[Pki-devel] Questions regarding addition of our own Cockpit module
Fraser Tweedale
ftweedal at redhat.com
Thu Jun 4 02:57:49 UTC 2020
On Wed, Jun 03, 2020 at 08:17:39PM -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> Hello team,
>
> I’m part of Dogtag PKI open-source project [1]. Our team strives to provide
> enterprise-class open-source Public Key Infrastructure (PKI) [2].
>
> Dogtag PKI server is a Java web application running on Tomcat. Currently,
> we have a stand-alone Java AWT client tool called pkiconsole to access PKI
> services on the server. PKI users are authenticated using client
> certificates stored in LDAP. These users only exist in LDAP, they are not
> users on the host itself.
>
> We are trying to convert pkiconsole into a web application. We had a chance
> to look at Cockpit from a very high-level and have some questions. I’m
> reaching out to the members of the Cockpit team, before we could make a
> concrete decision on whether Cockpit is a perfect choice for us.
>
> The questions are:
>
> 1. According to [3] Cockpit seems to require the host to join the IdM
> domain in order to authenticate PKI users into Cockpit using client cert
> auth. Is it possible to use client cert auth without joining a domain? Will
> that require major changes in Cockpit?
>
At a glance at the linked doc, it looks like Cockpit is using
mod_lookup_identity certmap capability or something similar for user
cert authn. Therefore to work directly for Dogtag users I think it
is more than just configuration; something would need to be built.
> 2. Suppose the user has been authenticated into Cockpit using a client cert
> as described in #1, is it possible for Cockpit to use the same client
> certificate auth to access PKI server? Or do we need to use a different
> auth mechanism?
>
How would this even work? Cockpit does not have the user's private
key.
Or Cockpit would need a highly privileged agent credential and
access control around its use. Danger! We had quite a few CVEs in
FreeIPA because of this kind of privilege separation violation.
Or some new mechanism like a signed "endorsement" from Cockpit that
user "alice" requests to do operation X, with ACL enforcement
staying in Dogtag (where it belongs).
Anything is possible, but only some approaches are secure. I like
the idea of Cockpit using a proxy credential. But the only
mechanism we have for that is GSS-API/Kerberos, which takes us full
circle back to the requirement for a full-fledged IDM environment.
Cheers,
Fraser
> Regards,
> The PKI Team
>
> [1] https://github.com/dogtagpki/pki
>
> [2] https://www.dogtagpki.org/wiki/PKI_Main_Page
>
> [3] https://cockpit-project.org/guide/latest/cert-authentication
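The signed "endorsement" design sketched in the reply above, worked through as an added example (this is not code from Dogtag, Cockpit, or this thread): Cockpit signs a short-lived statement with its own Ed25519 key saying that its authenticated user asked for an operation, and Dogtag verifies that signature and then applies its own ACL, so the user's private key never has to leave the user and no highly privileged agent credential is needed. The Endorsement format, the acl table and the operation names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)
// Endorsement is what Cockpit asserts to Dogtag: its authenticated user asked
// to perform Op. Hypothetical format, not a real Cockpit or Dogtag message.
type Endorsement struct {
	User    string `json:"user"`
	Op      string `json:"op"`
	Expires int64  `json:"exp"` // unix seconds; bounds replay of a captured endorsement
}

// Sign is Cockpit's side: it vouches with its own key, not the user's private key.
func Sign(priv ed25519.PrivateKey, e Endorsement) (msg, sig []byte) {
	msg, _ = json.Marshal(e) // cannot fail for this plain string/int struct
	return msg, ed25519.Sign(priv, msg)
}
// acl is Dogtag's own policy (constructed sample); it lives on the PKI server.
var acl = map[string]map[string]bool{"alice": {"cert.request": true}}

// Authorize is Dogtag's side: verify the endorsement came from the trusted
// Cockpit key and is unexpired, then apply Dogtag's own ACL to the named user.
func Authorize(cockpitPub ed25519.PublicKey, msg, sig []byte, now time.Time) error {
	if !ed25519.Verify(cockpitPub, msg, sig) {
		return errors.New("endorsement not signed by trusted Cockpit key")
	}
	var e Endorsement
	if err := json.Unmarshal(msg, &e); err != nil {
		return err
	}
	if now.Unix() > e.Expires {
		return errors.New("endorsement expired")
	}
	if !acl[e.User][e.Op] { // ACL enforcement stays in Dogtag, not in Cockpit
		return fmt.Errorf("dogtag ACL denies %s for %s", e.Op, e.User)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	msg, sig := Sign(priv, Endorsement{"alice", "cert.request", time.Now().Add(time.Minute).Unix()})
	fmt.Println("authorize:", Authorize(pub, msg, sig, time.Now())) // prints "authorize: <nil>"
}
```

A real deployment would also need a nonce or request identifier so a captured endorsement cannot be replayed within its lifetime, and Dogtag would pin Cockpit's public key out of band.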