Feature #57

Feature #56: Implement OTPme scripts

Implement signing of OTPme scripts

Added by The 2nd over 3 years ago. Updated 9 months ago.

Status: In Progress
Priority: Normal
Assignee:
Target version:
Start date: 13 December 2015
Due date:
% Done: 80%


Description

It should be possible to sign OTPme scripts and allow only execution of signed scripts.


Subtasks

Feature #65: implement revoking of script signatures - In Progress - The 2nd

Feature #74: Implement signature tags - In Progress

History

#1 Updated by The 2nd over 3 years ago

  • % Done changed from 10 to 70
  • Implemented signing of OTPme scripts via RSA private key
  • Verification of signatures is done before executing the script (e.g. OTPme's PAM module can verify the login script signature)
  • Signing is implemented as a bash script via openssl to be as flexible as possible
  • Implemented server side encryption/signing mode where the RSA private key never leaves the OTPme server

#2 Updated by The 2nd 9 months ago

  • Status changed from New to In Progress

#3 Updated by The 2nd 9 months ago

  • Added otpme-tool add/del_signer command to handle host/node local allowed signers
    • Valid signers are users and roles
  • Allow adding per-user private signers
  • Added config file options FORCE_TOKEN_SIGNERS, FORCE_KEY_SCRIPT_SIGNERS and FORCE_AGENT_SCRIPT_SIGNERS to override private signers
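
The sign-then-verify-before-execute flow from update #1, combined with a local list of allowed signers as in update #3, sketched with openssl as an added example; this is not OTPme's signing script or code. The function names, the `.sig` suffix and the directory of PEM public keys standing in for the allowed signers are assumptions, and the server-side signing mode is not shown.

```shell
# Added example, not OTPme code. Function names and the "one PEM public key
# per allowed signer" directory layout are assumptions for illustration.

# sign_script KEY SCRIPT: write a detached RSA/SHA-256 signature to SCRIPT.sig
sign_script() {
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# verify_file SIGNERS_DIR FILE SIG: succeed if SIG is a valid signature over
# FILE under any public key (*.pem) in SIGNERS_DIR.
verify_file() {
    [ -f "$3" ] || return 1
    for vf_pub in "$1"/*.pem; do
        [ -f "$vf_pub" ] || continue
        openssl dgst -sha256 -verify "$vf_pub" -signature "$3" "$2" \
            >/dev/null 2>&1 && return 0
    done
    return 1
}

# run_signed SIGNERS_DIR SCRIPT [ARGS...]: verify a private copy, then run that
# same copy, so the file cannot be swapped between the check and the execution.
run_signed() {
    rs_dir=$1; rs_script=$2; shift 2
    rs_copy=$(mktemp) || return 1
    cp "$rs_script" "$rs_copy"
    if verify_file "$rs_dir" "$rs_copy" "$rs_script.sig"; then
        rs_rc=0; sh "$rs_copy" "$@" || rs_rc=$?
    else
        echo "refused: $rs_script has no valid signature from an allowed signer" >&2
        rs_rc=126
    fi
    rm -f "$rs_copy"
    return "$rs_rc"
}

# Demo on constructed input: a throwaway key and a one-line script.
demo() {
    d=$(mktemp -d) && mkdir "$d/signers" || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/signer.key" 2>/dev/null
    openssl pkey -in "$d/signer.key" -pubout -out "$d/signers/signer.pem"
    printf 'echo "login script ran for $1"\n' > "$d/login.sh"
    sign_script "$d/signer.key" "$d/login.sh"
    run_signed "$d/signers" "$d/login.sh" alice
    echo 'echo "modified after signing"' >> "$d/login.sh"
    run_signed "$d/signers" "$d/login.sh" alice || echo "second run refused (status $?)"
    rm -rf "$d"
}
demo
```

The second `run_signed` call is refused because the script was changed after it was signed; a signature made with a key whose public half is not in the signers directory is refused the same way.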
