On Wed, Jun 03, 2020 at 08:17:39PM -0400, Dinesh Prasanth Moluguwan Krishnamoorthy wrote:
> Hello team,
>
> I’m part of the Dogtag PKI open-source project [1]. Our team strives to provide
> enterprise-class open-source Public Key Infrastructure (PKI) [2].
>
> Dogtag PKI server is a Java web application running on Tomcat. Currently,
> we have a stand-alone Java AWT client tool called pkiconsole to access PKI
> services on the server. PKI users are authenticated using client
> certificates stored in LDAP. These users only exist in LDAP; they are not
> users on the host itself.
>
> We are trying to convert pkiconsole into a web application. We had a chance
> to look at Cockpit from a very high level and have some questions. I’m
> reaching out to the members of the Cockpit team before we make a
> concrete decision on whether Cockpit is the right choice for us.
>
> The questions are:
>
> 1. According to [3], Cockpit seems to require the host to join the IdM
> domain in order to authenticate PKI users into Cockpit using client cert
> auth. Is it possible to use client cert auth without joining a domain? Will
> that require major changes in Cockpit?
>

At a glance at the linked doc, it looks like Cockpit is using the mod_lookup_identity certmap capability or something similar for user cert authn. Therefore, to work directly for Dogtag users I think it is more than just configuration; something would need to be built.
> 2. Suppose the user has been authenticated into Cockpit using a client cert
> as described in #1. Is it possible for Cockpit to use the same client
> certificate auth to access the PKI server? Or do we need to use a different
> auth mechanism?
>

How would this even work? Cockpit does not have the user's private key.

Or Cockpit would need a highly privileged agent credential and access control around its use. Danger! We had quite a few CVEs in FreeIPA because of this kind of privilege separation violation.

Or some new mechanism like a signed "endorsement" from Cockpit that user "alice" requests to do operation X, with ACL enforcement staying in Dogtag (where it belongs).

Anything is possible, but only some approaches are secure.

I like the idea of Cockpit using a proxy credential. But the only mechanism we have for that is GSS-API/Kerberos, which takes us full circle back to the requirement for a full-fledged IdM environment.

Cheers,
Fraser

> Regards,
> The PKI Team
>
> [1] https://github.com/dogtagpki/pki
>
> [2] https://www.dogtagpki.org/wiki/PKI_Main_Page
>
> [3] https://cockpit-project.org/guide/latest/cert-authentication
> _______________________________________________
> Pki-devel mailing list
> Pki-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
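The signed "endorsement" split that Fraser sketches (Cockpit attests only that an authenticated user asked for an operation; Dogtag verifies the attestation and applies its own ACL), as an added illustration that is not code from Dogtag, Cockpit or this thread. It assumes a constructed HMAC shared key, a hypothetical Dogtag-side ACL table, and a 60-second freshness window; a real design would use an asymmetric signature so the PKI server holds only a verification key.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by both sides (assumption: a real deployment would
# give Cockpit a signing key and Dogtag only the matching verification key).
ENDORSEMENT_KEY = b"constructed-demo-key-not-for-production"
ENDORSEMENT_TTL = 60  # seconds an endorsement stays valid

# Hypothetical ACL: it lives on the Dogtag side, so Cockpit never decides authorization.
DOGTAG_ACL = {"alice": {"list-certs", "submit-request"}, "bob": {"list-certs"}}


def issue_endorsement(user, operation, key=ENDORSEMENT_KEY, now=None):
    """Cockpit side: after client-cert authentication, attest that `user` requested
    `operation`. The endorsement carries no PKI privilege of its own."""
    claims = {"sub": user, "op": operation,
              "iat": int(now if now is not None else time.time()),
              "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, sig


def verify_endorsement(payload, sig, key=ENDORSEMENT_KEY, now=None, seen_nonces=None):
    """Dogtag side: check authenticity and freshness, reject replays, then enforce
    Dogtag's own ACL. Returns (allowed, reason)."""
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    claims = json.loads(payload)
    now = int(now if now is not None else time.time())
    if not (now - ENDORSEMENT_TTL <= claims["iat"] <= now + 5):
        return False, "stale endorsement"
    if seen_nonces is not None:
        if claims["nonce"] in seen_nonces:
            return False, "replayed endorsement"
        seen_nonces.add(claims["nonce"])
    if claims["op"] not in DOGTAG_ACL.get(claims["sub"], set()):
        return False, "denied by Dogtag ACL"
    return True, "allowed"
```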