I'm trying to install the development tools for a small team, and I can't get the authentication right.
Since we are a distributed team, the server is on the internet. And I'd like to have SSO+zero client configuration.
So basically git over https+webdav is impractical, because the git client can only use basic auth but doesn't save the password, and some IDE plugins don't even forward the password question in their UI.
I have to use git over ssh then. I installed gitosis and it basically works with asymmetric keys, ok. I'll have to ask each dev to install their key, I can do that, forget zero configuration.
Then I want the developers to access the web tools (wiki, tickets, etc.) that are on https, but this time I have to give them either a login/password or another private key just because the formats aren't compatible between SSH and SSL and the place to store it on the OS is not the same. Now, I have to forget the SSO?
Am I mistaken?
Best Answer
TL;DR summary: If you have an SSL/X.509 certificate+key, just give the private key file to ssh. Or, if you already have an SSH key in id_rsa, just use it with OpenSSL when signing a CSR. That's all.
Let's assume you have a user's SSL certificate in joeuser.pem and its private key in joeuser.key.
Since X.509 uses standard RSA keys, and so does SSH, you should be able to just tell your SSH client to use joeuser.key -- the only requirement is that it be in an understandable format.
Look at the insides of joeuser.key and check if it looks kinda like this:
In OpenSSL, this format is called "PEM" (as in -outform pem) and is used by default. The same format is used by OpenSSH, and you can use ssh -i joeuser.key to connect.
You can extract the public key in OpenSSH id_rsa.pub format (for putting into authorized_keys) with:
(The same public key in PEM format can be extracted with openssl rsa -pubout, but it will be of little use.)
If you have a DSA key, it should work exactly the same as with RSA.
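The key reuse described in the answer, as an added example that is not part of the original answer: it derives the authorized_keys line from the private key and checks that the certificate carries the same public key. The function names, the throwaway 2048-bit key, the self-signed certificate and the CN are assumptions made for the demo; the file names joeuser.key and joeuser.pem follow the answer.

```shell
#!/bin/sh
# Constructed demo: throwaway key and self-signed certificate in a temp dir.
# File names joeuser.key / joeuser.pem follow the answer; the CN is made up.

# Print the OpenSSH authorized_keys line derived from a PEM private key.
ssh_pub_from_key() {
    ssh-keygen -y -f "$1"
}

# Print the OpenSSH line for the public key embedded in an X.509 certificate.
ssh_pub_from_cert() {
    spki=$(mktemp) || return 1
    openssl x509 -in "$1" -noout -pubkey > "$spki" &&
        ssh-keygen -i -m PKCS8 -f "$spki"
    rc=$?
    rm -f "$spki"
    return $rc
}

# Succeed only if the certificate and the private key hold the same key pair.
same_keypair() {
    from_key=$(ssh_pub_from_key "$1" | awk '{print $1, $2}') || return 1
    from_cert=$(ssh_pub_from_cert "$2" | awk '{print $1, $2}') || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    ( umask 077   # ssh-keygen refuses private keys readable by other users
      openssl genrsa -out "$dir/joeuser.key" 2048 2>/dev/null
      openssl req -x509 -new -key "$dir/joeuser.key" -subj "/CN=joeuser" \
          -days 1 -out "$dir/joeuser.pem" 2>/dev/null
    ) || { rm -rf "$dir"; return 1; }
    head -n 1 "$dir/joeuser.key"          # PEM header line of the private key
    ssh_pub_from_key "$dir/joeuser.key"   # line to append to authorized_keys
    same_keypair "$dir/joeuser.key" "$dir/joeuser.pem"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run demo to see the whole flow, or call same_keypair with an existing key and certificate to confirm they belong together before installing the public key on the server.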