Bug 1405075

Summary: [RFE] Add PKINIT support to SSSD Kerberos provider
Product: Red Hat Enterprise Linux 7
Reporter: Sumit Bose <sbose>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: unspecified
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: high
Version: 7.3
CC: apetrova, grajaiya, hristo, ipa-qe, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, nsoman, pbrezina, sbose
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.15.1-1.el7
Doc Type: Enhancement
Doc Text: See doc text in https://bugzilla.redhat.com/show_bug.cgi?id=1200767
Story Points: ---
Last Closed: 2017-08-01 09:02:33 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Sumit Bose 2016-12-15 14:19:25 UTC
This is the client side ticket for the FreeIPA/IdM ticket https://bugzilla.redhat.com/show_bug.cgi?id=1200767.

SSSD should be able to determine if pkinit is available for the user and prompt for a Smartcard PIN if pkinit is available and a Smartcard is inserted, or if only pkinit is available for authentication.

Comment 1 Jakub Hrozek 2016-12-15 15:25:14 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3270

Comment 2 Hristo Venev 2017-01-03 23:14:18 UTC
Does this block https://bugzilla.redhat.com/show_bug.cgi?id=998545 ?

Comment 3 Sumit Bose 2017-01-04 09:06:05 UTC
(In reply to Hristo Venev from comment #2)
> Does this block https://bugzilla.redhat.com/show_bug.cgi?id=998545 ?

No, not in general. PKINIT is only needed if you have a Kerberos infrastructure which can handle PKINIT.

Smartcard authentication to the local system without getting a Kerberos ticket is currently already available in Fedora/RHEL for users managed by LDAP, AD or FreeIPA. Unfortunately SSSD can currently not handle Smartcard authentication for local users from /etc/passwd, but this is planned for the next release.

Comment 5 Jakub Hrozek 2017-02-23 10:03:24 UTC
master:
    2d527aa
    52f4583
    ead25e3
    82c5971
    dd17a3a
    f70d946
    d475744
    254f389
    327a166
    f561c2b

Comment 6 Jakub Hrozek 2017-02-23 10:03:52 UTC
Can we get a qa_ack, please?

Comment 8 Sumit Bose 2017-05-05 18:49:36 UTC
Hi Aneta,

it was mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1448236 that the changes to krb5.conf described in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html should be mentioned for this SSSD feature as well. The important options for the SSSD feature are pkinit_anchors and in some cases pkinit_kdc_hostname (this is typically needed when using AD). pkinit_cert_match should not be used because this will be set by SSSD.

I'm setting needinfo so that you can set the doc related options accordingly.

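The krb5.conf options named in comment 8, shown as an added illustration that is not part of the bug report or of the SSSD project's documentation. The AD realm AD.EXAMPLE.COM, the KDC host names and the CA file paths are assumed placeholders; TESTRELM.TEST is the realm used in the verification below.

```ini
# Added example (not from the bug report). Realm AD.EXAMPLE.COM, both kdc
# host names and the CA bundle paths are placeholders.
[libdefaults]
    default_realm = TESTRELM.TEST
    # Trust anchor used by the client to verify the KDC's PKINIT signing
    # certificate. FILE: names one PEM bundle; DIR: names a directory of
    # PEM files. For an IPA client the IPA CA chain is the usual anchor.
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    # pkinit_cert_match is deliberately absent: SSSD sets it itself for
    # the certificate it selected on the inserted card, so a static value
    # here would conflict with the certificate chosen at login time.

[realms]
    TESTRELM.TEST = {
        kdc = ipa.testrelm.test
        pkinit_anchors = FILE:/etc/ipa/ca.crt
    }

    # AD case: a domain controller's certificate normally carries the DC's
    # DNS name rather than the id-pkinit-san KDC identity, so the client
    # must be told which host name(s) it may accept in the KDC certificate.
    # The option may be repeated once per DC.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        pkinit_anchors = FILE:/etc/pki/ca-trust/source/anchors/ad-root-ca.pem
        pkinit_kdc_hostname = dc1.ad.example.com
    }
```

Without a matching pkinit_kdc_hostname entry the AD KDC's reply is rejected during certificate verification and SSSD falls back to asking for a password, so a PIN prompt that is never shown is the first symptom to check.
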
Comment 9 Scott Poore 2017-05-08 18:07:28 UTC
Verified.  Using same as bug #1200767

Version ::
ipa-client-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64

Results ::

### First I set up users with and without certs.  The certs were generated by IPA.  The Smart Card had the users key and cert added manually with pkcs15-* commands.
### scuser107 does not have cert or certmapdata added
### demosc1 has both cert and certmapdata
### demosc2 has certmapdata only

[root@dhcp129-184 ~]# ipa user-show demosc1 |sed 's/MII.*$/MII.../'
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1
  Principal alias: demosc1
  Email address: demosc1
  UID: 576400131
  GID: 576400131
  Certificate: MII...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show demosc2 |sed 's/MII.*$/MII.../'
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2
  Principal alias: demosc2
  Email address: demosc2
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show scuser107 |sed 's/MII.*$/MII.../'
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107
  Principal alias: scuser107
  Email address: scuser107
  UID: 576400135
  GID: 576400135
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

####################################################################
### Now the test showing su asking for PIN and getting a Kerberos ticket
####################################################################

[root@dhcp129-184 ~]# su - demosc1 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc1 -c klist
klist: Credentials cache keyring 'persistent:576400131:krb_ccache_Yova6yX' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:56:17 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc1 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc1
Ticket cache: KEYRING:persistent:576400131:krb_ccache_ndRgXGh
Default principal: demosc1

Valid starting       Expires              Service principal
05/08/2017 11:57:34  05/09/2017 11:57:32  krbtgt/TESTRELM.TEST

### Then as second user with certmapdata:

[root@dhcp129-184 ~]# su - demosc2 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc2 -c 'klist'
klist: Credentials cache keyring 'persistent:576400132:krb_ccache_ZAnYcCH' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:57:11 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc2 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc2
Ticket cache: KEYRING:persistent:576400132:krb_ccache_9Or3NnY
Default principal: demosc2

Valid starting       Expires              Service principal
05/08/2017 11:59:07  05/09/2017 11:59:05  krbtgt/TESTRELM.TEST

Comment 13 Martin Kosek 2017-05-26 09:40:13 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 14 errata-xmlrpc 2017-08-01 09:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294