On Thu, Jun 16, 2016 at 11:43:05PM +0200, Enrico Zini wrote:
> Hello,
>
> I have just prototyped this:
> https://github.com/spanezz/debsso-client
>
> Who would like to give it a try and make it grow?
Hey, thanks, Enrico!

I've also documented steps to export as a PKCS12 (which you can easily
split into an x509 cert and an RSA private key), which may help avoid
some of the work to extract it from a browser.

(That same guide has instructions on taking that PKCS12 blob and burning
certs into a Yubikey[1].)

Yubikeys also have a handy feature of being able to be read from OpenSC's
PKCS11[2] driver, and even act as a PIV device! This would allow neat
things like using libpam-pkcs11[3] to let any DD log into a laptop
(in-person porterbox in the DebConf hacklab!), or add it to nss[4], for
Chrome, or even stuff like scripts above, so you don't have to munge
certs.

It's also worth noting you can add user certs to Android phones by adding
them as a user cert (Looks hidden as a VPN thing ISTR), which means we can
even do Debian work from our phones!

Anyway, I'd just like folks to know this is super exciting, and having a
sane PKI system that lets DDs client-auth to services is *huge*, and we
should totally be building up awesome infra around this stuff. Maybe even
send OpenPGP signed CSRs to an automated CA to issue new client certs?

WHO ELSE IS STOKED? I AM!

Can't wait to build around this amazing work, Enrico!

paultag

[1]: https://wiki.debian.org/DebianSingleSignOn#Use_with_a_Yubikey_in_PIV_mode
[2]: https://packages.debian.org/unstable/opensc-pkcs11
[3]: https://packages.debian.org/unstable/libpam-pkcs11
[4]: <<EOF
# Install libnss3-tools first
sudo apt-get install libnss3-tools

# List the PKCS#11 modules currently known to the user NSS database
certutil -U -d sql:$HOME/.pki/nssdb

# Register the OpenSC PKCS#11 module under the name "OpenSC"
# (modutil asks for confirmation; close browsers using this db first)
modutil -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -dbdir sql:$HOME/.pki/nssdb
modutil -list "OpenSC" -dbdir sql:$HOME/.pki/nssdb
modutil -enable "OpenSC" -dbdir sql:$HOME/.pki/nssdb

# Validate it's working: the module should be listed, and the certs on
# the token should show up under the "OpenSC" token name
certutil -U -d sql:$HOME/.pki/nssdb
certutil -L -h "OpenSC" -d sql:$HOME/.pki/nssdb

# Heck, now that we have an RSA token, let's make an SSH key from my
# Debian SSO cert off my Yubikey!
ssh-keygen -D /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

# To remove:
modutil -delete "OpenSC" -dbdir sql:$HOME/.pki/nssdb
EOF
signature.asc
Description: PGP signature
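Added example, not from Paul's message or the debsso-client project: a POSIX shell script that does the PKCS12-to-PEM split mentioned above with openssl and checks that the extracted certificate and private key actually belong together before either is loaded into NSS, a Yubikey or a phone. The file names, the password `secret` and the self-signed fixture certificate are constructed for the demo and stand in for a real exported Debian SSO certificate.

```shell
#!/bin/sh
# Split an exported PKCS#12 bundle into cert.pem + key.pem with openssl,
# then verify the certificate and private key belong together.
set -eu

# keypair_matches CERT.pem KEY.pem -> 0 if the public key inside the
# certificate equals the public half of the private key, else non-zero.
keypair_matches() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1  # must parse as a cert
    openssl pkey -in "$2" -noout 2>/dev/null || return 1  # must parse as a key
    # Compare SHA-256 digests of the two DER-encoded SubjectPublicKeyInfos.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# split_p12 BUNDLE.p12 PASSWORD OUTDIR -> writes OUTDIR/cert.pem and
# OUTDIR/key.pem (key unencrypted, owner-readable only) and checks they match.
split_p12() {
    p12="$1"; pass="$2"; outdir="$3"
    mkdir -p "$outdir" || return 1
    old_umask=$(umask); umask 077        # files openssl creates get mode 0600
    # -clcerts/-nokeys: only the client certificate, no CA chain, no key.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$outdir/cert.pem" 2>/dev/null || { umask "$old_umask"; return 1; }
    # -nocerts/-nodes: only the private key, written as unencrypted PEM.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$outdir/key.pem" 2>/dev/null || { umask "$old_umask"; return 1; }
    umask "$old_umask"
    keypair_matches "$outdir/cert.pem" "$outdir/key.pem"
}

# Constructed fixture: a throwaway self-signed cert + key, bundled as
# PKCS#12 with password "secret", standing in for the exported SSO cert.
make_fixture() {
    mkdir -p "$1" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-dd" \
        -keyout "$1/fixture-key.pem" -out "$1/fixture-cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/fixture-key.pem" -in "$1/fixture-cert.pem" \
        -passout pass:secret -out "$1/fixture.p12" 2>/dev/null
}

# Demo: ./split_p12.sh --demo  (uses the constructed fixture in a temp dir)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp" && split_p12 "$tmp/fixture.p12" secret "$tmp/out" \
        && echo "cert and key extracted to $tmp/out and verified to match"
fi
```

For a real export, call `split_p12 debsso.p12 '<export password>' ~/debsso-cert` and feed the resulting cert.pem/key.pem to whatever consumes them; the match check catches the case where the wrong bundle or a stale key was exported.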