Bug 1200767

Summary: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)
Product: Red Hat Enterprise Linux 7
Reporter: Martin Kosek <mkosek>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: high
Version: 7.0
CC: dkupka, ekeck, frenaud, ipa-qe, jcholast, jfenal, mbabinsk, nsoman, pvoborni, rcritten, rharwood
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.5.0-9.el7
Doc Type: Enhancement
Doc Text:
SSSD supports obtaining a Kerberos ticket when users authenticate with a smart card

The System Security Services Daemon (SSSD) now supports the Kerberos PKINIT preauthentication mechanism. When authenticating with a smart card to a desktop client system enrolled in an Identity Management (IdM) domain, users receive a valid Kerberos ticket-granting ticket (TGT) if the authentication was successful. Users can then use the TGT for further single sign-on (SSO) authentication from the client system. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sc-pkinit-auth.html.
Story Points: ---
Clone Of:
: 1427497 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:37:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1428484
Bug Blocks: 1396494, 1399979, 1340711, 1411852, 1411858, 1427497

Description Martin Kosek 2015-03-11 11:10:13 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4905

This requirement has several parts:

* Support of Smart Cards in SSSD (upstream ticket: https://fedorahosted.org/sssd/ticket/546)
* API/CLI for configuring the trusted CA certificate in KDC (related - #616)
* Optionally, also #521 (Add dogtag support to generate KDC certificates for Pkinit)

Comment 1 Martin Kosek 2015-06-04 11:54:43 UTC
The current development status of this feature was discussed and its scope will be limited for the first release. SC authentication will be LDAP-based (details in https://bugzilla.redhat.com/show_bug.cgi?id=854396#c6).

Kerberos authentication or automatic retrieval of user TGT after authentication (pkinit) will be postponed, given the functionality currently requires special certificate extension (id-pkinit-san) in order to properly map certificates and (user) principals. This is not guaranteed with the primary supported cards (CAC), so we would first need to work on extending our Kerberos backend to provide the mapping ourselves.

Comment 5 Petr Vobornik 2017-03-28 12:27:22 UTC
Note that the RFE is implemented, it works with new installs but there are still bugs in upgrades, which have to be fixed. But let's put these patches to current build to allow early testing of at least this.

Comment 8 Jan Cholasta 2017-04-26 13:41:24 UTC
We need to bump Requires on krb5 to 1.15.1-4 which resolves bug 1428484, moving back to ASSIGNED.

Comment 12 Scott Poore 2017-05-08 18:07:10 UTC
Verified.

Version ::
ipa-client-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64

Results ::

### First the options for enabling/disabling anonymous pkinit support
### Also shows anonymous pkinit working

[root@dhcp129-184 ~]# ipa pkinit-anonymous enable

[root@dhcp129-184 ~]# kdestroy -A

[root@dhcp129-184 ~]# kinit -n

[root@dhcp129-184 ~]# ARMOR_CCACHE=$(klist|grep cache:|cut -d' ' -f3-)

[root@dhcp129-184 ~]# kinit -T $ARMOR_CCACHE admin@TESTRELM.TEST
Password for admin@TESTRELM.TEST: 

[root@dhcp129-184 ~]# ipa pkinit-anonymous disable

[root@dhcp129-184 ~]# kdestroy -A

### Also, to be thorough, a test with kinit using the smart card:

[root@dhcp129-184 ~]# kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1
demosc1 (OpenSC Card)            PIN: 

[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_7XZIAfK
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 12:06:24  05/09/2017 12:06:19  krbtgt/TESTRELM.TEST@TESTRELM.TEST


[root@dhcp129-184 ~]# kinit -n
kinit: Client's credentials have been revoked while getting initial credentials

[root@dhcp129-184 ~]# kinit admin
Password for admin@TESTRELM.TEST: 


### Now showing that we get a kerberos ticket when logging in using a smart card
### This example uses SU but, we saw the same behavior work with GDM logins

### First I setup users with and without certs.  the certs were generated by IPA.  The Smart Card had the users key and cert added manually with pkcs15-* commands.
### scuser107 does not have cert or certmapdata added
### demosc1 has both cert and certmapdata
### demosc2 has certmapdata only

[root@dhcp129-184 ~]# ipa user-show demosc1 |sed 's/MII.*$/MII.../'
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1@TESTRELM.TEST
  Principal alias: demosc1@TESTRELM.TEST
  Email address: demosc1@testrelm.test
  UID: 576400131
  GID: 576400131
  Certificate: MII...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show demosc2 |sed 's/MII.*$/MII.../'
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2@TESTRELM.TEST
  Principal alias: demosc2@TESTRELM.TEST
  Email address: demosc2@testrelm.test
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show scuser107 |sed 's/MII.*$/MII.../'
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107@TESTRELM.TEST
  Principal alias: scuser107@TESTRELM.TEST
  Email address: scuser107@testrelm.test
  UID: 576400135
  GID: 576400135
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

####################################################################
### Now the test showing su ask for pin and getting kerberos ticket
####################################################################

[root@dhcp129-184 ~]# su - demosc1 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc1 -c klist
klist: Credentials cache keyring 'persistent:576400131:krb_ccache_Yova6yX' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:56:17 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc1 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc1@testrelm.test
Ticket cache: KEYRING:persistent:576400131:krb_ccache_ndRgXGh
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 11:57:34  05/09/2017 11:57:32  krbtgt/TESTRELM.TEST@TESTRELM.TEST

### Then as second user with certmapdata:

[root@dhcp129-184 ~]# su - demosc2 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc2 -c 'klist'
klist: Credentials cache keyring 'persistent:576400132:krb_ccache_ZAnYcCH' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:57:11 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc2 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc2@testrelm.test
Ticket cache: KEYRING:persistent:576400132:krb_ccache_9Or3NnY
Default principal: demosc2@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 11:59:07  05/09/2017 11:59:05  krbtgt/TESTRELM.TEST@TESTRELM.TEST

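In the verification above, demosc2 carries exactly the same "Certificate mapping data" value as demosc1 (both point at subject CN=demosc1), so the one card in the reader mapped to both accounts and su to demosc2 prompted for "demosc1 (OpenSC Card)". That is deliberate here, but in production a certmapdata value shared by two users, a malformed value, or one naming an issuer the certmaprule does not trust are all worth catching before anyone relies on PKINIT logins. The following offline audit is an added example (not code from the bug report, FreeIPA or SSSD). It assumes only the value syntax visible in the `ipa user-show` output, `X509:<I>issuer<S>subject` with both DNs written root-first (O=...,CN=...), which is the reverse of the leaf-first RFC 4514 order used in the certmaprule's `<ISSUER>` matching rule; the input dict, the `bad*` users, and the helper names are constructed for the example.

```python
"""Audit IdM certificate-mapping data (ipacertmapdata) offline.

Added example, not code from the bug report, FreeIPA or SSSD.  Assumes
the value syntax shown in the bug's `ipa user-show` output:
    X509:<I>issuer-DN<S>subject-DN
with both DNs root-first (O=...,CN=...), the reverse of the leaf-first
RFC 4514 form used in the certmaprule <ISSUER> matching rule.
"""
import re
from collections import defaultdict

CERTMAP_RE = re.compile(r'^X509:<I>(?P<issuer>.*?)<S>(?P<subject>.+)$')


def split_rdns(dn):
    """Split a DN string on unescaped commas, keeping escapes intact."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            cur.append(ch)
            escaped = True
        elif ch == ',':
            rdns.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append(''.join(cur).strip())
    return rdns


def to_root_first(dn_rfc4514):
    """CN=demosc1,O=TESTRELM.TEST -> O=TESTRELM.TEST,CN=demosc1"""
    return ','.join(reversed(split_rdns(dn_rfc4514)))


def build_certmapdata(issuer_rfc4514, subject_rfc4514):
    """Compose the mapping value from RFC 4514 issuer and subject DNs."""
    return 'X509:<I>%s<S>%s' % (to_root_first(issuer_rfc4514),
                                to_root_first(subject_rfc4514))


def parse_certmapdata(value):
    """Return (issuer, subject) as stored, or raise ValueError."""
    m = CERTMAP_RE.match(value)
    if not m:
        raise ValueError('not X509:<I>...<S>... form: %r' % value)
    return m.group('issuer'), m.group('subject')


def audit(users, trusted_issuer_rfc4514):
    """Report mapping values that make a card ambiguous or unusable.

    users: {login: [certmapdata, ...]} (constructed shape; a real run
    would collect it from `ipa user-find --all`).
    Returns {'duplicates': value -> sorted logins,
             'malformed': login -> value,
             'untrusted_issuer': login -> value}.
    """
    trusted = to_root_first(trusted_issuer_rfc4514)
    owners = defaultdict(set)
    malformed, untrusted = {}, {}
    for login, values in users.items():
        for value in values:
            try:
                issuer, _subject = parse_certmapdata(value)
            except ValueError:
                malformed[login] = value
                continue
            owners[value].add(login)
            if issuer != trusted:
                untrusted[login] = value
    duplicates = {v: sorted(u) for v, u in owners.items() if len(u) > 1}
    return {'duplicates': duplicates, 'malformed': malformed,
            'untrusted_issuer': untrusted}


# Constructed sample: the two mapped users from the bug (demosc2 reuses
# demosc1's value), the unmapped user, plus two deliberately bad entries.
ISSUER = 'CN=Certificate Authority,O=TESTRELM.TEST'
DEMOSC1 = build_certmapdata(ISSUER, 'CN=demosc1,O=TESTRELM.TEST')
SAMPLE_USERS = {
    'demosc1': [DEMOSC1],
    'demosc2': [DEMOSC1],
    'scuser107': [],
    'baduser1': ['X509:CN=baduser1,O=TESTRELM.TEST'],
    'baduser2': [build_certmapdata('CN=Other CA,O=EXAMPLE.TEST',
                                   'CN=baduser2,O=EXAMPLE.TEST')],
}

if __name__ == '__main__':
    for kind, hits in audit(SAMPLE_USERS, ISSUER).items():
        print('%s: %s' % (kind, hits or 'none'))
```

The duplicate check is the one that matters most for this feature: a card whose certificate (or issuer/subject pair) maps to more than one principal cannot be trusted to yield the TGT of the person holding it, so any value listed under `duplicates` should be removed from all but the intended account with `ipa user-remove-certmapdata`. The comparison is exact-string on purpose; DN normalisation (case, whitespace) is left to the server, and the script only flags what a human should look at.
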
Comment 15 Martin Kosek 2017-05-26 09:39:35 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 16 errata-xmlrpc 2017-08-01 09:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304