On 02/19/2014 11:01 PM, Dmitri Pal wrote:
> On 02/19/2014 03:30 PM, Petr Spacek wrote:
>> On 19.2.2014 21:13, Dmitri Pal wrote:
>>> On 02/19/2014 01:49 PM, Petr Spacek wrote:
>>>> Hello list,
>>>> I just came across this page:
>>>> http://www.gooze.eu/howto/using-openssh-with-smartcards/using-ssh-authentication-agent-ssh-add-with-smartcards
>>>> If I understand correctly, it allows you to store & use your personal SSH
>>>> keys via PKCS#11 interface.
>>>> It sounds like a killer feature to me!
>>>> Imagine that you can log-in to any machine in IPA realm and you will have
>>>> all your SSH keys with you, without any extra work.
>>>> This extends seamless SSO outside the enterprise (we have Kerberos for
>>>> inside, this doesn't change that).
>>>> Petr^2 Spacek
>>>> P.S. It is natively supported in OpenSSH v5.4p1 - we have PKCS#11 support 
>>>> in
>>>> Fedora 20 already.
>>> What are the implications for SSSD and IPA? What needs to be changed if
>>> anything?
>> First of all, we need the PKCS#11 provider. We plan to write it for DNSSEC
>> and CA rotation anyway, we just need to think about different use case during
>> design phase.
>> The rest should 'just work'. (As usual, nobody knows beforehand where the
>> dead dog is buried :-))
> Provider? You mean SSSD exposing data as a PKCS#11 provider? I understand it 
> in
> the case when data comes from central server and needs to be passed to
> consumers via PKCS#11 interface but in this case data comes from a user and
> actually should not come from SSSD but rather a real smart card inserted by
> user. What am I missing?

I am also not following. We already have a support for storing public SSH keys
for users which is then fed to sshd via sss_ssh_authorizedkeys. What you
described seems rather as a different means of giving my SSH private keys to
ssh client - they do not live in ~/.ssh/ but rather on a Smart Card. So IIUC,
this should work out of the box with FreeIPA.


Freeipa-devel mailing list

Reply via email to