
Add support for PKCS#11 tokens to openssh_cert. #95

Merged
merged 1 commit into from
Aug 4, 2020

Conversation

s-hamann
Contributor

SUMMARY

This PR adds the parameter pkcs11_provider, which can be set to the name of or path to a PKCS#11 library (e.g. libpkcs11.so). ssh-keygen will then use this library to have the token make any required signatures.
If this is used, signing_key needs to be set to a file containing the public key that matches the private key on the token.

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

plugins/modules/openssh_cert.py

ADDITIONAL INFORMATION

pkcs11_provider is simply passed to ssh-keygen. Usual choices include libpkcs11.so, libykcs11.so (for YubiKey) and possibly others. I think it's a bit awkward to pass a library in order to use a hardware token, but that's how ssh-keygen handles it and I do not think we could reasonably provide a better user interface.

If the token requires a PIN to use the key, things may get a little complicated.
If ssh-keygen cannot get the PIN from a TTY, it uses ssh-askpass, which should be OK for interactive use. However, I could not get it to run for some reason.
When using a local connection instead of SSH, the module/ssh-keygen interactively asks for the PIN on the terminal, which should be sufficient for the case where the PKCS#11 token is connected to the Ansible controller, not to the target system(s). I believe that to be the common use case.
I did not find a way of providing the PIN via Ansible, unfortunately.

Note: I did not add any tests, since that would require a PKCS#11 token. It may be possible to emulate that somehow, but I did not look into this topic.
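The mapping described above, as an added example (not the collection's own code): how the module's inputs could be turned into an ssh-keygen argv when the CA key lives on a PKCS#11 token, including the check that signing_key is really a public key file. The function and parameter names are assumptions; the ssh-keygen flags (-s, -D, -I, -h, -n, -V) are real.

```python
# Added example, not code from the ansible-collections openssh_cert module.
# Shows how pkcs11_provider maps onto ssh-keygen's -D option and why signing_key
# must then be the *public* half of the CA key: the private half stays on the token.
from typing import List, Optional

# First-field prefixes of an OpenSSH public key line (authorized_keys format).
PUBKEY_PREFIXES = ("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-", "ssh-dss ", "sk-")


def is_public_key_blob(contents: str) -> bool:
    """True if the text looks like an OpenSSH public key, not a private key file."""
    stripped = contents.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    return first_line.startswith(PUBKEY_PREFIXES)


def build_sign_command(signing_key: str, signing_key_contents: str, path: str,
                       identifier: str, principals: Optional[List[str]] = None,
                       cert_type: str = "user", valid_from: str = "always",
                       valid_to: str = "forever",
                       pkcs11_provider: Optional[str] = None) -> List[str]:
    """Return the ssh-keygen argv that signs `path` with the CA key `signing_key`.

    signing_key_contents is the text of the signing_key file (read by the caller);
    with a PKCS#11 provider it must be the CA public key, otherwise ssh-keygen
    would be handed a private key file it is not supposed to have.
    """
    if pkcs11_provider is not None and not is_public_key_blob(signing_key_contents):
        raise ValueError(
            "signing_key must be the CA public key when pkcs11_provider is set")
    cmd = ["ssh-keygen", "-s", signing_key]
    if pkcs11_provider is not None:
        # -D tells ssh-keygen the CA key referenced by -s resides in this token.
        cmd += ["-D", pkcs11_provider]
    cmd += ["-I", identifier]
    if cert_type == "host":
        cmd.append("-h")
    if principals:
        cmd += ["-n", ",".join(principals)]
    if not (valid_from == "always" and valid_to == "forever"):
        cmd += ["-V", f"{valid_from}:{valid_to}"]
    cmd.append(path)
    return cmd
```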

@felixfontein (Contributor) left a comment

Looks good. I assume you tested this?

Review comments on: changelogs/fragments/openssh_cert-pkcs11.yml (outdated, resolved), plugins/modules/openssh_cert.py (resolved)
@s-hamann
Contributor Author

Thank you for your feedback.
Yes, I manually tested this and successfully signed host certificates using a YubiKey. I only tried the specific set of parameters that I need right now, not all possible variations. However, since this PR only adds a parameter that is passed to ssh-keygen as is, I believe that should be OK.

This adds the parameter pkcs11_provider, which can be set to the name of
or path to a PKCS#11 library (e.g. libpkcs11.so). ssh-keygen will then
use this library to have the token make any required signatures.
If this is used, signing_key needs to be set to a file containing the
public key that matches the private key on the token.
@felixfontein felixfontein merged commit a72f9f5 into ansible-collections:main Aug 4, 2020
@felixfontein
Contributor

@s-hamann thanks a lot for the contribution!
