Abandon key.pem file to on-the-fly key validation #4

Closed
SJCaldwell opened this issue Jan 24, 2017 · 4 comments
Comments

SJCaldwell commented Jan 24, 2017

Static keys don't allow for rolling changes with Microsoft's public key.

It is important to note that these keys rollover on a periodic basis and, in an emergency, could be rolled over immediately. All applications that use Azure AD should be able to programmatically handle the key rollover process or establish a periodic manual rollover process.

As Microsoft states here, those applications that roll their own API interaction instead of using a supported Azure library will have to be careful to update public keys.

As a security-critical application, we cannot afford to have a static key that needs updating.

We must be able to poll Microsoft's key repository to ensure our key is up-to-date. I used a Node library to convert the JWK to a PEM file that OpenSSL could use for validation previously, but I'll have to do it in C code (int jwk_to_pem_rsa(cJSON jwk){...}) instead.
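The JWK-to-PEM step the issue describes (the proposed jwk_to_pem_rsa), written out as an added example; it is not code from the aadd project or from the issue author. It avoids both cJSON and OpenSSL: the caller passes the base64url "n" and "e" strings from the JWKS entry, and the function emits a PEM SubjectPublicKeyInfo that openssl can load. The names jwk_rsa_to_pem, b64url_decode, der_uint, pem_wrap and demo_pem, the buffer limits, and the all-0xFF sample modulus are assumptions made for this example.

```c
/* Added example, not the aadd project's code: turn the "n" and "e" members of an
 * RSA JWK (unpadded base64url) into a PEM SubjectPublicKeyInfo that openssl can
 * load. Pure C, no OpenSSL or cJSON; reading "n"/"e" out of the JSON is the caller's job. */
#include <stdlib.h>
#include <string.h>

/* Decode unpadded base64url; returns the byte count, or -1 on bad input. */
static int b64url_decode(const char *s, unsigned char *out, size_t cap) {
    static const char alpha[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    size_t n = 0; unsigned bits = 0; int nbits = 0;
    for (; *s && *s != '='; s++) {
        const char *p = strchr(alpha, *s);
        if (!p) return -1;                  /* not in the base64url alphabet */
        bits = (bits << 6) | (unsigned)(p - alpha); nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            if (n >= cap) return -1;
            out[n++] = (unsigned char)(bits >> nbits);
            bits &= (1u << nbits) - 1;
        }
    }
    return (int)n;
}

/* DER tag + length (short form or two-byte long form, enough for RSA keys). */
static size_t der_hdr(unsigned char *out, unsigned char tag, size_t len) {
    size_t i = 0; out[i++] = tag;
    if (len < 128) out[i++] = (unsigned char)len;
    else if (len < 256) { out[i++] = 0x81; out[i++] = (unsigned char)len; }
    else { out[i++] = 0x82; out[i++] = (unsigned char)(len >> 8); out[i++] = (unsigned char)len; }
    return i;
}

/* DER INTEGER from an unsigned big-endian magnitude. DER integers are signed: drop
 * redundant leading zeros and prepend 0x00 if the top bit is set, otherwise
 * OpenSSL sees a negative modulus and rejects the key. */
static size_t der_uint(unsigned char *out, const unsigned char *v, size_t len) {
    size_t i; int pad;
    while (len > 1 && v[0] == 0) { v++; len--; }
    pad = (v[0] & 0x80) ? 1 : 0;
    i = der_hdr(out, 0x02, len + pad);
    if (pad) out[i++] = 0x00;
    memcpy(out + i, v, len);
    return i + len;
}

/* Standard base64 ('+', '/', '=' padding) inside PEM armour, 64 chars per line. */
static char *pem_wrap(const unsigned char *der, size_t len) {
    static const char alpha[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *head = "-----BEGIN PUBLIC KEY-----\n", *tail = "-----END PUBLIC KEY-----\n";
    size_t b64len = ((len + 2) / 3) * 4, pos = strlen(head), col = 0, i;
    char *out = malloc(pos + b64len + b64len / 64 + 2 + strlen(tail) + 1);
    if (!out) return NULL;
    memcpy(out, head, pos);
    for (i = 0; i < len; i += 3) {
        unsigned v = (unsigned)der[i] << 16;
        if (i + 1 < len) v |= (unsigned)der[i + 1] << 8;
        if (i + 2 < len) v |= der[i + 2];
        out[pos++] = alpha[(v >> 18) & 63];
        out[pos++] = alpha[(v >> 12) & 63];
        out[pos++] = i + 1 < len ? alpha[(v >> 6) & 63] : '=';
        out[pos++] = i + 2 < len ? alpha[v & 63] : '=';
        if ((col += 4) == 64) { out[pos++] = '\n'; col = 0; }
    }
    if (col) out[pos++] = '\n';
    memcpy(out + pos, tail, strlen(tail) + 1);
    return out;
}

/* JWK "n"/"e" -> malloc'd PEM (caller frees); NULL if a member is empty or not base64url. */
char *jwk_rsa_to_pem(const char *n_b64url, const char *e_b64url) {
    /* AlgorithmIdentifier: SEQUENCE { OID rsaEncryption 1.2.840.113549.1.1.1, NULL } */
    static const unsigned char alg[] = { 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48,
                                         0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00 };
    unsigned char n[1024], e[64], ints[1100], rsa[1110], body[1140], der[1150];
    int nlen = b64url_decode(n_b64url, n, sizeof n);
    int elen = b64url_decode(e_b64url, e, sizeof e);
    size_t ilen, rlen, blen, dlen;
    if (nlen <= 0 || elen <= 0) return NULL;
    /* RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } */
    ilen = der_uint(ints, n, (size_t)nlen);
    ilen += der_uint(ints + ilen, e, (size_t)elen);
    rlen = der_hdr(rsa, 0x30, ilen);
    memcpy(rsa + rlen, ints, ilen); rlen += ilen;
    /* SubjectPublicKeyInfo ::= SEQUENCE { alg, BIT STRING { 0 unused bits, RSAPublicKey } } */
    memcpy(body, alg, sizeof alg);
    blen = sizeof alg + der_hdr(body + sizeof alg, 0x03, rlen + 1);
    body[blen++] = 0x00;
    memcpy(body + blen, rsa, rlen); blen += rlen;
    dlen = der_hdr(der, 0x30, blen); memcpy(der + dlen, body, blen);
    return pem_wrap(der, dlen + blen);
}

/* Constructed sample input, not a real key: a 2048-bit modulus of all 0xFF bytes
 * (340 '_' then "_w" in base64url) with exponent 65537 ("AQAB"). */
char *demo_pem(void) {
    char n[343];
    memset(n, '_', 341); n[341] = 'w'; n[342] = '\0';
    return jwk_rsa_to_pem(n, "AQAB");   /* begins MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA */
}
```

Two details catch people who hand-roll this: JWK uses base64url without padding while PEM uses standard base64 with padding, and DER INTEGERs are signed, so a modulus whose top bit is set needs a leading 0x00 byte (and redundant leading zeros must be dropped) or OpenSSL will reject the key. The sample modulus is a byte pattern chosen to be recognisable in the output, not a key from Microsoft's JWKS; writing demo_pem()'s result to a file and running openssl rsa -pubin -noout -text on it checks the encoding.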

@Jnchi Jnchi added the question label Nov 30, 2018
@Jnchi Jnchi added this to the 0.0.2 milestone Nov 30, 2018
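The rollover policy the issue asks for, as an added example rather than code from the project's src/getkeys.c: a cache that re-reads the JWKS on a schedule and once more when a token names an unknown kid, with the unknown-kid path rate-limited. The struct and function names, the 24-hour and 5-minute intervals, the placeholder kids and PEM bodies, and fake_fetch standing in for the HTTP request are all assumptions of the example.

```c
/* Added example, not code from the aadd project: a JWKS cache that handles
 * Azure AD key rollover. The key set is re-read on a schedule (periodic rollover)
 * and once more when a token names a kid we do not hold (emergency rollover), but
 * unknown-kid refreshes are rate-limited because the kid comes from an unverified
 * token header. The fetch is a callback; a constructed in-memory table stands in
 * for the HTTP GET of https://login.microsoftonline.com/common/discovery/keys. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_KEYS 8
#define PERIODIC_REFRESH_SEC (24 * 60 * 60)  /* assumption: re-read the JWKS daily */
#define REFRESH_COOLDOWN_SEC 300             /* assumption: one unknown-kid refresh per 5 min */

struct jwk { char kid[64]; char pem[1024]; };
/* Fills out[] with up to cap keys; returns how many, or -1 if the fetch failed. */
typedef int (*jwks_fetch_fn)(struct jwk *out, int cap);

struct jwks_cache {
    struct jwk keys[MAX_KEYS];
    int count;
    time_t last_refresh;
    jwks_fetch_fn fetch;
    int refreshes;     /* number of fetch() calls so far, to make the policy observable */
};

static const struct jwk *cache_find(const struct jwks_cache *c, const char *kid) {
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->keys[i].kid, kid) == 0) return &c->keys[i];
    return NULL;
}

static int cache_refresh(struct jwks_cache *c, time_t now) {
    struct jwk fresh[MAX_KEYS];
    int n = c->fetch(fresh, MAX_KEYS);
    c->last_refresh = now;   /* stamped even on failure, so a dead endpoint is not hammered */
    c->refreshes++;
    if (n < 0) return -1;    /* keep serving the previous key set */
    memcpy(c->keys, fresh, sizeof(struct jwk) * (size_t)n);
    c->count = n;
    return n;
}

int jwks_cache_init(struct jwks_cache *c, jwks_fetch_fn fetch, time_t now) {
    memset(c, 0, sizeof *c);
    c->fetch = fetch;
    return cache_refresh(c, now);
}

/* PEM of the key a token's kid names, or NULL if the kid is unknown and we may not
 * refresh yet. The caller still verifies the signature; a kid match proves nothing. */
const char *jwks_key_for_kid(struct jwks_cache *c, const char *kid, time_t now) {
    const struct jwk *k;
    if (now - c->last_refresh >= PERIODIC_REFRESH_SEC) cache_refresh(c, now);
    if ((k = cache_find(c, kid)) != NULL) return k->pem;
    if (now - c->last_refresh < REFRESH_COOLDOWN_SEC) return NULL;   /* rate-limited */
    cache_refresh(c, now);
    k = cache_find(c, kid);
    return k ? k->pem : NULL;
}

/* ---- constructed stand-in for the network fetch; the PEM bodies are placeholders ---- */
static int fake_stage = 0;  /* 0: only kid "key-2018-a"; 1: also "key-2018-b"; -1: fetch fails */
static int fake_fetch(struct jwk *out, int cap) {
    if (fake_stage < 0 || cap < 2) return -1;
    strcpy(out[0].kid, "key-2018-a");
    strcpy(out[0].pem, "-----BEGIN PUBLIC KEY-----\n(placeholder A)\n-----END PUBLIC KEY-----\n");
    if (fake_stage == 0) return 1;
    strcpy(out[1].kid, "key-2018-b");
    strcpy(out[1].pem, "-----BEGIN PUBLIC KEY-----\n(placeholder B)\n-----END PUBLIC KEY-----\n");
    return 2;
}
int set_fake_stage(int s) { return fake_stage = s; }

struct jwks_cache g_cache;
int demo_setup(time_t now) { fake_stage = 0; return jwks_cache_init(&g_cache, fake_fetch, now); }

int main(void) {
    time_t t = 1000000;
    demo_setup(t);
    printf("known kid:        %s\n", jwks_key_for_kid(&g_cache, "key-2018-a", t + 1) ? "found" : "missing");
    printf("unknown kid:      %s, refreshes=%d (inside cooldown, no fetch)\n",
           jwks_key_for_kid(&g_cache, "key-2018-b", t + 2) ? "found" : "missing", g_cache.refreshes);
    set_fake_stage(1);                                    /* Microsoft rolls a new key in */
    printf("after cooldown:   %s, refreshes=%d\n",
           jwks_key_for_kid(&g_cache, "key-2018-b", t + 600) ? "found" : "missing", g_cache.refreshes);
    return 0;
}
```

The cooldown matters because the kid is read from the token header before any signature check, so without it anyone who can send the daemon a token can make it fetch Microsoft's JWKS on every request. The flip side is that a key rolled in during the cooldown is not usable until the cooldown expires; 5 minutes is a compromise chosen for the example, not a figure from Microsoft. A refresh that fails keeps the previous key set and still stamps last_refresh, so an unreachable endpoint degrades to stale keys rather than a burst of retries.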
Jnchi commented Nov 30, 2018

aadd - Azure Active Directory Daemon?

Source: src/getkeys.c

See also: pam_ftp, pam_mkhomedir, pam_userdb

LDAP authentication using pam_ldap and nss_ldap

Simple example of daemon for Linux (GitHub)

@Jnchi Jnchi removed the question label Nov 30, 2018
@Jnchi Jnchi self-assigned this Nov 30, 2018
Jnchi commented Dec 3, 2018

@Jnchi Jnchi added the wontfix label Dec 7, 2018
@Jnchi Jnchi closed this as completed Dec 7, 2018