From: Patrick Williams <patrick@stwcx.xyz>
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: openbmc <openbmc@lists.ozlabs.org>
Subject: Re: Request new repo for IBM-specific code
Date: Fri, 5 Mar 2021 16:05:36 -0600
Message-ID: <YEKrMMxgcljwRNDt@heinlein>
In-Reply-To: <YEKDY6+zfW5Uuqkl@heinlein>


On Fri, Mar 05, 2021 at 01:15:47PM -0600, Patrick Williams wrote:
> On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:

> My first reading of what is there, I'm not sure why typical certificate
> based authentication couldn't solve your needs (but I'm just guessing
> what your needs are).  It seems like you have a root-authority (IBM),
> a daily expiring certificate, and some fields in the certificate you
> want to confirm (ex. serial number).  I've seen other production-level
> systems doing similar for SSH/HTTPS without additional PAM modules.

For a more concrete example of what I'm talking about, see 'sshd_config'
options AuthorizedPrincipalsCommand and TrustedUserCAKeys.

- An IBM certificate would be the CA for TrustedUserCAKeys (and
  installed on only IBM Enterprise systems).
- AuthorizedPrincipalsCommand would be a small dbus lookup to get
  the system serial number.

Your login credentials would be a certificate signed by the IBM CA where
the system serial number is included in the Principals of the cert.  The
certificate can be set to expire in 24 hours.

I'm pretty sure SSH certificates can be standard X.509 certificates
which can be used for mTLS in a similar way.  bmcweb could be configured
to do similar operations as are already built into SSH.

I don't know if you would want to install the CA and configuration with
a bbappend in your own layer or via a local.conf override on your build
system.  You might want to look at
meta-phosphor/classes/phosphor-deploy-ssh-keys.bbclass as a method of
installing extensions, like SSH keys, in a build.

-- 
Patrick Williams
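The arrangement Patrick sketches above, written out as an added example (this is not code from the thread, from OpenBMC, or from IBM): an sshd_config fragment that trusts the IBM CA and delegates the principal list to a command, the AuthorizedPrincipalsCommand body that returns the system serial, and a CA-signed user certificate whose only principal is that serial and which expires after 24 hours. The D-Bus service, object path and interface used for the serial lookup, the install paths /etc/ssh/ibm_ca.pub and /usr/libexec/bmc-principals, and the BMC_SERIAL override that lets it run off a BMC are all assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread.  Service/path/interface names and the
# install paths below are assumptions; BMC_SERIAL is a constructed override
# so the script can run on a machine that is not a BMC.

CA_PUB=/etc/ssh/ibm_ca.pub                                 # assumed path for the IBM CA public key
PRINCIPALS_CMD=/usr/libexec/bmc-principals                 # assumed path for the principals command
DBUS_SERVICE=xyz.openbmc_project.Inventory.Manager         # assumed
DBUS_OBJECT=/xyz/openbmc_project/inventory/system          # assumed
DBUS_IFACE=xyz.openbmc_project.Inventory.Decorator.Asset   # assumed

# Return the system serial number.  On a BMC this is the small dbus lookup
# Patrick mentions; off a BMC the constructed BMC_SERIAL override is used.
bmc_serial() {
    if [ -n "${BMC_SERIAL:-}" ]; then
        printf '%s\n' "$BMC_SERIAL"
        return 0
    fi
    command -v busctl >/dev/null 2>&1 || return 1
    busctl get-property "$DBUS_SERVICE" "$DBUS_OBJECT" "$DBUS_IFACE" SerialNumber \
        | sed -n 's/^s "\(.*\)"$/\1/p' | grep .
}

# Body of the AuthorizedPrincipalsCommand: one accepted principal per line.
# sshd accepts a CA-signed certificate only if one of the certificate's
# principals appears here, so printing nothing rejects every certificate.
authorized_principals() {
    serial=$(bmc_serial) || return 1
    printf '%s\n' "$serial"
}

# sshd_config fragment: trust the IBM CA and ask the command above for the
# principal list.  AuthorizedPrincipalsCommandUser is required by sshd.
print_sshd_config() {
    cat <<EOF
TrustedUserCAKeys $CA_PUB
AuthorizedPrincipalsCommand $PRINCIPALS_CMD %u
AuthorizedPrincipalsCommandUser nobody
EOF
}

# Issue a daily certificate in a scratch directory and check that its
# principal matches what the BMC would return.  Returns 2 when ssh-keygen is
# not installed so the rest of the example still runs.
demo_sign() (
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    serial=$(bmc_serial) || return 1
    tmp=$(mktemp -d) || return 1
    trap 'rm -rf "$tmp"' EXIT
    cd "$tmp" || return 1
    ssh-keygen -q -t ed25519 -N '' -C 'IBM CA (demo)' -f ibm_ca
    ssh-keygen -q -t ed25519 -N '' -C 'service login (demo)' -f svc_key
    # Principal = system serial, valid for 24h from now.  The CA private key
    # stays with the issuer; only ibm_ca.pub is installed as TrustedUserCAKeys.
    ssh-keygen -q -s ibm_ca -I "service-login-$serial" -n "$serial" -V +24h svc_key.pub
    # This is the comparison sshd performs: certificate principals versus the
    # output of AuthorizedPrincipalsCommand.
    ssh-keygen -L -f svc_key-cert.pub | grep -qx "[[:space:]]*$serial" || return 1
    authorized_principals | grep -qx "$serial"
)

# Stand-alone run with a constructed serial number.
: "${BMC_SERIAL:=SN-CONSTRUCTED-001}"
print_sshd_config
if demo_sign; then
    echo "certificate for principal $(bmc_serial) issued and matched"
elif [ $? -eq 2 ]; then
    echo "ssh-keygen not available; signing demo skipped"
fi
```

A certificate signed for a different serial fails the principal match and sshd refuses it, which is the property Patrick is relying on: the CA binds the login to one machine, and the 24-hour validity bounds how long a leaked certificate is useful.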
