote:
>> Hello list,
>>
>> I just came across this page:
>> http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards
>>
>>
>> If I understand correctly, it allows you to store & use your personal SSH
>> keys via PKCS#11 interface.
>>
>> It sounds like a killer feature to me!
>>
>> Imagine that you can log in to any machine in the IPA realm and you will have
>> all your SSH keys with you, without any extra work.
>>
>> This extends seamless SSO outside the enterprise (we have Kerberos for
>> inside, this doesn't change that).
>>
>> Petr^2 Spacek
>>
>> P.S. It is natively supported in OpenSSH v5.4p1 - we have PKCS#11 support in
>> Fedora 20 already.
>
>
> What are the implications for SSSD and IPA? What needs to be changed if anything?

First of all, we need the PKCS#11 provider. We plan to write it for DNSSEC and 
CA rotation anyway, we just need to think about the different use case during 
the design phase.

The rest should 'just work'. (As usual, nobody knows beforehand where the dead 
dog is buried :-))

-- 
Petr^2 Spacek
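The workflow the linked gooze.eu page describes, shown here as an added shell example that is not part of this thread or of the FreeIPA project: locate the PKCS#11 provider module, list the public keys the token exposes, and load them into a running ssh-agent. The function names and the candidate module paths are assumptions (common OpenSC install locations); the OpenSSH pieces used (`ssh-add -s`/`-e`, `ssh-keygen -D`, `ssh -I`, the `PKCS11Provider` ssh_config keyword) have existed since OpenSSH 5.4.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes OpenSSH >= 5.4 and an
# OpenSC-style PKCS#11 module; the paths below are common install
# locations, not values taken from the mailing list.

# Print the first candidate module path that exists on this host; fail if none.
# Usage: find_pkcs11_module /path/a.so /path/b.so ...
find_pkcs11_module() {
    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Default search list (assumed locations for the OpenSC provider).
default_pkcs11_module() {
    find_pkcs11_module \
        /usr/lib64/opensc-pkcs11.so \
        /usr/lib64/pkcs11/opensc-pkcs11.so \
        /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
        /usr/lib/opensc-pkcs11.so
}

# Show the public keys the token offers, without touching the agent.
# Useful for checking which key will be presented before enrolling it in IPA.
list_token_keys() {
    ssh-keygen -D "$1"
}

# Load the token's keys into ssh-agent. The provider prompts for the PIN;
# the private key stays on the card and the agent only holds a handle to it.
agent_load_token() {
    ssh-add -s "$1"
}

# Remove the token's keys from the agent again (e.g. before unplugging the card).
agent_unload_token() {
    ssh-add -e "$1"
}

# ssh_config line that makes ssh use the provider directly, without an agent.
ssh_config_snippet() {
    printf 'PKCS11Provider %s\n' "$1"
}

# Run the full workflow only when invoked explicitly: `sh this.sh run`
if [ "${1-}" = "run" ]; then
    module=$(default_pkcs11_module) || { echo "no PKCS#11 module found" >&2; exit 1; }
    echo "using provider: $module"
    list_token_keys "$module"
    agent_load_token "$module"
    ssh-add -l
    echo "for agent-less use add to ~/.ssh/config:"
    ssh_config_snippet "$module"
fi
```

The module is a shared library loaded into the ssh-agent (or ssh) process, so only a provider installed from a trusted package should ever be passed to `ssh-add -s`; for a one-off connection `ssh -I /path/to/module host` uses the token without leaving anything in the agent.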