[Freeipa-devel] Short-lived VPN certificates

Fraser Tweedale ftweedal at redhat.com
Mon Apr 4 02:47:47 UTC 2016


On Tue, Mar 29, 2016 at 12:47:04PM +0200, Lubomir Rintel wrote:
> Hi,
> 
> I'm part of the Red Hat's NetworkManager crowd. We're aware that you've
> made some effort on making it easy to get a short-lived certificate for
> use with VPN (and EAP-TLS) [1].
> 
> [1] http://www.freeipa.org/page/User_certificate_use_cases#VPN_certificates
> 
> We're interested in this. I'm wondering if you could share your plans,
> what is the present functionality and at which point could we get
> involved to get this supported in NetworkManager?
> 
> Thanks,
> Lubo
>
Hi Lubo, thanks for getting in touch.

Cc Alexander who knows a lot more about the desktop integration
experience than me :)

The bits for issuing short-lived user certs (custom profiles) are
available in FreeIPA 4.2 / RHEL 7.2.  A further desirable
enhancement, the ability to issue these certs from a dedicated
sub-CA, is what I am currently working on.

The general outline of acquiring a short-lived cert for VPN
authentication is similar to the GSS-API authentication story (e.g.
see the blog post[1] about OpenConnect).

[1] https://securityblog.redhat.com/2015/06/17/single-sign-on-with-openconnect-vpn-server-over-freeipa/

In brief:

1. User acquires Kerberos TGT via MS-KKDCP (Kerberos over public
   HTTP proxy)
2. User uses Kerberos ticket to acquire short-lived certificate via
   `ipa cert-request' command, selecting the appropriate profile for
   VPN authentication.
3. Certificate is used for VPN authentication.

So the start of the process is the same as the GSS-API use case, but
after acquiring the TGT it is used to get a cert for VPN auth
instead of a service ticket for same purpose.  Since Kerberos is a
necessary part of the exchange I do not think that certificate
authentication in this scenario gives any advantage over GSS-API
(but it is more work and more complex, for sure!)  Am I correct in
believing that NetworkManager already has support for GSS-API VPN
authentication with TGT acquired over MS-KKDCP?

The other (more important IMO) VPN certificate authentication
scenario is smart card authentication, where a (longer-lived)
certificate on a smart card is used to authenticate to a VPN.  Does
NetworkManager support this already?

Cheers,
Fraser
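The three-step outline in Fraser's reply, as an added example that is not part of the thread or of FreeIPA's own tooling: a shell script that points krb5.conf at FreeIPA's KDC proxy (MS-KKDCP) so a TGT can be fetched before the VPN is up, requests a certificate under a VPN profile with `ipa cert-request`, and checks how long the issued certificate is valid. The realm, host, user, profile name and file names are assumed placeholders; `--certificate-out` is assumed to be available in the installed `ipa` client, and `date -d` assumes GNU date.

```shell
#!/bin/sh
# Added example (not from the thread): acquire a short-lived VPN cert the
# way the reply outlines. Realm, host, user and profile are assumptions.
set -eu

REALM="EXAMPLE.COM"                 # assumed Kerberos realm
IPA_HOST="ipa.example.com"          # assumed FreeIPA server
USER_PRINC="alice@${REALM}"         # assumed user principal
PROFILE="vpnUserCert"               # assumed name of a short-lived profile

# Step 1 prerequisite: a krb5.conf realm stanza that sends KDC traffic over
# HTTPS to FreeIPA's KDC proxy (MS-KKDCP), reachable from outside the network.
kkdcp_krb5_conf() {
    realm="$1"; host="$2"
    printf '[realms]\n  %s = {\n    kdc = https://%s/KdcProxy\n    kpasswd_server = https://%s/KdcProxy\n  }\n' \
        "$realm" "$host" "$host"
}

# Step 2: generate a key and CSR, then ask FreeIPA to issue a certificate
# under the VPN profile using the Kerberos ticket obtained in step 1.
request_vpn_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout vpn.key -out vpn.csr -subj "/CN=${USER_PRINC%@*}"
    ipa cert-request vpn.csr --principal="$USER_PRINC" \
        --profile-id="$PROFILE" --certificate-out=vpn.crt
}

# Sanity check before handing the cert to the VPN client: a short-lived
# profile should yield a validity of hours or days, not years.
cert_lifetime_days() {
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ( $(date -d "$end" +%s) - $(date -d "$start" +%s) ) / 86400 ))
}

main() {
    KRB5_CONFIG="$(mktemp)"; export KRB5_CONFIG
    kkdcp_krb5_conf "$REALM" "$IPA_HOST" > "$KRB5_CONFIG"
    kinit "$USER_PRINC"                  # step 1: TGT via the KDC proxy
    request_vpn_cert                     # step 2: cert via ipa cert-request
    echo "certificate valid for $(cert_lifetime_days vpn.crt) day(s)"
    # step 3: point the VPN client (e.g. openconnect) at vpn.crt and vpn.key
}

# The end-to-end flow needs a real FreeIPA server; opt in explicitly.
if [ "${RUN_VPN_FLOW:-0}" = 1 ]; then main; fi
```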
