[Pki-devel] Questions regarding addition of our own Cockpit module

Fraser Tweedale ftweedal at redhat.com
Thu Jun 4 02:57:49 UTC 2020


On Wed, Jun 03, 2020 at 08:17:39PM -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> Hello team,
> 
> I’m part of Dogtag PKI open-source project [1]. Our team strives to provide
> enterprise-class open-source Public Key Infrastructure (PKI) [2].
> 
> Dogtag PKI server is a Java web application running on Tomcat. Currently,
> we have a stand-alone Java AWT client tool called pkiconsole to access PKI
> services on the server. PKI users are authenticated using client
> certificates stored in LDAP. These users only exist in LDAP, they are not
> users on the host itself.
> 
> We are trying to convert pkiconsole into a web application. We had a chance
> to look at Cockpit from a very high-level and have some questions. I’m
> reaching out to the members of the Cockpit team, before we could make a
> concrete decision on whether Cockpit is a perfect choice for us.
> 
> The questions are:
> 
> 1. According to [3] Cockpit seems to require the host to join the IdM
> domain in order to authenticate PKI users into Cockpit using client cert
> auth. Is it possible to use client cert auth without joining a domain? Will
> that require major changes in Cockpit?
> 
At a glance at the linked doc, it looks like Cockpit is using
mod_lookup_identity certmap capability or something similar for user
cert authn.  Therefore to work directly for Dogtag users I think it
is more than just configuration; something would need to be built.

> 2. Suppose the user has been authenticated into Cockpit using a client cert
> as described in #1, is it possible for Cockpit to use the same client
> certificate auth to access PKI server? Or do we need to use a different
> auth mechanism?
> 

How would this even work?  Cockpit does not have the user's private
key.

Or Cockpit would need a highly privileged agent credential and
access control around its use.  Danger!  We had quite a few CVEs in
FreeIPA because of this kind of privilege separation violation.

Or some new mechanism like a signed "endorsement" from Cockpit that
user "alice" requests to do operation X, with ACL enforcement
staying in Dogtag (where it belongs).

Anything is possible, but only some approaches are secure.  I like
the idea of Cockpit using a proxy credential.  But the only
mechanism we have for that is GSS-API/Kerberos, which takes us full
circle back to the requirement for a full-fledged IdM environment.

Cheers,
Fraser

> Regards,
> The PKI Team
> 
> [1] https://github.com/dogtagpki/pki
> 
> [2] https://www.dogtagpki.org/wiki/PKI_Main_Page
> 
> [3] https://cockpit-project.org/guide/latest/cert-authentication
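The signed "endorsement" option sketched in the reply above, as an added example (this is illustration code, not Cockpit or Dogtag code): a front end that has already authenticated the user issues a short-lived, single-use endorsement bound to one user, operation and resource; the PKI server verifies it and then applies its own ACL. The token layout, the HMAC key, the ACL contents and all names are assumptions made for the illustration. HMAC is used to keep the example standard-library only; a deployment would sign the endorsement with an asymmetric key so the verifier holds no capability to mint endorsements itself.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed for this example: a shared MAC key between the front end
# ("endorser") and the PKI server. Not a real Cockpit or Dogtag interface.
ENDORSER_KEY = b"example-endorser-key-not-for-production"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def issue_endorsement(key, user, operation, resource, ttl=30, now=None):
    """Front end side: attest only that `user` asked for `operation` on
    `resource`. Bound to one request, short-lived, single-use (nonce).
    The endorser asserts nothing about whether the user is allowed to."""
    now = int(time.time() if now is None else now)
    claims = {"user": user, "op": operation, "res": resource,
              "iat": now, "exp": now + ttl, "nonce": _b64(os.urandom(16))}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(_mac(key, body))


class PkiServer:
    """Relying party. Holds the ACL and the replay cache: the authorization
    decision is made here, never on the front end."""

    def __init__(self, key, acl):
        self.key = key
        self.acl = acl          # {user: {(operation, resource), ...}}
        self.seen_nonces = set()

    def authorize(self, token, operation, resource, now=None):
        """Return (allowed, reason_or_user) for an endorsed request."""
        now = time.time() if now is None else now
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except (ValueError, TypeError):
            return (False, "malformed")
        # 1. origin/integrity: only the endorser key produces a valid tag
        if not hmac.compare_digest(_mac(self.key, body), tag):
            return (False, "bad signature")
        claims = json.loads(body)
        # 2. freshness
        if claims["exp"] < now:
            return (False, "expired")
        # 3. binding: the endorsement must name exactly this request
        if (claims["op"], claims["res"]) != (operation, resource):
            return (False, "endorsement is for a different request")
        # 4. single use
        if claims["nonce"] in self.seen_nonces:
            return (False, "replay")
        self.seen_nonces.add(claims["nonce"])
        # 5. the ACL lives here, not in the front end
        if (operation, resource) not in self.acl.get(claims["user"], set()):
            return (False, f"{claims['user']} not permitted")
        return (True, claims["user"])


def demo():
    """Walk through the cases a reviewer would want to see. Fixed clocks
    keep the run deterministic. ACL contents are constructed."""
    acl = {"alice": {("cert:revoke", "serial:0x1a")}, "bob": set()}
    server = PkiServer(ENDORSER_KEY, acl)
    op, res = "cert:revoke", "serial:0x1a"
    out = {}

    t_alice = issue_endorsement(ENDORSER_KEY, "alice", op, res, now=1000)
    out["alice_ok"] = server.authorize(t_alice, op, res, now=1010)
    out["replay"] = server.authorize(t_alice, op, res, now=1011)

    t_other = issue_endorsement(ENDORSER_KEY, "alice", op, res, now=1000)
    out["wrong_op"] = server.authorize(t_other, "cert:issue", res, now=1010)

    t_old = issue_endorsement(ENDORSER_KEY, "alice", op, res, ttl=30, now=1000)
    out["expired"] = server.authorize(t_old, op, res, now=2000)

    t_bob = issue_endorsement(ENDORSER_KEY, "bob", op, res, now=1000)
    out["bob_denied"] = server.authorize(t_bob, op, res, now=1010)

    # An interceptor without the key rewrites bob's token to name alice.
    body_b64, tag_b64 = t_bob.split(".")
    forged = json.loads(_unb64(body_b64))
    forged["user"] = "alice"
    forged_body = json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()
    out["tampered"] = server.authorize(_b64(forged_body) + "." + tag_b64, op, res, now=1010)
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:11s} -> {verdict}")
```

The point of the shape is the one made in the reply: the front end never holds anything that lets it perform the operation itself, only the ability to say "this user asked for this", and a leaked endorsement is useless for any other user, operation, resource or time. Whether alice may actually revoke that certificate is still decided by the ACL on the PKI side.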
