Feature #57
open
Feature #56: Implement OTPme scripts
Implement signing of OTPme scripts
Added by The 2nd about 9 years ago.
Updated over 6 years ago.
Start date:
13 December 2015
Estimated time:
(Total: 0:00 h)
Description
It should be possible to sign OTPme scripts and allow only execution of signed scripts.
- % Done changed from 10 to 70
- Implemented signing of OTPme scripts via RSA private key
- Verification of signatures is done before executing the script (e.g. OTPme's PAM module can verify the login script signature)
- Signing is implemented as a bash script via openssl to be as flexible as possible
- Implemented server side encryption/signing mode where the RSA private key never leaves the OTPme server
- Status changed from New to In Progress
- Added otpme-tool add/del_signer command to handle host/node local allowed signers
- Valid signers are users and roles
- Allow to add per user private signers
- Added config file options FORCE_TOKEN_SIGNERS, FORCE_KEY_SCRIPT_SIGNERS and FORCE_AGENT_SCRIPT_SIGNERS to override private signers
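
The sign-then-verify-before-execute flow described in the notes above, as an added example that is not OTPme's own code: a detached RSA signature made with openssl is checked against a directory of allowed signers' public keys before the script runs. The directory layout, file names, function names and the SHA-256 digest are assumptions made for illustration.

```sh
# Added example, not OTPme code. Assumed layout: one PEM public key per
# allowed signer in <signers_dir>/<name>.pem and a detached signature file.
# Function bodies are subshells, so variables stay local to each function.
sign_script() (   # sign_script <private_key.pem> <script> <sig_out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
)

# Prints the name of the allowed signer whose key verifies the signature.
verify_script() (   # verify_script <signers_dir> <script> <sig>
    [ -s "$3" ] || exit 1
    for pub in "$1"/*.pem; do
        [ -f "$pub" ] || continue
        if openssl dgst -sha256 -verify "$pub" -signature "$3" "$2" >/dev/null 2>&1
        then basename "$pub" .pem; exit 0
        fi
    done
    exit 1          # no allowed signer matched: fail closed
)

# Verifies and runs a private copy, so the file cannot be swapped between
# the signature check and the execution.
run_if_signed() (   # run_if_signed <signers_dir> <script> <sig>
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    cp -- "$2" "$tmp" || exit 1
    signer=$(verify_script "$1" "$tmp" "$3") || {
        echo "refusing to run $2: no allowed signer verifies it" >&2
        exit 126
    }
    echo "signature ok, signer: $signer" >&2
    sh "$tmp"; exit $?
)

# Constructed demo data: throwaway key "alice" and a one-line login script.
demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    mkdir "$d/signers"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/alice.key" 2>/dev/null || exit 1
    openssl pkey -in "$d/alice.key" -pubout -out "$d/signers/alice.pem"
    printf 'echo "login script ran"\n' > "$d/login.sh"
    sign_script "$d/alice.key" "$d/login.sh" "$d/login.sh.sig"
    run_if_signed "$d/signers" "$d/login.sh" "$d/login.sh.sig" || exit 1
    echo 'echo "tampered"' >> "$d/login.sh"      # modified after signing
    run_if_signed "$d/signers" "$d/login.sh" "$d/login.sh.sig" && exit 1
    exit 0    # signed script ran, modified script was refused
)
demo
```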