
Re: Command line frontend for services that require single sign-on



On Thu, Jun 16, 2016 at 11:43:05PM +0200, Enrico Zini wrote:
> Hello,
> 
> I have just prototyped this:
> https://github.com/spanezz/debsso-client
> 
> Who would like to give it a try and make it grow?

Hey, thanks, Enrico!

I've also documented steps to export as a PKCS12 (which you can
easily split into an x509 cert and an RSA private key), which may help
avoid some of the work to extract it from a browser.

(That same guide has instructions on taking that PKCS12 blob and burning
certs into a Yubikey[1]. Yubikeys also have the handy feature of being
readable from OpenSC's PKCS11[2] driver, and can even act as a PIV
device!)

This would allow neat things like using libpam-pkcs11[3] to let any DD
log into a laptop (in-person porterbox in the DebConf hacklab!), or adding
it to nss[4], for Chrome, or even stuff like the script below, so you don't
have to munge certs.

It's also worth noting you can add user certs to Android phones by
adding them as a user cert (Looks hidden as a VPN thing ISTR), which
means we can even do Debian work from our phones!

Anyway, I'd just like folks to know this is super exciting, and having a
sane PKI system that lets DDs client-auth to services is *huge*, and we
should totally be building up awesome infra around this stuff. Maybe
even send OpenPGP signed CSRs to an automated CA to issue new client
certs?

WHO ELSE IS STOKED? I AM!

Can't wait to build around this amazing work, Enrico!
  paultag


[1]: https://wiki.debian.org/DebianSingleSignOn#Use_with_a_Yubikey_in_PIV_mode
[2]: https://packages.debian.org/unstable/opensc-pkcs11
[3]: https://packages.debian.org/unstable/libpam-pkcs11
[4]: <<EOF
# Install libnss3-tools first
sudo apt-get install libnss3-tools

# List the modules currently loaded in the NSS database, then add OpenSC
certutil -U -d sql:$HOME/.pki/nssdb
modutil -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -dbdir sql:$HOME/.pki/nssdb
modutil -list "OpenSC" -dbdir sql:$HOME/.pki/nssdb
modutil -enable "OpenSC" -dbdir sql:$HOME/.pki/nssdb

# Validate it's working: the module should now be listed, and the
# certs on the token should show up under the "OpenSC" token name
certutil -U -d sql:$HOME/.pki/nssdb
certutil -L -h "OpenSC" -d sql:$HOME/.pki/nssdb

# Heck, now that we have an RSA token, let's make an SSH key from my
# Debian SSO cert off my Yubikey! (prints the OpenSSH public key for
# each key on the token; the private key never leaves the device)
ssh-keygen -D /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

# To remove:
modutil -delete "OpenSC" -dbdir sql:$HOME/.pki/nssdb
EOF
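The PKCS12 split mentioned above (one file in, an x509 cert and an RSA private key out), as an added example that is not part of the mail or of the wiki page it links to. It assumes openssl(1) is installed, builds a constructed self-signed certificate as sample input instead of a real Debian SSO cert, writes the unencrypted key with restrictive permissions, and checks that the extracted cert and key actually belong together before you go and load them anywhere:

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle into a PEM certificate and a PEM
# private key, then verify the pair. Not from the mail or the Debian wiki.
set -eu

# Build a throwaway PKCS#12 bundle from a constructed self-signed cert so the
# script runs offline. Usage: make_sample_p12 DIR PASSPHRASE
make_sample_p12() {
  dir="$1"; pass="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-dd" \
    -keyout "$dir/orig-key.pem" -out "$dir/orig-cert.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/orig-cert.pem" -inkey "$dir/orig-key.pem" \
    -passout "pass:$pass" -out "$dir/bundle.p12"
}

# Split BUNDLE.p12 into OUTDIR/cert.pem and OUTDIR/key.pem.
# Usage: split_p12 BUNDLE OUTDIR PASSPHRASE
split_p12() {
  p12="$1"; outdir="$2"; pass="$3"
  mkdir -p "$outdir"
  # -clcerts keeps only the client cert (drops any CA chain), -nokeys drops the key
  openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" \
    -out "$outdir/cert.pem"
  # The key comes out unencrypted (-nodes), so create it mode 0600 via umask
  # in a subshell, leaving the caller's umask untouched.
  ( umask 077
    openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" \
      -out "$outdir/key.pem" )
}

# Return 0 if CERT and KEY carry the same public key, 1 otherwise. Catches the
# classic mistake of pairing a cert with the wrong (e.g. older) private key.
# Usage: keys_match CERT KEY
keys_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Optional: turn the cert's public key into an OpenSSH public key line, the
# same thing ssh-keygen -D prints when the key lives on a token.
# Usage: ssh_pubkey_from_cert CERT
ssh_pubkey_from_cert() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; return 1; }
  openssl x509 -in "$1" -noout -pubkey > "${TMPDIR:-/tmp}/pub.$$"
  ssh-keygen -i -m PKCS8 -f "${TMPDIR:-/tmp}/pub.$$"
  rm -f "${TMPDIR:-/tmp}/pub.$$"
}

main() {
  work=$(mktemp -d)
  make_sample_p12 "$work" "demo-pass"
  split_p12 "$work/bundle.p12" "$work/out" "demo-pass"
  if keys_match "$work/out/cert.pem" "$work/out/key.pem"; then
    echo "cert.pem and key.pem match"
  else
    echo "MISMATCH: cert.pem and key.pem do not belong together" >&2
    exit 1
  fi
  ls -l "$work/out"
  ssh_pubkey_from_cert "$work/out/cert.pem" || true
  rm -rf "$work"
}

# Run the demo only when invoked as `sh split-p12.sh --demo`
if [ "${1:-}" = "--demo" ]; then main; fi
```

With a real bundle you would call `split_p12 debsso.p12 ~/.debsso "$(cat passfile)"` and then `keys_match ~/.debsso/cert.pem ~/.debsso/key.pem` before pointing any tool at the pair; `-nodes` is the flag that leaves the key unencrypted on disk, so drop it (and answer the passphrase prompt) if you would rather keep the key wrapped.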
