Comments (6)
Alkorin
commented on September 24, 2024
PIV doesn't mean MFA. It only proves that the private key is stored in a secure physical device.
Do you need MFA aswell ?
from the-bastion.
speed47
commented on September 24, 2024
Interesting use case. I think the remote bastion can also pass some more information to the local one, such as:
- Was MFA enabled for this user?
- Is it a PIV-enforced user ?
Then on the local bastion, you might be able to specify some policies that will be enforced, something along the lines of:
realmModify --realm eu --piv-policy enforce
... which would deny any remote user not having PIV enforced on his local bastion
from the-bastion.
vmalguy
commented on September 24, 2024
PIV doesn't mean MFA. It only proves that the private key is stored in a secure physical device.
Do you need MFA aswell ?
anything that could help enforce access policies
Interesting use case. I think the remote bastion can also pass some more information to the local one, such as:
- Was MFA enabled for this user?
- Is it a PIV-enforced user ?
Then on the local bastion, you might be able to specify some policies that will be enforced, something along the lines of:
realmModify --realm eu --piv-policy enforce... which would deny any remote user not having PIV enforced on his local bastion
When it come to PIV, I like some flexibility.
Per realm is good but how about also per group or host or user ?
from the-bastion.
Alkorin
commented on September 24, 2024
Per realm is good but how about also per group or host or user ?
The main goal of realm is to not have the notion of user in the local bastion. Authentication is delegated to the distant bastion.
But we could have this check on groups so that a distant user can't use the group if he didn't used its PIV key to connect to the distant bastion.
from the-bastion.
speed47
commented on September 24, 2024
Could be done too, even if it would be a bit more complex:
realm-wide setting:
realmModify --realm eu --piv-policy none|enforce
group-wide setting:
groupModify --group blah --piv-policy none|enforce
per-host: not really doable, because nobody has the authority over a given host, from the point of view of the bastion: a host can be in 2 distinct groups for that matter, with 2 distinct owners. Or a group can be 0.0.0.0/0 and have all the possible hosts in it.
But then, you might also want to grant an account the right to bypass the realm-wide policy, because this account might be a robot and doesn't have the required hand to click on his PIV key...
This is what has been done for password MFA and TOTP MFA:
accountModify --account joe --mfa-totp-required yes|no|bypass
accountModify --account joe --mfa-password-required yes|no|bypass
from the-bastion.
speed47
commented on September 24, 2024
In any case @Alkorin we'll need yubico-piv-checker ;)
from the-bastion.
Related Issues (20)
- Connection to the Bastion takes many seconds HOT 2
- SCP Failure - Error 255
- master can't sync with slave HOT 1
- Arista - Add ssh key on a switch with "from" pattern HOT 1
- An alternative method to log into bastion.
- Synchronization between master and slave HOT 6
- Use a global folder for ttyrec sessions HOT 1
- SFTP plugin instead of SCP on recent OpenSSH versions HOT 2
- Login with user@domain HOT 2
- Accepting [email protected] for ingress key HOT 1
- Upgrade errors: [ERR.] <x> doesn't seem to be a valid bastion group HOT 1
- User suffix for device/network HOT 3
- pam-u2f in code or a configuration to do ? HOT 3
- Error when installing with ttyrec HOT 4
- Disable MFA verification when using an SK
- Feature Request: `*-sk` keys supporting PIV-like policies HOT 1
- [Question] disable ttyrec for SCP HOT 8
- SCP freezes wthen downloading large files: HOT 4
- Support for OIDC auth method
- Feature Request: auto accept keys
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from the-bastion.