[Freeipa-users] U2F and ipa for ssh

Alexander Bokovoy abokovoy at redhat.com
Fri Apr 21 06:49:43 UTC 2017


On Fri, 21 Apr 2017, Fraser Tweedale wrote:
>On Thu, Apr 20, 2017 at 08:04:34AM -0400, Marc Boorshtein wrote:
>> Has anyone looked into using U2F with freeipa? My guess is you would need
>> a customized ssh client to interact with the device but in theory you could
>> just transform the user's U2F public key into an ssh key.
>>
>> Marc Boorshtein
>> CTO, Tremolo Security, Inc.
>
>Hi Marc,
>
>We have had preliminary discussion about U2F.
>
>As you suggest, U2F requires client support.  U2F does not provide a
>general signing operation (it only signs a specific kind of
>message[1]) so some server support is probably required as well.
>
>[1] https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success
>
>That said, a lot of U2F devices have additional / alternative modes
>with PKCS #11 interfaces, e.g. PIV, allowing them to be used as
>generic crypto tokens.
I've looked at YubiKey's U2F PAM module and, as with many others, it is
a module to check against a local source. We need to spend some time
doing actual design to see what can be stored centrally and how mapping
to login as other users can be done, but it would be nice to have this
integrated, yes.
-- 
/ Alexander Bokovoy