Request new repo for IBM-specific code
Patrick Williams
patrick at stwcx.xyz
Sat Mar 6 09:05:36 AEDT 2021
On Fri, Mar 05, 2021 at 01:15:47PM -0600, Patrick Williams wrote:
> On Thu, Mar 04, 2021 at 09:14:47PM -0600, Joseph Reynolds wrote:
> My first reading of what is there, I'm not sure why typical certificate
> based authentication couldn't solve your needs (but I'm just guessing
> what your needs are). It seems like you have a root-authority (IBM), a
> a daily expiring certificate, and some fields in the certificate you
> want to confirm (ex. serial number). I've seen other production-level
> systems doing similar for SSH/HTTPS without additional PAM modules.
For more concrete example of what I'm talking about, see 'sshd_config'
options AuthorizePrincipalsCommand and TrustedUserCAKeys.
- An IBM certificate would be the CA for TrustedUserCAKeys (and
installed on only IBM Enterprise systems.
- AuthorizedPrincipalsCommand would be a small dbus lookup to get
the system serial number.
Your login credentials would be a certificate signed by the IBM CA where
the system serial number is included in the Principals of the cert. The
certificate can be set to expire in 24 hours.
I'm pretty sure SSH certificates can be standard X.509 certificates
which can be used for mTLS in a similar way. bmcweb could be configured
to do similar operations as already built in to SSH.
I don't know if you would want to install the CA and configuration with
a bbappend in your own layer or via a local.conf override on your build
system. You might want to look at
meta-phosphor/classes/phosphor-deploy-ssh-keys.bbclass as a method of
installing extensions, like SSH keys, in a build.
--
Patrick Williams
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20210305/df60cd2f/attachment.sig>
More information about the openbmc
mailing list