[Freeipa-devel] OpenSSH with PKCS#11 for key storage

Jan Cholasta jcholast at redhat.com
Thu Feb 20 08:35:25 UTC 2014


On 19.2.2014 23:01, Dmitri Pal wrote:
> On 02/19/2014 03:30 PM, Petr Spacek wrote:
>> On 19.2.2014 21:13, Dmitri Pal wrote:
>>> On 02/19/2014 01:49 PM, Petr Spacek wrote:
>>>> Hello list,
>>>>
>>>> I just came across this page:
>>>> http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards
>>>>
>>>> If I understand correctly, it allows you to store & use your
>>>> personal SSH keys via the PKCS#11 interface.
>>>>
>>>> It sounds like a killer feature to me!
>>>>
>>>> Imagine that you can log in to any machine in an IPA realm and you
>>>> will have all your SSH keys with you, without any extra work.
>>>>
>>>> This extends seamless SSO outside the enterprise (we have Kerberos for
>>>> inside, this doesn't change that).
>>>>
>>>> Petr^2 Spacek
>>>>
>>>> P.S. It is natively supported in OpenSSH v5.4p1 - we have PKCS#11
>>>> support in Fedora 20 already.
>>>
>>> What are the implications for SSSD and IPA? What needs to be changed
>>> if anything?
>>
>> First of all, we need the PKCS#11 provider. We plan to write it for
>> DNSSEC and CA rotation anyway; we just need to think about a different
>> use case during the design phase.
>>
>> The rest should 'just work'. (As usual, nobody knows beforehand where
>> the dead dog is buried :-))
>>
> Provider? You mean SSSD exposing data as a PKCS#11 provider? I
> understand it in the case when data comes from central server and needs
> to be passed to consumers via PKCS#11 interface but in this case data
> comes from a user and actually should not come from SSSD but rather a
> real smart card inserted by user. What am I missing?

Petr suggests we store users' private keys in IPA. I don't see any 
benefit in this, but it is doable with what we are planning for DNSSEC 
and CA rotation.

-- 
Jan Cholasta
