Contents of this file
---------------------
* Introduction
* Operating model
* Module stack
* Installation
* Contribute
* Bug report / Feature request
* License
* Contact
Introduction
------------
pam_openssh_x509 is a collection of PAM modules that, paired with a PKI, provides
a fully automated solution for the management of OpenSSH keys.
pam_openssh_x509 enables you to...
* Reduce costs while improving security by reusing already established
processes.
* Centrally manage access to OpenSSH servers.
* Raise the security level of OpenSSH keys to that of x509 certificates.
* Protect private keys strongly by keeping them on Smartcards.
* Periodically update key material without manual interaction.
* Revoke keys in a standard way.
* Gain back control of the key creation process.
* Stay largely independent of changes to OpenSSH itself by using a long
established and supported standard interface (PAM).
* Implement two-factor authentication simply.
* Adapt to different environments through policies.
* Reveal the theft of private keys and make it hard to duplicate them.
* KEEP IT SIMPLE \o/
For more information on how to make the most out of pam_openssh_x509 see the
next section.
Operating model
---------------
The idea behind pam_openssh_x509 is to make managed x509 certificates
accessible for OpenSSH public key authentication. Unlike other approaches, the
source code of OpenSSH remains untouched, which keeps the modules relatively
independent from changes to OpenSSH. The design also integrates with components
usually found in larger enterprises, resulting in an integrated solution for
OpenSSH key management. It thereby avoids the installation and maintenance of an
extensive software layer for managing OpenSSH key material, while raising the
security level of the keys and reducing costs.
The operating model consists of the following components:
* PKI
* LDAP server
* Smartcard technology (optional)
* SSH client supporting Smartcards (e.g. PuTTY-CAC) (optional)
* pam_openssh_x509
The tasks of the components can be described as follows:
The PKI...
* Is responsible for the management of the lifecycle of x509 certificates.
* Creates the private key in a secure manner. E.g. it makes sure that
private keys will be created on the Smartcard using a known key creation
procedure.
* Re-keys at regular intervals.
* Maintains processes for key revocation.
* Publishes x509 certificates to the LDAP server.
The LDAP server...
* Stores all x509 certificates.
* Maintains a list of all OpenSSH servers.
* Holds access permissions for the OpenSSH servers.
The Smartcard...
* Generates and stores the private key.
* Is used for authentication.
The SSH client supporting Smartcards...
* Will use the private key inside the Smartcard to create the digital
signature used for authentication, instead of a private key kept in the
filesystem.
For pam_openssh_x509 to work, the PKI has to store the x509 certificates at
the user object in the LDAP server. Every OpenSSH server will be represented as
a group in a distinct tree in the LDAP server. Access permission to an OpenSSH
server is then granted through a group membership.
pam_openssh_x509 makes sure that the public key of the x509 certificate is
synchronized to the server. It does so only after access permissions have been
checked and the certificate has been validated.
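The flow just described, as an added example written for this README; it is
not code from the project (whose modules are C) but Go, chosen because its
standard library can issue and verify x509 certificates offline. The in-memory
Directory, the DNs, the CA, alice's certificate and the function names are all
this example's own constructions. Authorize keeps the order stated above: group
membership first, then certificate validation against the PKI root, and only
then conversion of the certificate's public key into the OpenSSH format.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Directory is a constructed stand-in for the LDAP server: user DN -> DER certificate
// at the user object (userCertificate;binary); server group DN -> member user DNs.
type Directory struct {
	Users   map[string][]byte
	Servers map[string][]string
}

// sshString and mpint encode the RFC 4251 wire types that make up an ssh-rsa blob.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

func mpint(n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...) // a leading zero keeps the value positive
	}
	return sshString(b)
}

// OpenSSHKeyLine converts the RSA public key taken from a certificate into the
// "ssh-rsa <base64 blob> <comment>" form that authorized_keys uses.
func OpenSSHKeyLine(pub *rsa.PublicKey, comment string) string {
	blob := sshString([]byte("ssh-rsa"))
	blob = append(blob, mpint(big.NewInt(int64(pub.E)))...)
	blob = append(blob, mpint(pub.N)...)
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

// Authorize applies the checks in the order the operating model gives: group membership,
// then validation of the certificate against the PKI root at time now, then conversion.
func Authorize(dir Directory, userDN, serverDN string, roots *x509.CertPool, now time.Time) (string, error) {
	if !slices.Contains(dir.Servers[serverDN], userDN) {
		return "", fmt.Errorf("%s is not a member of %s", userDN, serverDN)
	}
	cert, err := x509.ParseCertificate(dir.Users[userDN]) // a missing (nil) certificate fails here
	if err != nil {
		return "", fmt.Errorf("no usable certificate at %s: %w", userDN, err)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate validation failed: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("%s: only RSA keys are converted in this example", userDN)
	}
	return OpenSSHKeyLine(pub, cert.Subject.CommonName), nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewTestPKI builds at run time what the real PKI would publish (all constructed data): a root
// CA, a client certificate for alice valid one year from now, and a directory in which alice
// is a member of web01 but not of db01.
func NewTestPKI(now time.Time) (Directory, *x509.CertPool) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey))))
	userKey := must(rsa.GenerateKey(rand.Reader, 2048))
	userTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"}, NotBefore: now,
		NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER := must(x509.CreateCertificate(rand.Reader, userTpl, caCert, &userKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	alice := "uid=alice,ou=people,dc=example,dc=com"
	return Directory{Users: map[string][]byte{alice: userDER}, Servers: map[string][]string{
		"cn=web01,ou=servers,dc=example,dc=com": {alice},
		"cn=db01,ou=servers,dc=example,dc=com":  {"uid=bob,ou=people,dc=example,dc=com"}}}, roots
}

func main() {
	now := time.Now()
	dir, roots := NewTestPKI(now)
	line, err := Authorize(dir, "uid=alice,ou=people,dc=example,dc=com", "cn=web01,ou=servers,dc=example,dc=com", roots, now)
	fmt.Println(line, err)
}
```

The blob built by OpenSSHKeyLine is the same one ssh-keygen prints for the key,
so the resulting line can be compared with what the user sees on the client
side. Membership is checked before the certificate is even parsed, so a valid
certificate for a user who is not in the server's group never reaches the
conversion step. Key material is generated fresh on every run.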
Module stack
------------
pam_openssh_x509 is made up of the following modules:
pam_openssh_x509_base.so
* Checks access permissions through LDAP groups.
* Validates x509 certificate.
* Converts the public key into the OpenSSH key format.
* Creates and updates the data transfer object passed to downstream modules
with all determined information.
pam_openssh_x509_audit.so (optional)
* Logs information from the data transfer object.
pam_openssh_x509_validate.so
* Keeps the policy that evaluates the data transfer object and updates the
authorized_keys file.
The base module collects all the information needed to synchronize keys and
grant or revoke server access. All data is stored in a data transfer object
that is made accessible for downstream modules.
The audit module is a passive component that only logs the content of the data
transfer object.
The validation module performs the actual modification of the authorized_keys
file. It can be adjusted for differing environments. For example, while an
expired user certificate may not cause any trouble in a testing environment, it
would certainly gain significance in production. The validation module is the
only module that has to be adjusted to individual needs.
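To make the division of labour between the modules concrete, here is an added
example of the validation step. It was written for this README and is not taken
from the project's modules (which are C; this is Go). The DTO fields, the Policy
type with its lab and production variants, and the convention that the module
recognizes its own earlier lines in authorized_keys by the comment field
carrying the owner tag are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// DTO mirrors what the base module hands downstream; the field names are this
// example's, not the project's.
type DTO struct {
	HasAccess  bool   // member of this server's LDAP group
	ChainValid bool   // certificate chains to the PKI root with a good signature
	Expired    bool   // notAfter lies in the past
	Revoked    bool   // certificate is on the PKI's revocation list
	SSHKey     string // "ssh-rsa <blob> <comment>"; empty if conversion failed
}

// Policy is the environment-specific part of the validation module.
type Policy struct {
	Name         string
	AllowExpired bool // acceptable in a lab, never in production
}

var (
	Lab        = Policy{Name: "lab", AllowExpired: true}
	Production = Policy{Name: "production"}
)

// Grant decides whether the key may be present in authorized_keys and names the
// reason for a refusal so the audit module has something to log.
func (p Policy) Grant(d DTO) (bool, string) {
	switch {
	case !d.HasAccess:
		return false, "not a member of the server group"
	case !d.ChainValid:
		return false, "certificate does not chain to the PKI root"
	case d.Revoked:
		return false, "certificate revoked"
	case d.Expired && !p.AllowExpired:
		return false, "certificate expired"
	case d.SSHKey == "":
		return false, "no convertible public key"
	}
	return true, "ok"
}

// SyncAuthorizedKeys returns the new file content. Lines whose comment field is
// the owner tag are the module's earlier entries and are dropped first, so a
// rekeyed or revoked certificate never leaves a stale key behind; comment lines
// and keys with other tags (for example manually added ones) are kept. Lines with
// option prefixes or comments containing spaces are outside this example's scope.
func SyncAuthorizedKeys(existing, owner, key string, grant bool) string {
	var kept []string
	for _, line := range strings.Split(existing, "\n") {
		f := strings.Fields(line)
		if !strings.HasPrefix(line, "#") && len(f) >= 3 && f[len(f)-1] == owner {
			continue
		}
		kept = append(kept, line)
	}
	if n := len(kept); n > 0 && kept[n-1] == "" {
		kept = kept[:n-1] // artefact of the trailing newline
	}
	if grant {
		kept = append(kept, key)
	}
	if len(kept) == 0 {
		return ""
	}
	return strings.Join(kept, "\n") + "\n"
}

// Apply is one login's worth of work for the validation module: decide, then
// rewrite. Removing the key on refusal is what turns a group change or a
// revocation in LDAP into an actual loss of access on this server.
func (p Policy) Apply(d DTO, owner, existing string) (content string, granted bool, reason string) {
	granted, reason = p.Grant(d)
	return SyncAuthorizedKeys(existing, owner, d.SSHKey, granted), granted, reason
}

func main() {
	// constructed authorized_keys: one manual key and the key from alice's previous certificate
	existing := "ssh-ed25519 AAAAC3manual laptop\nssh-rsa AAAAB3oldblob alice\n"
	d := DTO{HasAccess: true, ChainValid: true, Expired: true, SSHKey: "ssh-rsa AAAAB3newblob alice"}
	for _, p := range []Policy{Lab, Production} {
		content, ok, reason := p.Apply(d, "alice", existing)
		fmt.Printf("[%s] granted=%v (%s)\n%s\n", p.Name, ok, reason, content)
	}
}
```

The policy is the only piece that differs between environments, which is why
the README puts the adjustable part into one module: in the lab the expired
certificate still grants access, in production it does not, and in both cases
the key from the previous certificate is removed before anything is added, so
the file never holds more than one current key per managed user.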
Installation
------------
see INSTALL
Contribute
----------
You like the project and want to join? Feel free to become part of it.
Any help is highly appreciated! We're always searching for:
* Developers
* Code reviewers
* Testers
* Testing environments
* Feature requests
* Feedback
* Web designers
* ASCII art
Do you have other skills that might help improve the project?
Don't hesitate to contact us!
Bug report / Feature request
----------------------------
see Contact
License
-------
see COPYING / COPYING.LESSER
Contact
-------
Questions? Suggestions? Just wanna say Hi?
Reach us over the following channels:
* IRC: #pam_openssh_x509 @ freenode or /query flix
* E-Mail: seroland86@gmail.com
* Github: https://github.com/flix-
#EOF