
Thread: Client certificate authentication in zypper

  1. #1

    Question Client certificate authentication in zypper

    I have some private repositories that kiosks connect to over SSL. I don't want to use basic auth as it's not very secure for a variety of reasons (for example, the password is sent every connection, giving a large attack surface).
    On distros with yum I've been able to use client certificate authentication by simply setting sslclientkey=<keyfile> and sslclientcert=<certfile> in the .repo files. However, I can't find anything about client certificates in the zypper documentation. Are client certificates not supported in zypper like they are in yum? Any suggested workarounds, other than falling back to basic auth or going over SSH instead of HTTPS?

  2. #2

    Default Re: Client certificate authentication in zypper

    This might go some way to showing how trusted root certificates can be used with openSUSE

    https://blog.hqcodeshop.fi/archives/...-openSUSE.html

    That's about all I can offer.

  3. #3

    Default Re: Client certificate authentication in zypper

    On 2015-05-14 08:56, Prune wrote:

    > On distros with yum I've been able to use client certificate
    > authentication by simply setting sslclientkey=<keyfile> and
    > sslclientcert=<certfile> in the .repo files. However, I can't find
    > anything about client certificates in the zypper documentation. Are
    > client certificates not supported in zypper like they are in yum?


    Zypper uses GPG certification.

    I don't know if some mirrors do setup https, but the overall system
    doesn't rely on it, as mirrors are chosen almost randomly and most use
    plain http or ftp.

    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))

  4. #4

    Default Re: Client certificate authentication in zypper

    Based purely on observation and not in any way bolstered by closely inspecting the sessions...

    SSL is used only to encrypt the session and is not relied upon for authentication (although I would think that openssl patches within last couple years likely enforce authenticating the server).
    When you originally configure a repository, openSUSE (and zypper or yast or whatever) will prompt for the GPG's public certificate if it's not already in the local certificate store. When automating setting up a repository, this can be overcome by automatically agreeing or not verifying. You can inspect the various repository security options with the following command (ar is the switch that adds a repo)
    Code:
    zypper ar --help
    HTH,
    TSU

  5. #5

    Default Re: Client certificate authentication in zypper

    Quote Originally Posted by robin_listas:
    Zypper uses GPG certification.
    It does, but GPG provides verification of the downloaded code, not authentication of the client to the repository.

    In any case, I have filed a bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=932393

  6. #6

    Default Re: Client certificate authentication in zypper

    On 2015-05-27 05:26, Prune wrote:
    >
    > robin_listas;2709976 Wrote:
    >>
    >> Zypper uses GPG certification.
    >>

    > It does, but GPG provides verification of the downloaded code, not
    > authentication of the client to the repository.


    Why do you need to authenticate the client to the server (the repo
    server)? I don't see the need at all.

    > In any case, I have filed a bug report:
    > https://bugzilla.opensuse.org/show_bug.cgi?id=932393


    You say there:

    |> Private repositories have important use cases, and that makes
    |> authentication of the package manager to the repository a concern.
    |> Unfortunately, zypper only seems to support basic authentication.
    |> However, basic authentication even over TLS doesn't provide good security.
    |> The large attack window caused by sending the password with every
    |> request is just one of numerous issues ([1], [2], and many others).

    Why do you need to send any password at all? I don't. I don't think
    anybody does, as the openSUSE download site doesn't request any password
    or authentication.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  7. #7

    Default Re: Client certificate authentication in zypper

    Quote Originally Posted by Prune:
    It does, but GPG provides verification of the downloaded code, not authentication of the client to the repository.

    In any case, I have filed a bug report: https://bugzilla.opensuse.org/show_bug.cgi?id=932393
    You aren't authenticating the client to the server, you're authenticating (verifying the identity) of the source repository you're connecting to.
    Should be logical, when you download apps to your machine and update/patch your machine, wouldn't you want some way of knowing that you're getting that from a real, official source and not someone impersonating? Wouldn't you want some protection against someone trying to insert malware into your system?

    That is why, as the client, you accept the GPG public certificate issued by the repository.
    The public certificate is kind of like a password (or secret) which, due to how certificates work, can be transferred in the open without compromising its functionality. If you want to understand how this works, I recommend you do a search using the keywords "pki public key infrastructure".

    TSU

  8. #8

    Default Re: Client certificate authentication in zypper

    On 2015-05-27 16:16, tsu2 wrote:

    > You aren't authenticating the client to the server, you're
    > authenticating (verifying the identity) of the source repository you're
    > connecting to.
    > Should be logical, when you download apps to your machine and
    > update/patch your machine, wouldn't you want some way of knowing that
    > you're getting that from a real, official source and not someone
    > impersonating? Wouldn't you want some protection against someone trying
    > to insert malware into your system?


    That's so. The repository itself is identified by a GPG signature. It
    doesn't matter what mirror serves it, official or not, as long as the
    GPG checks (and zypper does verify this). And this way mirrors don't
    need to pay for the certificates used on https servers.

    Also repos can work via plain FTP.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

  9. #9

    Default Re: Client certificate authentication in zypper

    Quote Originally Posted by robin_listas:
    Why do you need to authenticate the client to the server (the repo
    server)? I don't see the need at all.
    Why do you need to authenticate to your bank when you want to check your statements online? Because what you get back—the display of your transaction history—is private information!
    Note I wrote "private repositories" in the original post. I don't want public access to packages of internal company software intended solely for distribution to the trusted client machines (kiosks).
    Here's another way to look at it: why does zypper support basic authentication (through the username:password@url syntax) if you don't need authentication? And why does yum support both that, as well as client certificate authentication? Because lack of authentication restricts use cases to only public repositories.
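    As an added example (not code from this thread, from yum, or from zypper), the following Python linter checks a yum-style .repo file for the settings discussed in posts #1 and #9: the sslclientcert/sslclientkey pair that yum accepts for client certificate authentication, and the username:password@url form that embeds basic-auth credentials in the URL and sends them on every request. The repository name, host and file paths in the sample are constructed placeholders; sslverify, sslcacert and gpgcheck are standard yum.conf options.

```python
"""Lint yum/dnf .repo stanzas for a private, client-cert-protected repository.

Added example written for this thread; it is not part of yum, zypper, or any
post above.  The sample .repo text below is constructed for illustration.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: one stanza using client certificate authentication with
# server and package verification enabled, and one legacy stanza that embeds
# basic-auth credentials in the URL and disables both kinds of verification.
SAMPLE_REPO = """\
[kiosk-internal]
name=Internal kiosk packages
baseurl=https://repo.example.internal/kiosk/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kiosk
sslverify=1
sslcacert=/etc/pki/tls/certs/internal-ca.pem
sslclientcert=/etc/pki/tls/certs/kiosk-client.pem
sslclientkey=/etc/pki/tls/private/kiosk-client.key

[kiosk-legacy]
name=Legacy stanza using basic auth
baseurl=https://kiosk:secret@repo.example.internal/legacy/
enabled=1
gpgcheck=0
sslverify=0
"""


def lint_repo(text):
    """Return {section_name: [finding, ...]} for every stanza in a .repo file.

    An empty list means the stanza passed all checks.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        opts = cp[section]
        findings = []

        url = urlsplit(opts.get("baseurl", ""))
        if url.scheme != "https":
            findings.append("baseurl is not https; client certificate auth needs TLS")
        if url.username is not None or url.password is not None:
            # Basic auth: the secret travels with every request, which is the
            # attack window the original poster describes.
            findings.append("credentials embedded in baseurl (basic auth sent on every request)")

        if opts.get("sslverify", "1").strip().lower() in ("0", "false", "no"):
            findings.append("sslverify disabled; the server's identity is not checked")

        # The certificate and key must be configured together.
        has_cert = bool(opts.get("sslclientcert"))
        has_key = bool(opts.get("sslclientkey"))
        if has_cert != has_key:
            findings.append("sslclientcert and sslclientkey must be set together")
        if not (has_cert and has_key):
            findings.append("no client certificate configured")

        # Client auth controls who may fetch; GPG still verifies what was fetched.
        if opts.get("gpgcheck", "0").strip() != "1":
            findings.append("gpgcheck disabled; package signatures are not verified")

        report[section] = findings
    return report


if __name__ == "__main__":
    for name, findings in lint_repo(SAMPLE_REPO).items():
        print(f"[{name}]", "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

    On a real kiosk the private key named by sslclientkey should be readable only by root, and the two checks are deliberately separate: the client certificate answers "who may download from this repository", while gpgcheck answers "was what I downloaded signed by the expected key", which is the distinction raised later in the thread.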

  10. #10

    Default Re: Client certificate authentication in zypper

    On 2015-05-27 21:36, Prune wrote:
    >
    > robin_listas;2712281 Wrote:
    >>
    >> Why do you need to authenticate the client to the server (the repo
    >> server)? I don't see the need at all.


    > Note I wrote "private repositories" in the original post. I don't want
    > public access to packages of internal company software intended solely
    > for distribution to the trusted client machines (kiosks).


    You did not say this before. It changes the issue completely.

    I suggest you explain this in the Bugzilla, or it will go ignored.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
