starred/the-bastion
1
0
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2026-05-09 08:25:27 +02:00
Code Issues 46 Projects Packages Wiki Activity

[GH-ISSUE #33] PIV verification status communicated to remote realms #12

New issue
Closed
opened 2026-05-07 00:17:21 +02:00 by BreizhHardware · 6 comments
BreizhHardware commented 2026-05-07 00:17:21 +02:00
Owner
Copy link

Originally created by @vmalguy on GitHub (Nov 5, 2020).
Original GitHub issue: https://github.com/ovh/the-bastion/issues/33

In a multi-realm deployment infra, remote realm should send PIV informations to the local bastion.
This could be use to enforce local Multi-Factor Authentication policies even for realm users.

Originally created by @vmalguy on GitHub (Nov 5, 2020). Original GitHub issue: https://github.com/ovh/the-bastion/issues/33 In a multi-realm deployment infra, remote realm should send [PIV informations](https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html) to the local bastion. This could be use to enforce local Multi-Factor Authentication policies even for realm users.
BreizhHardware 2026-05-07 00:17:21 +02:00
  • closed this issue
  • added the
    feature
         label
BreizhHardware commented 2026-05-07 00:17:22 +02:00
Author
Owner
Copy link

@Alkorin commented on GitHub (Nov 5, 2020):

PIV doesn't mean MFA. It only proves that the private key is stored in a secure physical device.

Do you need MFA aswell ?

<!-- gh-comment-id:722416455 --> @Alkorin commented on GitHub (Nov 5, 2020): PIV doesn't mean MFA. It only proves that the private key is stored in a secure physical device. Do you need MFA aswell ?
BreizhHardware commented 2026-05-07 00:17:22 +02:00
Author
Owner
Copy link

@speed47 commented on GitHub (Nov 5, 2020):

Interesting use case. I think the remote bastion can also pass some more information to the local one, such as:

  • Was MFA enabled for this user?
  • Is it a PIV-enforced user ?

Then on the local bastion, you might be able to specify some policies that will be enforced, something along the lines of:

realmModify --realm eu --piv-policy enforce

... which would deny any remote user not having PIV enforced on his local bastion

<!-- gh-comment-id:722416578 --> @speed47 commented on GitHub (Nov 5, 2020): Interesting use case. I think the remote bastion can also pass some more information to the local one, such as: - Was MFA enabled for this user? - Is it a PIV-enforced user ? Then on the local bastion, you might be able to specify some policies that will be enforced, something along the lines of: ``` realmModify --realm eu --piv-policy enforce ``` ... which would deny any remote user not having PIV enforced on his local bastion
BreizhHardware commented 2026-05-07 00:17:23 +02:00
Author
Owner
Copy link

@vmalguy commented on GitHub (Nov 5, 2020):

PIV doesn't mean MFA. It only proves that the private key is stored in a secure physical device.

Do you need MFA aswell ?

anything that could help enforce access policies

Interesting use case. I think the remote bastion can also pass some more information to the local one, such as:

  • Was MFA enabled for this user?
  • Is it a PIV-enforced user ?

Then on the local bastion, you might be able to specify some policies that will be enforced, something along the lines of:

realmModify --realm eu --piv-policy enforce

... which would deny any remote user not having PIV enforced on his local bastion

When it come to PIV, I like some flexibility.
Per realm is good but how about also per group or host or user ?

<!-- gh-comment-id:722419134 --> @vmalguy commented on GitHub (Nov 5, 2020): > PIV doesn't mean MFA. It only proves that the private key is stored in a secure physical device. > > Do you need MFA aswell ? anything that could help enforce access policies > Interesting use case. I think the remote bastion can also pass some more information to the local one, such as: > > * Was MFA enabled for this user? > * Is it a PIV-enforced user ? > > Then on the local bastion, you might be able to specify some policies that will be enforced, something along the lines of: > > ``` > realmModify --realm eu --piv-policy enforce > ``` > > ... which would deny any remote user not having PIV enforced on his local bastion When it come to PIV, I like some flexibility. Per realm is good but how about also per group or host or user ?
BreizhHardware commented 2026-05-07 00:17:23 +02:00
Author
Owner
Copy link

@Alkorin commented on GitHub (Nov 5, 2020):

Per realm is good but how about also per group or host or user ?

The main goal of realm is to not have the notion of user in the local bastion. Authentication is delegated to the distant bastion.
But we could have this check on groups so that a distant user can't use the group if he didn't used its PIV key to connect to the distant bastion.

<!-- gh-comment-id:722422925 --> @Alkorin commented on GitHub (Nov 5, 2020): > Per realm is good but how about also per group or host or user ? The main goal of realm is to not have the notion of user in the local bastion. Authentication is delegated to the distant bastion. But we could have this check on groups so that a distant user can't use the group if he didn't used its PIV key to connect to the distant bastion.
BreizhHardware commented 2026-05-07 00:17:24 +02:00
Author
Owner
Copy link

@speed47 commented on GitHub (Nov 5, 2020):

Could be done too, even if it would be a bit more complex:

realm-wide setting:

realmModify --realm eu --piv-policy none|enforce

group-wide setting:

groupModify --group blah --piv-policy none|enforce

per-host: not really doable, because nobody has the authority over a given host, from the point of view of the bastion: a host can be in 2 distinct groups for that matter, with 2 distinct owners. Or a group can be 0.0.0.0/0 and have all the possible hosts in it.

But then, you might also want to grant an account the right to bypass the realm-wide policy, because this account might be a robot and doesn't have the required hand to click on his PIV key...

This is what has been done for password MFA and TOTP MFA:

accountModify --account joe --mfa-totp-required yes|no|bypass
accountModify --account joe --mfa-password-required yes|no|bypass
<!-- gh-comment-id:722429977 --> @speed47 commented on GitHub (Nov 5, 2020): Could be done too, even if it would be a bit more complex: realm-wide setting: ``` realmModify --realm eu --piv-policy none|enforce ``` group-wide setting: ``` groupModify --group blah --piv-policy none|enforce ``` per-host: not really doable, because nobody has the authority over a given host, from the point of view of the bastion: a host can be in 2 distinct groups for that matter, with 2 distinct owners. Or a group can be 0.0.0.0/0 and have all the possible hosts in it. But then, you might also want to grant an account the right to bypass the realm-wide policy, because this account might be a robot and doesn't have the required hand to click on his PIV key... This is what has been done for password MFA and TOTP MFA: ``` accountModify --account joe --mfa-totp-required yes|no|bypass accountModify --account joe --mfa-password-required yes|no|bypass ```
BreizhHardware commented 2026-05-07 00:17:24 +02:00
Author
Owner
Copy link

@speed47 commented on GitHub (Nov 5, 2020):

In any case @Alkorin we'll need yubico-piv-checker ;)

<!-- gh-comment-id:722499208 --> @speed47 commented on GitHub (Nov 5, 2020): In any case @Alkorin we'll need `yubico-piv-checker` ;)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
expifix
groupcreate_fix_uid
fix_group_gid_fast
gh-pages
clush
expiration
jsonvalidator
v3.23.01
v3.23.00
v3.22.00
v3.21.00
v3.20.00
v3.19.01
v3.19.00
v3.18.99-rc1
v3.18.00
v3.17.01
v3.17.00
v3.16.99-rc3
v3.16.99-rc2
v3.16.99-rc1
v3.16.01
v3.16.00
v3.15.00
v3.14.16
v3.14.15
v3.14.00
v3.13.01
v3.13.00
v3.12.00
v3.11.02
v3.11.01
v3.11.00
v3.10.00
v3.09.02
v3.09.00-really
v3.09.00
v3.09.00-rc3
v3.09.00-rc2
v3.09.00-rc1
v3.08.01
v3.08.00
v3.07.00
v3.06.00
v3.05.01
v3.05.00
v3.04.00
v3.03.99-rc2
v3.03.99-rc1
v3.03.01
v3.03.00
v3.02.00
v3.01.99-rc4
v3.01.99-rc3
v3.01.99-rc2
v3.01.99-rc1
v3.01.03
v3.01.02
v3.01.01
v3.01.00
v3.00.02
v3.00.01
v3.00.00
Labels
Clear labels   
answered

   
bug

   
documentation

   
enhancement

   
enhancement

   
feature

   
feature

   
kept-open-for-info

   
pull-request
Mirrored from GitHub Pull Request

  
question
No labels
answered
bug
documentation
enhancement
enhancement
feature
feature
kept-open-for-info
pull-request
question
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/the-bastion#12
No description provided.