On Thu, 21 Apr 2017, Fraser Tweedale wrote:
On Thu, Apr 20, 2017 at 08:04:34AM -0400, Marc Boorshtein wrote:
Has anyone looked into using U2F with FreeIPA?  My guess is you would need
a customized ssh client to interact with the device, but in theory you could
just transform the user's U2F public key into an ssh key.

Marc Boorshtein
CTO, Tremolo Security, Inc.

Hi Marc,

We have had preliminary discussion about U2F.

As you suggest, U2F requires client support.  U2F does not provide a
general signing operation (it only signs a specific kind of
message[1]) so some server support is probably required as well.

[1] https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success

That said, a lot of U2F devices have additional / alternative modes
with PKCS #11 interfaces, e.g. PIV, allowing them to be used as
generic crypto tokens.
I've looked at YubiKey's U2F PAM module and, as with many others, it is
a module to check against a local source. We need to spend some time
doing actual design to see what can be stored centrally and how mapping
to login as other users can be done, but it would be nice to have this
integrated, yes.
--
/ Alexander Bokovoy
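As an added illustration, not part of this thread or of FreeIPA, of Fraser's point that a U2F token only signs one fixed message format: the Python below parses a U2F v1.1 authentication response (success case) and rebuilds the exact bytes the token signed, plus the server-side counter check a relying party should apply. The app ID, client data and response bytes are constructed samples and the signature is a DER-shaped placeholder, not a real ECDSA signature.

```python
import hashlib
import struct


def parse_auth_response(resp: bytes) -> dict:
    """Split a raw U2F authentication response (success case) into its fields.
    Layout per the spec: user presence (1 byte) || counter (4 bytes, big-endian)
    || ECDSA signature (DER-encoded)."""
    if len(resp) < 5:
        raise ValueError("response too short")
    user_presence = resp[0]
    (counter,) = struct.unpack(">I", resp[1:5])
    signature = resp[5:]
    # Cheap structural check on the DER: SEQUENCE tag and a length matching the remainder.
    if len(signature) < 2 or signature[0] != 0x30 or signature[1] != len(signature) - 2:
        raise ValueError("signature is not a well-formed DER SEQUENCE")
    return {"user_presence": user_presence, "counter": counter, "signature": signature}


def signed_data(app_id: str, client_data: bytes, user_presence: int, counter: int) -> bytes:
    """Rebuild the 69-byte string the token signed:
    SHA-256(appId) || user presence || counter || SHA-256(clientData).
    This is the only thing a U2F token will ever sign, which is why it cannot
    serve as a general-purpose signing key (e.g. for an SSH challenge)."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    chal_param = hashlib.sha256(client_data).digest()
    return app_param + bytes([user_presence]) + struct.pack(">I", counter) + chal_param


def counter_is_fresh(last_seen: int, reported: int) -> bool:
    """Server-side replay/clone check: the reported counter must strictly increase."""
    return reported > last_seen


# Constructed sample (not captured from a real token); the signature bytes are a
# DER-shaped placeholder, so only the message layout is meaningful here.
SAMPLE_APP_ID = "https://ipa.example.test"  # hypothetical relying-party origin
SAMPLE_CLIENT_DATA = b'{"typ":"navigator.id.getAssertion","challenge":"abc"}'
SAMPLE_RESPONSE = b"\x01" + struct.pack(">I", 42) + b"\x30\x06\x02\x01\x01\x02\x01\x02"

if __name__ == "__main__":
    fields = parse_auth_response(SAMPLE_RESPONSE)
    tbs = signed_data(SAMPLE_APP_ID, SAMPLE_CLIENT_DATA, fields["user_presence"], fields["counter"])
    print(f"user_presence={fields['user_presence']} counter={fields['counter']} "
          f"signed_len={len(tbs)} fresh={counter_is_fresh(41, fields['counter'])}")
```

A real verifier would check `fields["signature"]` over `signed_data(...)` with the public key stored at registration; that step needs an ECDSA library and is left out here.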

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
