On Wed, 06 Sep 2017, Kevin Fenzi wrote:
On 09/06/2017 10:05 AM, Simo Sorce wrote:
On Wed, 2017-09-06 at 09:51 -0700, Kevin Fenzi wrote:

So, they are all tied together via ipsilon (except ssh keys, and wiki
login).

Once we have a concrete plan for ssh we will be happy to share it.

Would you consider allowing SSH+GSSAPI as well?
This way I do not need to care for keys ...

That's a possibility. I think there was some reason we didn't like that
path, but Patrick would be the one to ask.

I'm not on the receiving end of the Fedora Infra team, but as someone who
was involved in the Kerberos deployment discussions, including development
of the FreeIPA features that Fedora Infra uses, I can add a few details.

One concern we had in those discussions is that we still allow plain
Kerberos authentication (port 88). This means that, in the absence of a
working SPAKE exchange, there is still a potential for hijacking the
initial ticket issuance. We closed this down with the introduction of an
MS-KKDCP compatible Kerberos proxy, which is effectively HTTPS-enforced
tunnelling, on newer Fedora and RHEL 7.x versions. However, to enable
Kerberos for SSH logins it would be good to make sure we always use a
secure method. A SPAKE exchange in Kerberos would give us that even for
plain Kerberos.

Another part of the story is that with FreeIPA 4.5 we now have PKINIT
support as well. E.g. one can associate a certificate with a user and
obtain Kerberos tickets based on the use of a smartcard. This is not
something Fedora Infra people are keen to use right now, primarily due
to the management issues that certificate handling involved in the past,
but this option is here.

Doing PKINIT in Kerberos enables another possibility: authentication
indicators can be associated with particular Fedora hosts to allow
Kerberos login to them only if your Kerberos ticket was obtained using
a stronger authentication method, like smartcards or one-time tokens
(2FA). For a 2FA-based setup we needed the so-called Anonymous PKINIT
feature to enable a smooth way to get 2FA-based Kerberos tickets for
users on non-enrolled machines (i.e. all Fedora contributors, because our
laptops/home machines aren't enrolled into the FreeIPA realm
FEDORAPROJECT.ORG).

These options are available now, but we haven't discussed their use in
the Fedora Infra context since deploying Kerberos. They also involve a
change on the user's side, at least workflow-wise, to obtain more strongly
authenticated Kerberos tickets (although, with Anonymous PKINIT, it is
just one more kinit before the actual one). The latter can be seen as an
obstacle by more users than one would expect.


--
/ Alexander Bokovoy
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
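The "one more kinit before the actual one" workflow from the message above, as an added example that is not part of the original thread and not Fedora Infra's own tooling. It shows the two kinit invocations a user on a non-enrolled laptop needs: an Anonymous PKINIT kinit into a separate credential cache, which then serves as the FAST armor for the real, OTP-prompting kinit. The CA bundle path, the environment variable names and the cache location are assumptions; the realm name is the one the message mentions. The script also emits the krb5.conf realm stanza the client needs, because `kinit -n` refuses the anonymous exchange unless it can validate the KDC's PKINIT certificate via `pkinit_anchors`.

```shell
#!/bin/sh
# Added example: obtain a 2FA (OTP) Kerberos ticket from a machine that is
# not enrolled in the FreeIPA realm, using Anonymous PKINIT as FAST armor.
#
# Assumptions (not from the thread): the realm CA cert lives at $CA_BUNDLE,
# REALM/ARMOR_CACHE may be overridden from the environment, DRY_RUN=1 only
# prints the commands instead of executing them.

REALM="${REALM:-FEDORAPROJECT.ORG}"
CA_BUNDLE="${CA_BUNDLE:-$HOME/.config/fedora-ca.crt}"      # hypothetical path
ARMOR_CACHE="${ARMOR_CACHE:-/tmp/krb5cc_armor_$$}"

# krb5.conf stanza: without pkinit_anchors the client cannot verify the KDC's
# PKINIT certificate and `kinit -n` fails. Arguments: realm, CA file path.
krb5_realm_stanza() {
  printf '[realms]\n  %s = {\n    pkinit_anchors = FILE:%s\n  }\n' "$1" "$2"
}

# Step 1: anonymous PKINIT (-n) into its own cache (-c). The resulting
# WELLKNOWN/ANONYMOUS ticket is only ever used as FAST armor.
# Arguments: realm, armor cache path.
armor_cmd() {
  printf 'kinit -n -c %s @%s' "$2" "$1"
}

# Step 2: the real kinit, FAST-armored (-T) with the cache from step 1, so the
# password and OTP value travel inside the encrypted FAST tunnel; kinit will
# prompt for both. Arguments: realm, user, armor cache path.
otp_cmd() {
  printf 'kinit -T %s %s@%s' "$3" "$2" "$1"
}

# Step 1 sanity check: the armor cache must really hold the anonymous principal.
armor_ok() {
  klist -c "$1" 2>/dev/null | grep -q 'WELLKNOWN/ANONYMOUS'
}

run() {
  if [ -n "$DRY_RUN" ]; then echo "+ $*"; else eval "$*"; fi
}

# Full workflow for one user; returns non-zero on the first failing step.
two_step_kinit() {
  user="$1"
  [ -n "$user" ] || { echo "usage: two_step_kinit <user>" >&2; return 2; }
  [ -r "$CA_BUNDLE" ] || { echo "missing CA bundle: $CA_BUNDLE" >&2; return 1; }
  run "$(armor_cmd "$REALM" "$ARMOR_CACHE")" || return 1
  if [ -z "$DRY_RUN" ]; then
    armor_ok "$ARMOR_CACHE" || { echo "armor cache is not anonymous" >&2; return 1; }
  fi
  run "$(otp_cmd "$REALM" "$user" "$ARMOR_CACHE")"
  rc=$?
  # The armor ticket has done its job; do not leave it lying around.
  [ -n "$DRY_RUN" ] || kdestroy -c "$ARMOR_CACHE" 2>/dev/null
  return $rc
}

# Direct use: ./two-step-kinit.sh alice   (prints the stanza, then runs both kinits)
if [ -n "$1" ]; then
  krb5_realm_stanza "$REALM" "$CA_BUNDLE"
  two_step_kinit "$1"
fi
```

On the server side, the matching enforcement from the message (login to a host only with a 2FA-obtained ticket) is configured per host or service principal; in FreeIPA that is the `--auth-ind=otp` option of `ipa host-mod` / `ipa service-mod`, after which a TGS request for that host's principal fails when the TGT carries no `otp` indicator. Which hosts get that treatment is, as the message says, an unresolved policy question for Fedora Infra, not something this script decides.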