W3cubDocs

/SaltStack

salt.auth.pki

Authenticate via a PKI certificate.

Note

This module is Experimental and should be used with caution

Provides an authenticate function that will allow the caller to authenticate a user via their public cert against a pre-defined Certificate Authority.

TODO: Add a 'ca_dir' option to configure a directory of CA files, a la Apache.

depends:
  • pyOpenSSL module

salt.auth.pki.auth(username, password, **kwargs)

Returns True if the given user cert (password is the cert contents) was issued by the CA and if cert's Common Name is equal to username.

Returns False otherwise.

username: we need it to run the auth function from CLI/API;
it should be in master config auth/acl
password: contents of user certificate (pem-encoded user public key);
why "password"? For CLI, it's the only available name

Configure the CA cert in the master config file:

external_auth:
  pki:
    ca_file: /etc/pki/tls/ca_certs/trusted-ca.crt
    your_user:
      - .*

© 2019 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltstack.com/en/latest/ref/auth/all/salt.auth.pki.html