Bug 7896 - Support authentication via smallstep
Summary: Support authentication via smallstep
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Client (show other bugs)
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
URL:
Keywords:
Depends on: 4534 7641 4358
Blocks:
Reported: 2022-04-20 08:54 CEST by Pierre Ossman
Modified: 2022-04-26 12:44 CEST

See Also:
Acceptance Criteria:
Description Pierre Ossman cendio 2022-04-20 08:54:29 CEST
Smallstep is identity management software that provides single sign-on and a lot of detailed access control in order to improve security. There has been interest in making ThinLinc work with Smallstep to improve security.

Smallstep has existing support for improving security with SSH. It uses certificates to get rid of TOFU, and it also uses short-lived certificates that are fetched for each connection to make sure authentication and access control is fresh.

Unfortunately, this is partially handled in a magical way, so it is unclear how this would integrate with ThinLinc. The certificates are stored in an ssh agent (unclear how this conflicts with e.g. GNOME's ssh agent), so that is fairly clear. However, since the certificates are short-lived, a command needs to be run before each connection to make sure they are up to date. Smallstep recommends configuring ProxyCommand for this, or users have to run "step ssh login" before connecting.
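The freshness problem described above, as an added example that is not part of the bug report or of ThinLinc or Smallstep code: before opening a connection, a client can inspect the certificate currently held by the ssh agent (`ssh-add -L`, then `ssh-keygen -L -f` on the saved public line) and decide whether a refresh such as "step ssh login" is needed. The listing below is constructed to look like `ssh-keygen -L` output; the parsing treats the timestamps as naive local time, which is how ssh-keygen prints them.

```python
import re

# Constructed sample of what `ssh-keygen -L -f <cert>` prints for a short-lived
# user certificate (not captured from any real Smallstep deployment).
SAMPLE_CERT_INFO = """\
/home/alice/.ssh/id_ecdsa-cert.pub:
        Type: ecdsa-sha2-nistp256-cert-v01@openssh.com user certificate
        Public key: ECDSA-CERT SHA256:examplefingerprint
        Signing CA: ECDSA SHA256:examplecafingerprint (using ecdsa-sha2-nistp256)
        Key ID: "alice@example.com"
        Serial: 42
        Valid: from 2022-04-20T08:00:00 to 2022-04-20T12:00:00
        Principals:
                alice
        Critical Options: (none)
        Extensions:
                permit-pty
"""

VALID_RE = re.compile(r"^\s*Valid: (.*)$", re.MULTILINE)
RANGE_RE = re.compile(r"from (\S+) to (\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def cert_validity(info):
    """Return (not_before, not_after) as ISO strings, or None for a cert that is 'Valid: forever'."""
    m = VALID_RE.search(info)
    if not m:
        raise ValueError("no 'Valid:' line in certificate listing")
    if m.group(1).strip() == "forever":
        return None
    r = RANGE_RE.search(m.group(1))
    if not r:
        raise ValueError("unrecognised validity line: " + m.group(1))
    return r.group(1), r.group(2)


def needs_refresh(info, now_iso, margin_seconds=300):
    """True if the cert is not yet valid, expired, or expires within margin_seconds of now_iso."""
    from datetime import datetime, timedelta
    validity = cert_validity(info)
    if validity is None:          # non-expiring cert, nothing to refresh
        return False
    not_before = datetime.strptime(validity[0], TS_FMT)
    not_after = datetime.strptime(validity[1], TS_FMT)
    now = datetime.strptime(now_iso, TS_FMT)
    return now < not_before or now + timedelta(seconds=margin_seconds) >= not_after
```

A client would run the refresh command only when `needs_refresh` returns True, rather than unconditionally before every connection.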
