[Libvir] [PATCH] Remote 3/8: Client-side

Richard W.M. Jones rjones at redhat.com
Mon May 14 09:01:33 UTC 2007


Mark McLoughlin wrote:
>> Note that libvirtd _doesn't_ quite support this sort of access because 
>> it doesn't support wildcards in the commonNames in the client 
>> certificates, but that would be a useful and simple addition.
> 
> 	I don't grok this ... why would you want a wildcard in the subjectName
> of a client certificate?
> 
> 	Or do you mean allowing wildcards in the access control list of client
> subjectNames?

At the moment: The server reliably knows only the IP address of the client.

It is given a certificate by the client, which it checks for validity 
against the CA.  It also checks the subjectAltName.iPAddress or 
commonName field is the IP address (just using strcmp).

It may also check that the client's IP address is on a whitelist 
contained in the server configuration file, although by default this 
check is switched off.

So you can set up a CA and issue certificates to your clients to control 
access, but the certificates must contain the right IP address for the 
client (the client cannot be mobile in other words).

This weekend I was coincidentally looking at how client certification 
works in browsers, and there authentication is based on all fields in 
the Distinguished Name.  So you can use any CA, and an access control 
list of clients held on the server.  See for example:

http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular

I'm not sure what is better and I don't plan on implementing this right 
away.  I think we need to talk to some real world users.

Rich.

-- 
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.  Registered in
England and Wales under Company Registration No. 03798903
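The two authorisation models contrasted in the mail, as an added Python example that is not libvirt's or mod_ssl's own code: peer_ip_matches() is the libvirtd-style check (subjectAltName iPAddress or commonName must equal the client's IP), and dn_in_acl() is the mod_ssl-style alternative of matching the whole Distinguished Name against a server-side access list, here with the wildcard ACL entries the thread discusses. The certificate dicts follow the shape of Python's ssl getpeercert() and, together with the ACL format, are constructed assumptions.

```python
# Two ways to authorise a TLS client certificate, using the dict shape that
# Python's ssl.SSLSocket.getpeercert() returns. Sample certs are constructed.
from fnmatch import fnmatchcase
import ipaddress

def _subject_dict(cert):
    """Flatten getpeercert()['subject'] (tuple of RDN tuples) to {attr: value}."""
    return {attr: value for rdn in cert.get("subject", ()) for attr, value in rdn}

def peer_ip_matches(cert, peer_ip):
    """libvirtd-style check from the mail: a subjectAltName iPAddress or the
    commonName must equal the connecting client's IP. Addresses are parsed
    rather than strcmp'd, so '::1' and '0:0:0:0:0:0:0:1' compare equal."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    candidates = [v for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"]
    cn = _subject_dict(cert).get("commonName")
    if cn:
        candidates.append(cn)
    for cand in candidates:
        try:
            if ipaddress.ip_address(cand) == peer:
                return True
        except ValueError:
            continue  # a hostname CN can never satisfy an IP match
    return False

def dn_in_acl(cert, acl):
    """mod_ssl-style alternative: the DN must satisfy at least one ACL entry.
    An entry maps attribute -> pattern; every attribute listed must be present
    in the DN and match the pattern (fnmatch wildcards, case-sensitive)."""
    subject = _subject_dict(cert)
    return any(all(attr in subject and fnmatchcase(subject[attr], pat)
                   for attr, pat in entry.items()) for entry in acl)

# Constructed samples: one cert pinned to an IP, one for a mobile client.
FIXED_IP_CERT = {
    "subject": ((("organizationName", "Example Ltd"),), (("commonName", "10.0.0.5"),)),
    "subjectAltName": (("IP Address", "10.0.0.5"),),
}
MOBILE_CERT = {
    "subject": ((("organizationName", "Example Ltd"),),
                (("organizationalUnitName", "ops"),), (("commonName", "alice.laptop"),)),
}
ACL = [{"organizationName": "Example Ltd", "organizationalUnitName": "ops",
        "commonName": "*.laptop"}]
```

Note that the mobile client's certificate fails the IP-pinned check entirely, while the DN list admits it without caring which address it connects from.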