pam_pkcs11 certificate check

pam_pkcs11 certificate check

Andreas Jellinghaus-2
Hi,

pam_pkcs11 always does those certificate checks.
can't we make those a configurable option?

Sure, when dealing with the internet, you need to
work with a ca-signing plus blacklist mechanism,
because no one wants or can or should be able to have
a positive list of all acceptable certificates.

But for configuring ssh servers and pam logins,
that is something very private, the list of
certificates that are accepted is short, and
honestly using a CA style signature + blacklist
mechanism is complexity I neither want nor need.

So far I'm fine with self-signed certificates,
and for me it is important all software can be
configured to work fine with simple positive
lists, i.e. neither needs ca certificates nor
needs revocation lists nor any of that.

apache, openssh and pam_opensc are working fine.
it would be nice if we could make those certificate
checks an option, so I can disable them for pam_pkcs11.

fine with you?

Regards, Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: pam_pkcs11 certificate check

Jonsy (teleline)
On Mon, 27-06-2005 at 22:58, Andreas Jellinghaus wrote:
> Hi,
>
> pam_pkcs11 always does those certificate checks.
> can't we make those a configurable option?

Yes and no:

Pam_pkcs11 works in two ways:
- By entering the login and checking the certificate against the allowed
ones. In this case there is no (big) problem in disabling the PIN request.
- By just inserting the card and trying to deduce the login from the
certificates found. In this case, I think there is a real risk in
not asking for the PIN (think of stolen cards in corporations with
Single Sign-On environments).
My feeling is that for authentication at least two items are
needed: the card, and the login name or the card PIN.

So we could modify pam_pkcs11 to ask for the PIN if no login is
provided, to ensure that the user is the real owner of the card.

About CA-list verification, it is already a configurable option.
You're right, there is no real need for a complete cert-chain
verification process for a simple local login.

So I'll study how to make the PIN request a configurable option if
a login name is provided (needs some big changes in pam_pkcs11.c).

Regards
Juan Antonio
--
Jonsy (teleline) <[hidden email]>
Teleline

Re: pam_pkcs11 certificate check

Ludovic Rousseau
In reply to this post by Andreas Jellinghaus-2
On 27/06/05, Andreas Jellinghaus <[hidden email]> wrote:
> pam_pkcs11 always does those certificate checks.
> can't we make those a configurable option?

Why not.

But this configuration should be mapper dependent. It would be very
dangerous to trust, without verification, a certificate coming from
the card (opensc mapper).

So OK to skip the check if the public key comes from
$HOME/.ssh/authorized_keys (opensc mapper) but not from the card
(subject mapper).

Is that OK for you?

Regards,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

Re: pam_pkcs11 certificate check

Jonsy (teleline)
On Tue, 28-06-2005 at 11:29, Ludovic Rousseau wrote:
> On 27/06/05, Andreas Jellinghaus <[hidden email]> wrote:
> > pam_pkcs11 always does those certificate checks.
> > can't we make those a configurable option?
> Why not.
> But this configuration should be mapper dependent. It would
> be very dangerous to trust, without verification, a certificate
> coming from the card (opensc mapper).

To sum up: there are two problems:
1- Ensure that the user is the owner of the card
2- Ensure that the card contents are enough to perform authentication

We should distinguish between 2 kinds of cert contents:
- contents that can be easily duplicated (CN, Subject, Uid,
UPN, and so on)
- contents that are "non reproducible" (signature -hey!! what
about SHA-1 and MD5 collisions?-, public key and so on)

In fact, there is another security problem: mapping files in
/etc/pam_pkcs11. The curl library doesn't restrict them to being
local, root-owned, mode 400 files, so there is a chance of stealing the
mapfile content, creating a fake certificate and storing it in the card.
If this is the case, asking for the PIN is annoying :-(

So perhaps the way is:
- Always check the CA of the certificate (CRL optional)
- Ask for the PIN if no login is provided
- Ask for the PIN on mappers that use replicable cert elements

Regards

PS: I'm starting two-week holidays. Time to prepare a new
pam_pkcs11 release :-)

--
Jonsy (teleline) <[hidden email]>
Teleline

Re: Re: pam_pkcs11 certificate check

Ludovic Rousseau
On 28/06/05, Jonsy (teleline) <[hidden email]> wrote:
> To sum up: there are two problems:
> 1- Ensure that the user is the owner of the card
> 2- Ensure that the card contents are enough to perform authentication

3- Ensure the card is authentic and can be trusted by the host.

> In fact, there is another security problem: mapping files in
> /etc/pam_pkcs11. The curl library doesn't restrict them to being
> local, root-owned, mode 400 files, so there is a chance of stealing the
> mapfile content, creating a fake certificate and storing it in the card.
> If this is the case, asking for the PIN is annoying :-(

Only the knowledge of the private key should be used. Any other
information should be considered public.

> So perhaps the way is:
> - Always check the CA of the certificate (CRL optional)

I think Andreas was asking to make this check optional.

> - Ask for the PIN if no login is provided
> - Ask for the PIN on mappers that use replicable cert elements

I don't know if NOT asking the PIN is a good idea. But if it is
possible to create a private key that is not protected by a PIN, why
not allow this feature? The system administrator should know what he
does when generating the user cards and configuring the pam_pkcs11
modules.

Bye,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

Re: Re: pam_pkcs11 certificate check

Peter Stuge
On Tue, Jun 28, 2005 at 12:23:14PM +0200, Ludovic Rousseau wrote:
> > - Ask for the PIN if no login is provided
> > - Ask for the PIN on mappers that use replicable cert elements
>
> I don't know if NOT asking the PIN is a good idea.

I agree - I certainly do not think that's a good idea.


> But if it is possible to create a private key that is not protected
> by a PIN, why not allow this feature? The system administrator
> should know what he does when generating the user cards and
> configuring the pam_pkcs11 modules.

Right, this sounds good. The only time a smart card login doesn't
require a PIN is when the private key itself doesn't have one. And
how else could it work btw? The key probably can't be used for a
signature without the PIN anyway?


//Peter

Re: Re: pam_pkcs11 certificate check

Andreas Jellinghaus-2
In reply to this post by Jonsy (teleline)
On Tuesday 28 June 2005 12:07, Jonsy (teleline) wrote:
> On Tue, 28-06-2005 at 11:29, Ludovic Rousseau wrote:
> > On 27/06/05, Andreas Jellinghaus <[hidden email]> wrote:
> > > pam_pkcs11 always does those certificate checks.
> > > can't we make those a configurable option?
> >
> > Why not.
> > But this configuration should be mapper dependent. It would
> > be very dangerous to trust, without verification, a certificate
> > coming from the card (opensc mapper).

why? with the opensc mapper it should be perfectly fine, as you can byte
by byte compare the certificate on the card with the one in
~/.eid/authorized_certificates, and if they match extract the public key
from the one in that file, and ask the card to sign some data, verify the
data and it is fine.

the way I see it, the question is what is more important:
 - to not ask for a pin unless it is needed.
 - to not reveal whether a card could be used to authenticate
   for account xyz.

I think not asking for a pin is more important.
as far as I know ssh works similarly: if you have several public keys,
you can more or less ask the daemon which one would work with some account.

and then there are two ways pam_pkcs11 could work (at least in the mapper
I see the code):
a) for a given user, is any cert/key on the card ok for authentication?
b) for a given card, is any cert/key on the card ok for authentication,
   and which login(s) can the user choose to log in to?

sure, I'd love some nice kdm welcome screen that first asks me to enter
my smart card, then welcomes me with my name and asks for the pin, and
once I have entered the pin, it will offer me all accounts I may access and
let me choose. ah, that would be nice.

but that won't work with pam. pam is a very limited mechanism, and the
way I understand it, only a) would work fine with pam.

so I wonder why the code for b) is in the pam module. is there any way this
could ever work with pam? (I'm no pam expert, maybe I missed something?)


also one more suggestion: why the mappers as shared modules at all?
I mean that is lots of code for parsing the config file order,
loading several modules (dl code), asking them one by one etc.

an alternative would be to compile each c file, and then create
several pam modules:
pam_pkcs11_ldap, pam_pkcs11_opensc, pam_pkcs11_openssh, pam_pkcs11_krb
and so on. the common parts would always be the same, and they would
be linked with one mapper object plus the libs used by that mapper.

sure, you can't stack pam modules this way, like you currently do in
pam_pkcs11.conf, but pam itself has a stacking mechanism, so I wonder
if you need stacking in pam_pkcs11 again.

we might lose a small part of functionality - which might not be needed -
but could remove lots of complexity by not dl()ing at runtime, fewer config
file options, and using the generic pam stacking instead of doing something
very similar in pam_pkcs11 internals again.

also such a change might be distribution friendly: they can use one source
tar.gz, compile it with all libs, and then could - if they want - split
off pam_pkcs11_krb.so and pam_pkcs11_ldap.so into their own binary packages
(because of the shared library dependencies).

the curl part in your posting: I got somehow lost. how is libcurl used
in pam_pkcs11? what exactly is the issue?

> So perhaps the way is:
> - Always check the CA of the certificate (CRL optional)

I'm using self-signed certs everywhere, so for me it must work without
a ca cert and without ca signature checks. for the opensc and openssh mappers
those would be strange anyway (opensc has the full cert available for
comparing, and openssh knows only keys, not certs anyway).

> - Ask for the PIN if no login is provided

as I wrote above, I thought pam modules would always ask for a login first.

> - Ask for the PIN on mappers that use replicable cert elements

fine with me.

Regards, Andreas

Re: Re: pam_pkcs11 certificate check

Andreas Jellinghaus-2
In reply to this post by Ludovic Rousseau
On Tuesday 28 June 2005 12:23, Ludovic Rousseau wrote:
> On 28/06/05, Jonsy (teleline) <[hidden email]> wrote:
> > To sum up: there are two problems:
> > 1- Ensure that the user is the owner of the card
> > 2- Ensure that the card contents are enough to perform authentication
>
> 3- Ensure the card is authentic and can be trusted by the host.

what exactly do you mean by authentic and can be trusted?

asking for signing some random bytes and checking the signature
is the usual way, that is all I need. or anything else?

> I don't know if NOT asking the PIN is a good idea. But if it is
> possible to create a private key that is not protected by a PIN why
> not allow this feature?

hmm, right. I never thought about unprotected private keys, but even they
can be considered quite secure, as smart cards usually don't allow private
keys to be extracted. good point.

I was more concerned with being asked for a pin even if I mistyped the username
or something similar. the pam module should figure that out and not even
ask me for the pin, since it won't help anyway.

Regards, Andreas

Re: pam_pkcs11 certificate check

Andreas Jellinghaus-2
In reply to this post by Ludovic Rousseau
On Tuesday 28 June 2005 11:29, Ludovic Rousseau wrote:
> But this configuration should be mapper dependent. It would be very
> dangerous to trust, without verification, a certificate coming from
> the card (opensc mapper).
>
> So OK to skip the check if the public key comes from
> $HOME/.ssh/authorized_keys (opensc mapper) but not from the card
> (subject mapper).

sure, with the subject based mapper you need ca signatures.
with openssh and opensc (eid version) you don't.

make it a config option, or simply move the code to the
mapper, so each one can call some function that does
these checks - or not. I'm not sure if it needs to
be configurable, more likely different mappers will
behave differently, but not configurably.
(then again I only read a few small parts of the pam_pkcs11
code ...)

Andreas

Re: Re: pam_pkcs11 certificate check

Ludovic Rousseau
In reply to this post by Andreas Jellinghaus-2
On 28/06/05, Andreas Jellinghaus <[hidden email]> wrote:
> On Tuesday 28 June 2005 12:23, Ludovic Rousseau wrote:
> > On 28/06/05, Jonsy (teleline) <[hidden email]> wrote:
> > > To sum up: there are two problems:
> > > 1- Ensure that the user is the owner of the card
> > > 2- Ensure that the card contents are enough to perform authentication
> >
> > 3- ensure the card is authentic and can be trusted by the host.
>
> what exactly do you mean with authentic and can be trusted?

You need to build a chain of trust between the private key used by the
card and something you (the application) trust, and link that private
key with a user.

This chain can be built using a certificate authority, or by getting
the public key from a trusted place (your ~/.ssh/known_keys or
similar).

> asking for signing some random bytes and checking the signature
> is the usual way, that is all I need. or anything else?

In fact you do more than that but maybe you include it in "checking
the signature".
Either you get the card public key from a trusted place (local disk)
or you verify a certificate containing that public key using another
public key (CA key) from a trusted place.

Regards,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google
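The positive-list path Andreas describes earlier (compare the card's credential with a local copy, then have the card sign fresh data) and the first branch of Ludovic's chain of trust (public key taken from a trusted place on local disk), as an added Go example that is not part of this thread or of pam_pkcs11. It assumes a list of RSA public keys in the style of ~/.ssh/authorized_keys rather than certificates, and models the card as a constructed signer closure; the last check in the test shows why only knowledge of the private key counts, as Ludovic points out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Signer stands in for the card: it signs a challenge with a private key that never leaves it.
type Signer func(challenge []byte) ([]byte, error)

// authenticate is the positive-list path: no CA, no CRL. authorized is a constructed stand-in
// for the keys in ~/.ssh/authorized_keys; the card's key must match an entry exactly and the
// card must then sign a fresh challenge, verified with the local copy (only the private key counts).
func authenticate(presented *rsa.PublicKey, authorized []*rsa.PublicKey, sign Signer) error {
	var trusted *rsa.PublicKey
	for _, a := range authorized {
		if a.Equal(presented) {
			trusted = a // verify with the local copy, not with the object from the card
		}
	}
	if trusted == nil {
		return errors.New("key not in positive list") // no PIN prompt needed for this case
	}
	challenge := make([]byte, 32) // fresh per attempt, so a replayed signature is useless
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := sign(challenge)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], sig)
}

// newCard builds constructed test data: a fresh RSA key pair, the public half as the card
// would present it, and a Signer that acts as the card holding the private half.
func newCard() (*rsa.PublicKey, Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &key.PublicKey, func(c []byte) ([]byte, error) {
		d := sha256.Sum256(c)
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	}, nil
}
```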