[jboss-as7-dev] How hard would it be to support key based auth by default to make life simpler and more secure ?

David M. Lloyd david.lloyd at redhat.com
Mon Nov 14 10:10:22 EST 2011


On 11/14/2011 05:40 AM, Max Rydahl Andersen wrote:
>>>>
>>>> These will make all examples that use maven deploy plugin, cli scripts, arquillian, jboss tools etc. to somehow
>>>> either tell users to type in their username and full password in clear text in pom.xml and other files.
>>>>
>>>> Which sounds worse to me than a default locked down to only localhost…but I'm not a security expert :)
>>>>
>>>> I was wondering how hard it would be to make the authentication support key based auth by default and we make
>>>> the tools use ${user.name} and ${user.home}/.jboss/default.pub and .priv (or some other name) for the public/private keys ?
>>>
>>> You would need a key-based SASL authentication mechanism.  There are no
>>> standard ones as of right now.  If you know of a key-based SASL
>>> mechanism that you think we should support, let me know and we'll
>>> evaluate it.
>>
>> We would have to do noauth + SSL + trust. I think it's an option worth considering. The big problem though is that we have to have a setup process to generate the certs, which is greater complexity than the user/pass option. We would have to generate a host key pair and a client key pair.
>
>
> I'm not an expert on these things at all but eclipse uses http://www.jcraft.com/jsch/ to manage and create ssh keys and uses the standard .ssh locations etc.
>
> Is something additional needed ?

Yeah, an authentication mechanism that uses SSH keys.  There is none 
currently.

Again, we can use any combination of SASL and TLS for authentication. 
Neither spec (to my knowledge) has a simple key-based client 
authentication mechanism (TLS is cert-based; SASL could support such a 
mechanism but none presently exist).  If such a mechanism were to be 
defined, we could evaluate using it.  If we were to use such a 
mechanism, we would obviously want to have good tooling to back it up. 
Perhaps you might even consider contributing one (though I'd strongly 
recommend consulting with security experts if you do).

As an aside, as far as I can tell SASL has the best shot at supporting 
client key authentication as it has the simplest SPI.  JSSE has a 
similar conceptual model but is considerably more complex 
implementation-wise and I'd be very cautious about defining new 
algorithms for it.  Yeah this excludes HTTP (unless something like this 
[1] gets resurrected).  However I'm quite skeptical that HTTP would be 
expected to use the same mechanism.

Also, even if we did support such an algorithm, the initial server-side 
key generation doesn't necessarily have to impact boot time; in fact it 
should only come into play either (a) when a user explicitly requests 
the server key, or (b) when a user attempts to authenticate using 
key-based authentication.

[1] https://datatracker.ietf.org/doc/draft-nystrom-http-sasl/

-- 
- DML

