Hello all,
I'm trying to install the development tools for a small team, and I can't get the authentication right.
Since we are a distributed team, the server is on the internet. And I'd like to have SSO+zero client configuration.
So basically git over https+webdav is impractical, because the git client can only use basic auth but doesn't save the password, and some IDE plugins don't even forward the password question in their UI.
I have to use git over ssh then. I installed gitosis and it basically works with asymmetric keys, ok. I'll have to ask each dev to install their key, I can do that, forget zero configuration.
Then I want the developers to access the web tools (wiki, tickets, etc.) that are on https, but this time I have to give them either a login/password or another private key just because the formats aren't compatible between SSH and SSL and the place to store it on the OS is not the same. Now I have to forget the SSO?
Have I just been sent to hell, or am I mistaken?
Thanks in advance for your insights.
-
You're pretty much out of luck - SSH keys and SSL certificates are different animals and as far as I know they aren't interchangeable.
Your best bet is probably to configure single sign-on / shared password store / whatever for your web tools & leave git/gitosis as an authentication island.
From voretaq7 -
OpenSSH has experimental support for x509 certificates here:
http://roumenpetrov.info/openssh
You could issue a single x509 certificate per user and use them for both.
Instead of putting the user pubkey in their authorized_keys, you can specify the allowed DNs of the user certificates; and you must configure the webserver/web application so that the DN is translated to a username.

b0fh: You mean installing the patched version of openssh? It may already be shipped by your distribution (I know that at least Gentoo does). There is no point in using the same RSA key for both applications but with a different format - you still have to set up the ssh public key of each user by hand. OTOH, with x.509 keys, you could keep your CA separate, and adding new users to SSH or HTTPS can be done without knowledge of their public key, you only need to pick a consistent DN policy...

From b0fh -
TL;DR summary: If you have an SSL/X.509 certificate+key, just give the private key file to `ssh`. Or, if you already have an SSH key in `id_rsa`, just use it with OpenSSL when signing a CSR. That's all.

Let's assume you have a user's SSL certificate in `joeuser.pem` and its private key in `joeuser.key`. Since X.509 uses standard RSA keys, and so does SSH, you should be able to just tell your SSH client to use `joeuser.key` -- the only requirement is that it be in an understandable format. Look at the insides of `joeuser.key` and check if it looks kinda like this:

```
-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxQaFwijLYlXTOlwqnSW9PAgMBAAECEETwgqpzhX0IVhUa0OK0tgkC
CQDXPo7HDY3axQIJANLRsrFxClMDAghaZp7GwU2T1QIIMlVMo57Ihz8CCFSoKo3F
2L/2
-----END RSA PRIVATE KEY-----
```

In OpenSSL, this format is called "PEM" (as in `-outform pem`) and is used by default. The same format is used by OpenSSH, and you can use `ssh -i joeuser.key` to connect. You can extract the public key in OpenSSH `id_rsa.pub` format (for putting into `authorized_keys`) with:

```
ssh-keygen -y -f joeuser.key > joeuser-ssh.pub
```

(The same public key in PEM format can be extracted with `openssl rsa -pubout`, but it will be of little use.)

If you have a DSA key, it should work exactly the same as RSA.

grawity: nraynaud: They are _developers_. If they cannot install an X.509 cert in their favourite browser (at least by following TFM), it's already scary.

grawity: ...anyway. For NSS-based browsers (Firefox, Mozilla, Epiphany) there's a set of command-line tools to modify `cert.db`. For Windows, certificates can be installed using certutil or (I think) through AD group policy. SSH requires no configuration at all, just `ssh-keygen -y -f` and dump both files to user's homedir.

From grawity
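To make the point of the answer above concrete (that an OpenSSL/X.509 RSA private key and an OpenSSH key carry the same RSA parameters and differ only in encoding), here is an added example that is not part of the original thread or of any OpenSSH/OpenSSL code. It re-implements in pure Python what `ssh-keygen -y -f joeuser.key` does: parse the PKCS#1 "RSA PRIVATE KEY" PEM shown in the answer, pull out the modulus and public exponent, and emit the `ssh-rsa` line for `authorized_keys`. It also accepts the unencrypted PKCS#8 "PRIVATE KEY" wrapper that newer OpenSSL tools emit, and refuses encrypted keys instead of trying to decrypt them. The embedded key is the 128-bit demo key quoted in the answer, usable only to illustrate the parsing; the comment string and the PKCS#8 handling are assumptions added here.

```python
"""Derive an OpenSSH public key line from a PEM RSA private key in pure Python.

Added example, not from the original thread: it re-implements what
`ssh-keygen -y -f joeuser.key` does, to show that an OpenSSL/X.509 RSA key
and an OpenSSH key share the same (n, e) and differ only in encoding.
"""
import base64
import re
import struct

# The tiny 128-bit demo key quoted in the thread: fine for showing the
# encoding, useless for real security.
DEMO_PEM = """-----BEGIN RSA PRIVATE KEY-----
MGECAQACEQCxQaFwijLYlXTOlwqnSW9PAgMBAAECEETwgqpzhX0IVhUa0OK0tgkC
CQDXPo7HDY3axQIJANLRsrFxClMDAghaZp7GwU2T1QIIMlVMo57Ihz8CCFSoKo3F
2L/2
-----END RSA PRIVATE KEY-----
"""


def _der_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der_ints(seq):
    """Return the top-level INTEGER children of a DER SEQUENCE body as ints."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _der_tlv(seq, pos)
        if tag == 0x02:
            out.append(int.from_bytes(val, "big"))
    return out


def parse_rsa_private_pem(pem):
    """Return dict with n, e, d, p, q from a PEM RSA private key (PKCS#1 or PKCS#8)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        raise ValueError("encrypted private key: decrypt it first (e.g. with openssl rsa)")
    der = base64.b64decode("".join(body.split()))
    tag, seq, end = _der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("malformed DER")
    if label == "PRIVATE KEY":
        # PKCS#8 (assumed rsaEncryption): SEQUENCE { version, AlgorithmIdentifier,
        # OCTET STRING containing the PKCS#1 RSAPrivateKey }
        _, _, pos = _der_tlv(seq, 0)        # version
        _, _, pos = _der_tlv(seq, pos)      # AlgorithmIdentifier
        tag, inner, _ = _der_tlv(seq, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING in PKCS#8 key")
        _, seq, _ = _der_tlv(inner, 0)
    elif label != "RSA PRIVATE KEY":
        raise ValueError("unsupported PEM label: " + label)
    ints = _der_ints(seq)
    if len(ints) < 6 or ints[0] != 0:
        raise ValueError("not a PKCS#1 RSAPrivateKey")
    _version, n, e, d, p, q = ints[:6]
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    """SSH wire 'mpint': big-endian two's complement, so a set high bit needs a 0x00."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def pem_to_openssh_pubkey(pem, comment="joeuser"):
    """Equivalent of `ssh-keygen -y -f key.pem`: 'ssh-rsa <base64 blob> <comment>'."""
    k = parse_rsa_private_pem(pem)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(k["e"]) + _ssh_mpint(k["n"])
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def openssh_pubkey_to_rsa(line):
    """Decode an 'ssh-rsa ...' line back into (e, n) to verify the round trip."""
    blob = base64.b64decode(line.split()[1])
    fields, pos = [], 0
    while pos < len(blob):
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


if __name__ == "__main__":
    print(pem_to_openssh_pubkey(DEMO_PEM))
```

Running it against a real key prints the same `ssh-rsa AAAAB3Nza...` line that `ssh-keygen -y -f` produces, which is why the thread's advice works: nothing about the key itself is SSH-specific or SSL-specific, only the container format is, and both tools can read PEM.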