[Freeipa-users] U2F and ipa for ssh
Marc Boorshtein
2017-04-20 12:04:34 UTC
Has anyone looked into using U2F with freeipa? My guess is you would need
a customized ssh client to interact with the device but in theory you could
just transform the user's U2F public key into an ssh key.

Marc Boorshtein
CTO, Tremolo Security, Inc.
Fraser Tweedale
2017-04-21 01:26:10 UTC
Post by Marc Boorshtein
Has anyone looked into using U2F with freeipa? My guess is you would need
a customized ssh client to interact with the device but in theory you could
just transform the user's U2F public key into an ssh key.
Marc Boorshtein
CTO, Tremolo Security, Inc.
Hi Marc,

We have had preliminary discussion about U2F.

As you suggest, U2F requires client support. U2F does not provide a
general signing operation (it only signs a specific kind of
message[1]) so some server support is probably required as well.

[1] https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success

That said, a lot of U2F devices have additional / alternative modes
with PKCS #11 interfaces, e.g. PIV, allowing them to be used as
generic crypto tokens.

Thanks,
Fraser
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
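The program below is an added example, not code from this thread or from FreeIPA, to make Fraser's point concrete. It simulates a U2F token in software (a fresh P-256 key and a usage counter; assumed, no real device is driven), lays out the exact bytes a token signs in an authentication response (application parameter, user-presence byte, big-endian counter, challenge parameter), verifies such a response the way a relying party must (signature, user presence, strictly increasing counter), and then shows the two halves of Marc's idea: re-encoding the registration public key as an OpenSSH ecdsa-sha2-nistp256 key is trivial, but the same key will not produce a signature over SSH's own data, because the token only ever signs the U2F layout. The origin https://ipa.example.test and the challenge string are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
)

// signedData is the only layout a U2F token signs at authentication:
// appParam || user-presence byte || 4-byte big-endian counter || challengeParam.
func signedData(appParam, challengeParam [32]byte, userPresence byte, counter uint32) []byte {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	buf := append([]byte{}, appParam[:]...)
	buf = append(buf, userPresence)
	buf = append(buf, ctr[:]...)
	return append(buf, challengeParam[:]...)
}

// Token is a software stand-in for a U2F device (constructed for this example):
// one P-256 key per registration plus a counter that only moves forward.
type Token struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

func NewToken() (*Token, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{key: k}, nil
}

// PublicKeyX962 is the 65-byte uncompressed point (0x04||X||Y) returned at registration.
func (t *Token) PublicKeyX962() []byte {
	return elliptic.Marshal(elliptic.P256(), t.key.PublicKey.X, t.key.PublicKey.Y)
}

// Authenticate mimics a touch: bump the counter, sign the U2F layout, and return
// the user-presence byte, the counter and a DER-encoded ECDSA signature.
func (t *Token) Authenticate(appParam, challengeParam [32]byte) (byte, uint32, []byte, error) {
	t.counter++
	const userPresence = 0x01
	digest := sha256.Sum256(signedData(appParam, challengeParam, userPresence, t.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, digest[:])
	return userPresence, t.counter, sig, err
}

func parseX962(pubX962 []byte) (*ecdsa.PublicKey, error) {
	x, y := elliptic.Unmarshal(elliptic.P256(), pubX962)
	if x == nil {
		return nil, errors.New("not a valid uncompressed P-256 point")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}

// Verify is the relying-party side: rebuild the layout, check the signature,
// require user presence and a strictly increasing counter (no advance means a
// replay or a cloned key). It returns the counter to store for next time.
func Verify(pubX962 []byte, lastCounter uint32, appParam, challengeParam [32]byte,
	userPresence byte, counter uint32, sig []byte) (uint32, error) {
	pub, err := parseX962(pubX962)
	switch {
	case err != nil:
		return lastCounter, err
	case userPresence&0x01 == 0:
		return lastCounter, errors.New("user presence not asserted")
	case counter <= lastCounter:
		return lastCounter, errors.New("counter did not advance: replay or cloned token")
	}
	digest := sha256.Sum256(signedData(appParam, challengeParam, userPresence, counter))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return lastCounter, errors.New("signature does not verify over the U2F layout")
	}
	return counter, nil
}

// VerifyRaw checks the signature over arbitrary data, as an SSH server does over
// its session identifier; a U2F response never verifies this way, same key or not.
func VerifyRaw(pubX962, msg, sig []byte) bool {
	pub, err := parseX962(pubX962)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// SSHPublicKey is the transformation Marc describes: the registration point as an
// OpenSSH ecdsa-sha2-nistp256 key (RFC 5656 wire format, base64 as in authorized_keys).
func SSHPublicKey(pubX962 []byte) string {
	sshString := func(b []byte) []byte {
		out := make([]byte, 4, 4+len(b))
		binary.BigEndian.PutUint32(out, uint32(len(b)))
		return append(out, b...)
	}
	var blob []byte
	for _, f := range [][]byte{[]byte("ecdsa-sha2-nistp256"), []byte("nistp256"), pubX962} {
		blob = append(blob, sshString(f)...)
	}
	return "ecdsa-sha2-nistp256 " + base64.StdEncoding.EncodeToString(blob)
}
```

Usage: register by storing PublicKeyX962() (and a starting counter of 0) for the user, then on each login pass the token's Authenticate output to Verify and persist the returned counter. Feeding the same response to Verify twice, or a response with the presence bit cleared, is rejected; feeding the U2F signature to VerifyRaw over an SSH-style message fails even though SSHPublicKey renders the very same key, which is the gap between "the key converts" and "the token can sign for sshd" that the reply above points to. Where the public key and counter live, per user and per key handle, is the part that would have to be served centrally rather than from a local file.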
Alexander Bokovoy
2017-04-21 06:49:43 UTC
Post by Fraser Tweedale
Post by Marc Boorshtein
Has anyone looked into using U2F with freeipa? My guess is you would need
a customized ssh client to interact with the device but in theory you could
just transform the user's U2F public key into an ssh key.
Marc Boorshtein
CTO, Tremolo Security, Inc.
Hi Marc,
We have had preliminary discussion about U2F.
As you suggest, U2F requires client support. U2F does not provide a
general signing operation (it only signs a specific kind of
message[1]) so some server support is probably required as well.
[1] https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-raw-message-formats-v1.1-id-20160915.html#authentication-response-message-success
That said, a lot of U2F devices have additional / alternative modes
with PKCS #11 interfaces, e.g. PIV, allowing them to be used as
generic crypto tokens.
I've looked at Yubikey's U2F PAM module and, as with many others, it is
a module to check against a local source. We need to spend some time
doing actual design to see what can be stored centrally and how mapping
to login as other users can be done, but it would be nice to have this
integrated, yes.
--
/ Alexander Bokovoy